diff --git a/tests/common-acm-industrial-edge-factory.expected.yaml b/tests/common-acm-industrial-edge-factory.expected.yaml deleted file mode 100644 index 94c8254f7..000000000 --- a/tests/common-acm-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,363 +0,0 @@ ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io ---- -# Source: acm/templates/policies/private-repo-policies.yaml -# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace -# to the "open-cluster-management" via the "private-hub-policy" -# -# Then we copy the secret from the "open-cluster-management" namespace to the -# managed clusters "openshift-gitops" instance -# -# And we also copy the same secret to the namespaced argo's namespace ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement-argocd - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy-argocd - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.13 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -# This policy depends on openshift-gitops-policy and the reason is that we need to be -# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance -# because the initcontainer references the trusted-ca-bundle and if it starts without the -# configmap being there we risk running an argo instances that won't trust public CAs -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy-argocd - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - dependencies: - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: openshift-gitops-policy - namespace: open-cluster-management - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: hub-argo-ca-openshift-gitops-policy - namespace: open-cluster-management - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config-argocd - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1beta1 - kind: ArgoCD - metadata: - name: openshift-gitops - namespace: openshift-gitops - spec: - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - webhookServer: - ingress: - enabled: false - route: - enabled: false - controller: - processors: {} - resources: - limits: - cpu: "2" - memory: 2Gi - requests: - cpu: 250m - memory: 1Gi - sharding: {} - grafana: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - route: - enabled: false - ha: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - monitoring: - enabled: false - notifications: - enabled: false - prometheus: - enabled: false - ingress: - enabled: false - route: - enabled: false - rbac: - defaultPolicy: "" - policy: |- - g, system:cluster-admins, role:admin - g, cluster-admins, role:admin - scopes: '[groups]' - redis: - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt - || true - image: registry.redhat.io/ubi9/ubi-minimal:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resourceExclusions: |- - - apiGroups: - - tekton.dev - clusters: - - '*' - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - service: - type: "" - sso: - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - provider: dex - tls: - ca: {} diff --git a/tests/common-acm-industrial-edge-hub.expected.yaml b/tests/common-acm-industrial-edge-hub.expected.yaml deleted file mode 100644 index 00cf4e4d9..000000000 --- a/tests/common-acm-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,733 +0,0 @@ ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/policies/private-repo-policies.yaml -# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace -# to the "open-cluster-management" via the "private-hub-policy" -# -# Then we copy the secret from the "open-cluster-management" namespace to the -# managed clusters "openshift-gitops" instance -# -# And we also copy the same secret to the namespaced argo's namespace ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-hub-ca-policy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-hub-ca-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-hub-ca-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-openshift-gitops-policy-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-openshift-gitops-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-factory-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-factory-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-factory-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: factory-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: factory-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: factory-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement-argocd - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy-argocd - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-hub-ca-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-openshift-gitops-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-factory-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: factory-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: { - "matchExpressions": [ - { - "key": "vendor", - "operator": "In", - "values": [ - "OpenShift" - ] - } - ], - "matchLabels": { - "clusterGroup": "factory" - } -} ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-hub-ca-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-hub-ca-config-policy - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - metadata: - name: hub-ca - namespace: golang-external-secrets - data: - hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' - hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: imperative - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-openshift-gitops-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: openshift-gitops - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-factory-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-factory-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: mypattern-factory - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: factory-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: factory-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-factory - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - - name: global.localClusterName - value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - - name: global.clusterPlatform - value: aws - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: clusterGroup.name - value: factory - - name: clusterGroup.isHubCluster - value: "false" - destination: - server: https://kubernetes.default.svc - namespace: mypattern-factory - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.13 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -# This policy depends on openshift-gitops-policy and the reason is that we need to be -# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance -# because the initcontainer references the trusted-ca-bundle and if it starts without the -# configmap being there we risk running an argo instances that won't trust public CAs -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy-argocd - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - dependencies: - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: openshift-gitops-policy - namespace: open-cluster-management - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: hub-argo-ca-openshift-gitops-policy - namespace: open-cluster-management - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config-argocd - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1beta1 - kind: ArgoCD - metadata: - name: openshift-gitops - namespace: openshift-gitops - spec: - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - webhookServer: - ingress: - enabled: false - route: - enabled: false - controller: - processors: {} - resources: - limits: - cpu: "2" - memory: 2Gi - requests: - cpu: 250m - memory: 1Gi - sharding: {} - grafana: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - route: - enabled: false - ha: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - monitoring: - enabled: false - notifications: - enabled: false - prometheus: - enabled: false - ingress: - enabled: false - route: - enabled: false - rbac: - defaultPolicy: "" - policy: |- - g, system:cluster-admins, role:admin - g, cluster-admins, role:admin - scopes: '[groups]' - redis: - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt - || true - image: registry.redhat.io/ubi9/ubi-minimal:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resourceExclusions: |- - - apiGroups: - - tekton.dev - clusters: - - '*' - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - service: - type: "" - sso: - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - provider: dex - tls: - ca: {} diff --git a/tests/common-acm-medical-diagnosis-hub.expected.yaml b/tests/common-acm-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 5fea58d04..000000000 --- a/tests/common-acm-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,724 +0,0 @@ ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/policies/private-repo-policies.yaml -# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace -# to the "open-cluster-management" via the "private-hub-policy" -# -# Then we copy the secret from the "open-cluster-management" namespace to the -# managed clusters "openshift-gitops" instance -# -# And we also copy the same secret to the namespaced argo's namespace ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-hub-ca-policy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-hub-ca-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-hub-ca-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-openshift-gitops-policy-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-openshift-gitops-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-region-one-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-region-one-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-region-one-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: region-one-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: region-one-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: region-one-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement-argocd - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy-argocd - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-hub-ca-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-openshift-gitops-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-region-one-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: region-one-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: { - "matchLabels": { - "clusterGroup": "region-one" - } -} ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-hub-ca-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-hub-ca-config-policy - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - metadata: - name: hub-ca - namespace: golang-external-secrets - data: - hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' - hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: imperative - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-openshift-gitops-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: openshift-gitops - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-region-one-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-region-one-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: mypattern-region-one - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: region-one-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: region-one-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-region-one - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-region-one.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - - name: global.localClusterName - value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - - name: global.clusterPlatform - value: aws - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: clusterGroup.name - value: region-one - - name: clusterGroup.isHubCluster - value: "false" - destination: - server: https://kubernetes.default.svc - namespace: mypattern-region-one - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.13 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -# This policy depends on openshift-gitops-policy and the reason is that we need to be -# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance -# because the initcontainer references the trusted-ca-bundle and if it starts without the -# configmap being there we risk running an argo instances that won't trust public CAs -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy-argocd - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - dependencies: - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: openshift-gitops-policy - namespace: open-cluster-management - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: hub-argo-ca-openshift-gitops-policy - namespace: open-cluster-management - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config-argocd - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1beta1 - kind: ArgoCD - metadata: - name: openshift-gitops - namespace: openshift-gitops - spec: - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - webhookServer: - ingress: - enabled: false - route: - enabled: false - controller: - processors: {} - resources: - limits: - cpu: "2" - memory: 2Gi - requests: - cpu: 250m - memory: 1Gi - sharding: {} - grafana: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - route: - enabled: false - ha: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - monitoring: - enabled: false - notifications: - enabled: false - prometheus: - enabled: false - ingress: - enabled: false - route: - enabled: false - rbac: - defaultPolicy: "" - policy: |- - g, system:cluster-admins, role:admin - g, cluster-admins, role:admin - scopes: '[groups]' - redis: - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt - || true - image: registry.redhat.io/ubi9/ubi-minimal:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resourceExclusions: |- - - apiGroups: - - tekton.dev - clusters: - - '*' - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - service: - type: "" - sso: - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - provider: dex - tls: - ca: {} diff --git a/tests/common-acm-naked.expected.yaml b/tests/common-acm-naked.expected.yaml deleted file mode 100644 index 94c8254f7..000000000 --- a/tests/common-acm-naked.expected.yaml +++ /dev/null @@ -1,363 +0,0 @@ ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io ---- -# Source: acm/templates/policies/private-repo-policies.yaml -# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace -# to the "open-cluster-management" via the "private-hub-policy" -# -# Then we copy the secret from the "open-cluster-management" namespace to the -# managed clusters "openshift-gitops" instance -# -# And we also copy the same secret to the namespaced argo's namespace ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement-argocd - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy-argocd - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.13 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -# This policy depends on openshift-gitops-policy and the reason is that we need to be -# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance -# because the initcontainer references the trusted-ca-bundle and if it starts without the -# configmap being there we risk running an argo instances that won't trust public CAs -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy-argocd - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - dependencies: - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: openshift-gitops-policy - namespace: open-cluster-management - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: hub-argo-ca-openshift-gitops-policy - namespace: open-cluster-management - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config-argocd - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1beta1 - kind: ArgoCD - metadata: - name: openshift-gitops - namespace: openshift-gitops - spec: - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - webhookServer: - ingress: - enabled: false - route: - enabled: false - controller: - processors: {} - resources: - limits: - cpu: "2" - memory: 2Gi - requests: - cpu: 250m - memory: 1Gi - sharding: {} - grafana: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - route: - enabled: false - ha: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - monitoring: - enabled: false - notifications: - enabled: false - prometheus: - enabled: false - ingress: - enabled: false - route: - enabled: false - rbac: - defaultPolicy: "" - policy: |- - g, system:cluster-admins, role:admin - g, cluster-admins, role:admin - scopes: '[groups]' - redis: - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt - || true - image: registry.redhat.io/ubi9/ubi-minimal:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resourceExclusions: |- - - apiGroups: - - tekton.dev - clusters: - - '*' - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - service: - type: "" - sso: - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - provider: dex - tls: - ca: {} diff --git a/tests/common-acm-normal.expected.yaml b/tests/common-acm-normal.expected.yaml deleted file mode 100644 index 6823a01b9..000000000 --- a/tests/common-acm-normal.expected.yaml +++ /dev/null @@ -1,1894 +0,0 @@ ---- -# Source: acm/templates/provision/clusterdeployment.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: aws-cd-one-w-pool-acm-provision-edge ---- -# Source: acm/templates/provision/clusterdeployment.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: v1 -kind: Secret -metadata: - name: aws-ap-acm-provision-edge-install-config -data: - # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWFwJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAxCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDAKbmV0d29ya2luZzoKICBjbHVzdGVyTmV0d29yazoKICAtIGNpZHI6IDEwLjEyOC4wLjAvMTQKICAgIGhvc3RQcmVmaXg6IDIzCiAgbWFjaGluZU5ldHdvcms6CiAgLSBjaWRyOiAxMC4wLjAuMC8xNgogIG5ldHdvcmtUeXBlOiBPVk5LdWJlcm5ldGVzCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOgogIGF3czoKICAgIHJlZ2lvbjogYXAtc291dGhlYXN0LTIKcHVsbFNlY3JldDogIiIgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cwpzc2hLZXk6ICIiICAgICAjIHNraXAsIGhpdmUgd2lsbCBpbmplY3QgYmFzZWQgb24gaXQncyBzZWNyZXRz -type: Opaque ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: v1 -kind: Secret -metadata: - name: azure-us-acm-provision-edge-install-config -data: - # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXp1cmUtdXMnIApiYXNlRG9tYWluOiBibHVlcHJpbnRzLnJoZWNvZW5nLmNvbQpjb250cm9sUGxhbmU6CiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgbmFtZTogY29udHJvbFBsYW5lCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF6dXJlOgogICAgICB0eXBlOiBTdGFuZGFyZF9EOHNfdjMKY29tcHV0ZToKLSBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBuYW1lOiAnd29ya2VyJwogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhenVyZToKICAgICAgdHlwZTogU3RhbmRhcmRfRDhzX3YzCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT1ZOS3ViZXJuZXRlcwogIHNlcnZpY2VOZXR3b3JrOgogIC0gMTcyLjMwLjAuMC8xNgpwbGF0Zm9ybToKICBhenVyZToKICAgIGJhc2VEb21haW5SZXNvdXJjZUdyb3VwTmFtZTogZG9qby1kbnMtem9uZXMKICAgIHJlZ2lvbjogZWFzdHVzCnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw== -type: Opaque ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: v1 -kind: Secret -metadata: - name: aws-cd-one-w-pool-acm-provision-edge-install-config - namespace: aws-cd-one-w-pool-acm-provision-edge -data: - # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWNkLW9uZS13LXBvb2wnIApiYXNlRG9tYWluOiBibHVlcHJpbnRzLnJoZWNvZW5nLmNvbQpjb250cm9sUGxhbmU6CiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgbmFtZTogY29udHJvbFBsYW5lCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF3czoKICAgICAgdHlwZTogbTUueGxhcmdlCmNvbXB1dGU6Ci0gaHlwZXJ0aHJlYWRpbmc6IEVuYWJsZWQKICBhcmNoaXRlY3R1cmU6IGFtZDY0CiAgbmFtZTogJ3dvcmtlcicKICByZXBsaWNhczogMwogIHBsYXRmb3JtOgogICAgYXdzOgogICAgICB0eXBlOiBtNS54bGFyZ2UKbmV0d29ya2luZzoKICBjbHVzdGVyTmV0d29yazoKICAtIGNpZHI6IDEwLjEyOC4wLjAvMTQKICAgIGhvc3RQcmVmaXg6IDIzCiAgbWFjaGluZU5ldHdvcms6CiAgLSBjaWRyOiAxMC4wLjAuMC8xNgogIG5ldHdvcmtUeXBlOiBPVk5LdWJlcm5ldGVzCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOgogIGF3czoKICAgIHJlZ2lvbjogYXAtc291dGhlYXN0LTEKcHVsbFNlY3JldDogIiIgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cwpzc2hLZXk6ICIiICAgICAjIHNraXAsIGhpdmUgd2lsbCBpbmplY3QgYmFzZWQgb24gaXQncyBzZWNyZXRz -type: Opaque ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: v1 -kind: Secret -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-install-config - namespace: aws-cd-two-wo-pool-acm-provision-on-deploy -data: - # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWNkLXR3by13by1wb29sJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF3czoKICAgICAgdHlwZTogbTUueGxhcmdlCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT1ZOS3ViZXJuZXRlcwogIHNlcnZpY2VOZXR3b3JrOgogIC0gMTcyLjMwLjAuMC8xNgpwbGF0Zm9ybToKICBhd3M6CiAgICByZWdpb246IGFwLXNvdXRoZWFzdC0zCnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw== -type: Opaque ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/policies/private-repo-policies.yaml -# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace -# to the "open-cluster-management" via the "private-hub-policy" -# -# Then we copy the secret from the "open-cluster-management" namespace to the -# managed clusters "openshift-gitops" instance -# -# And we also copy the same secret to the namespaced argo's namespace ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterClaim -metadata: - name: 'two-acm-provision-edge' - annotations: - argocd.argoproj.io/sync-wave: "20" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster.open-cluster-management.io/createmanagedcluster: "true" - labels: - clusterClaimName: two-acm-provision-edge - clusterGroup: region -spec: - clusterPoolName: azure-us-acm-provision-edge ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterClaim -metadata: - name: 'three-acm-provision-edge' - annotations: - argocd.argoproj.io/sync-wave: "20" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster.open-cluster-management.io/createmanagedcluster: "true" - labels: - clusterClaimName: three-acm-provision-edge - clusterGroup: region -spec: - clusterPoolName: azure-us-acm-provision-edge ---- -# Source: acm/templates/provision/clusterdeployment.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterDeployment -metadata: - name: aws-cd-one-w-pool-acm-provision-edge - namespace: aws-cd-one-w-pool-acm-provision-edge - labels: - vendor: OpenShift - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - baseDomain: blueprints.rhecoeng.com - clusterName: aws-cd-one-w-pool-acm-provision-edge - installAttemptsLimit: 1 - platform: - aws: - credentialsSecretRef: - name: aws-cd-one-w-pool-acm-provision-edge-creds - region: ap-southeast-1 - provisioning: - installConfigSecretRef: - name: aws-cd-one-w-pool-acm-provision-edge-install-config - sshPrivateKeySecretRef: - name: aws-cd-one-w-pool-acm-provision-edge-ssh-private-key - imageSetRef: - name: img4.10.18-multi-appsub - pullSecretRef: - name: aws-cd-one-w-pool-acm-provision-edge-pull-secret ---- -# Source: acm/templates/provision/clusterdeployment.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterDeployment -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy - namespace: aws-cd-two-wo-pool-acm-provision-on-deploy - labels: - vendor: OpenShift - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - baseDomain: blueprints.rhecoeng.com - clusterName: aws-cd-two-wo-pool-acm-provision-on-deploy - installAttemptsLimit: 1 - platform: - aws: - credentialsSecretRef: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-creds - region: ap-southeast-3 - provisioning: - installConfigSecretRef: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-install-config - sshPrivateKeySecretRef: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-ssh-private-key - imageSetRef: - name: img4.10.18-multi-appsub - pullSecretRef: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-pull-secret ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterPool -metadata: - name: "aws-ap-acm-provision-edge" - annotations: - argocd.argoproj.io/sync-wave: "10" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - cloud: aws - region: 'ap-southeast-2' - vendor: OpenShift - cluster.open-cluster-management.io/clusterset: aws-ap -spec: - size: 3 - runningCount: 0 - baseDomain: blueprints.rhecoeng.com - installConfigSecretTemplateRef: - name: aws-ap-acm-provision-edge-install-config - imageSetRef: - name: img4.10.18-multi-appsub - pullSecretRef: - name: aws-ap-acm-provision-edge-pull-secret - skipMachinePools: true # Disable MachinePool as using custom install-config - platform: - aws: - credentialsSecretRef: - name: aws-ap-acm-provision-edge-creds - region: ap-southeast-2 ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterPool -metadata: - name: "azure-us-acm-provision-edge" - annotations: - argocd.argoproj.io/sync-wave: "10" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - cloud: azure - region: 'eastus' - vendor: OpenShift - cluster.open-cluster-management.io/clusterset: azure-us -spec: - size: 2 - runningCount: 2 - baseDomain: blueprints.rhecoeng.com - installConfigSecretTemplateRef: - name: azure-us-acm-provision-edge-install-config - imageSetRef: - name: img4.10.18-multi-appsub - pullSecretRef: - name: azure-us-acm-provision-edge-pull-secret - skipMachinePools: true # Disable MachinePool as using custom install-config - platform: - azure: - credentialsSecretRef: - name: azure-us-acm-provision-edge-creds - region: eastus ---- -# Source: acm/templates/provision/secrets-aws.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-ap-acm-provision-edge-creds -spec: - dataFrom: - - extract: - # Expects entries called: aws_access_key_id and aws_secret_access_key - key: secret/data/hub/aws - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-ap-acm-provision-edge-creds - creationPolicy: Owner - template: - type: Opaque ---- -# Source: acm/templates/provision/secrets-aws.yaml -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-ap-acm-provision-edge-infra-creds -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - - secretKey: awsKeyId - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: awsAccessKey - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key - - secretKey: sshPublicKey - remoteRef: - key: secret/data/hub/publickey - property: content - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-ap-acm-provision-edge-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - baseDomain: "blueprints.rhecoeng.com" - pullSecret: |- - {{ .openshiftPullSecret | toString }} - aws_access_key_id: |- - {{ .awsKeyId | toString }} - aws_secret_access_key: |- - {{ .awsAccessKey | toString }} - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} - ssh-publickey: |- - {{ .sshPublicKey | toString }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" ---- -# Source: acm/templates/provision/secrets-aws.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-one-w-pool-acm-provision-edge-creds - namespace: aws-cd-one-w-pool-acm-provision-edge -spec: - dataFrom: - - extract: - # Expects entries called: aws_access_key_id and aws_secret_access_key - key: secret/data/hub/aws - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-one-w-pool-acm-provision-edge-creds - creationPolicy: Owner - template: - type: Opaque ---- -# Source: acm/templates/provision/secrets-aws.yaml -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-one-w-pool-acm-provision-edge-infra-creds - namespace: aws-cd-one-w-pool-acm-provision-edge -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - - secretKey: awsKeyId - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: awsAccessKey - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key - - secretKey: sshPublicKey - remoteRef: - key: secret/data/hub/publickey - property: content - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-one-w-pool-acm-provision-edge-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - baseDomain: "blueprints.rhecoeng.com" - pullSecret: |- - {{ .openshiftPullSecret | toString }} - aws_access_key_id: |- - {{ .awsKeyId | toString }} - aws_secret_access_key: |- - {{ .awsAccessKey | toString }} - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} - ssh-publickey: |- - {{ .sshPublicKey | toString }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" ---- -# Source: acm/templates/provision/secrets-aws.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-creds - namespace: aws-cd-two-wo-pool-acm-provision-on-deploy -spec: - dataFrom: - - extract: - # Expects entries called: aws_access_key_id and aws_secret_access_key - key: secret/data/hub/aws - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-creds - creationPolicy: Owner - template: - type: Opaque ---- -# Source: acm/templates/provision/secrets-aws.yaml -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-infra-creds - namespace: aws-cd-two-wo-pool-acm-provision-on-deploy -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - - secretKey: awsKeyId - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: awsAccessKey - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key - - secretKey: sshPublicKey - remoteRef: - key: secret/data/hub/publickey - property: content - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - baseDomain: "blueprints.rhecoeng.com" - pullSecret: |- - {{ .openshiftPullSecret | toString }} - aws_access_key_id: |- - {{ .awsKeyId | toString }} - aws_secret_access_key: |- - {{ .awsAccessKey | toString }} - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} - ssh-publickey: |- - {{ .sshPublicKey | toString }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" ---- -# Source: acm/templates/provision/secrets-azure.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: azure-us-acm-provision-edge-creds -spec: - data: - - secretKey: azureOsServicePrincipal - remoteRef: - key: secret/data/hub/azureOsServicePrincipal - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: azure-us-acm-provision-edge-creds - creationPolicy: Owner - template: - type: Opaque - data: - osServicePrincipal.json: |- - {{ .azureOsServicePrincipal | toString }} ---- -# Source: acm/templates/provision/secrets-azure.yaml -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: azure-us-acm-provision-edge-infra-creds -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - - secretKey: sshPublicKey - remoteRef: - key: secret/data/hub/publickey - property: content - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - - secretKey: azureOsServicePrincipal - remoteRef: - key: secret/data/hub/azureOsServicePrincipal - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: azure-us-acm-provision-edge-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - cloudName: AzurePublicCloud - osServicePrincipal.json: |- - {{ .azureOsServicePrincipal | toString }} - baseDomain: "blueprints.rhecoeng.com" - baseDomainResourceGroupName: "dojo-dns-zones" - pullSecret: |- - {{ .openshiftPullSecret | toString }} - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} - ssh-publickey: |- - {{ .sshPublicKey | toString }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-ap-acm-provision-edge-pull-secret -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-ap-acm-provision-edge-pull-secret - creationPolicy: Owner - template: - type: kubernetes.io/dockerconfigjson - data: - .dockerconfigjson: |- - {{ .openshiftPullSecret | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-ap-acm-provision-edge-ssh-private-key -spec: - data: - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-ap-acm-provision-edge-ssh-private-key - creationPolicy: Owner - template: - type: Opaque - data: - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: azure-us-acm-provision-edge-pull-secret -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: azure-us-acm-provision-edge-pull-secret - creationPolicy: Owner - template: - type: kubernetes.io/dockerconfigjson - data: - .dockerconfigjson: |- - {{ .openshiftPullSecret | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: azure-us-acm-provision-edge-ssh-private-key -spec: - data: - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: azure-us-acm-provision-edge-ssh-private-key - creationPolicy: Owner - template: - type: Opaque - data: - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-one-w-pool-acm-provision-edge-pull-secret - namespace: aws-cd-one-w-pool-acm-provision-edge -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-one-w-pool-acm-provision-edge-pull-secret - creationPolicy: Owner - template: - type: kubernetes.io/dockerconfigjson - data: - .dockerconfigjson: |- - {{ .openshiftPullSecret | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-one-w-pool-acm-provision-edge-ssh-private-key - namespace: aws-cd-one-w-pool-acm-provision-edge -spec: - data: - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-one-w-pool-acm-provision-edge-ssh-private-key - creationPolicy: Owner - template: - type: Opaque - data: - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-pull-secret - namespace: aws-cd-two-wo-pool-acm-provision-on-deploy -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-pull-secret - creationPolicy: Owner - template: - type: kubernetes.io/dockerconfigjson - data: - .dockerconfigjson: |- - {{ .openshiftPullSecret | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-ssh-private-key - namespace: aws-cd-two-wo-pool-acm-provision-on-deploy -spec: - data: - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-ssh-private-key - creationPolicy: Owner - template: - type: Opaque - data: - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} ---- -# Source: acm/templates/provision/clusterdeployment.yaml -apiVersion: cluster.open-cluster-management.io/v1 -kind: ManagedCluster -metadata: - labels: - cluster.open-cluster-management.io/clusterset: acm-provision-edge - clusterGroup: region - name: aws-cd-one-w-pool-acm-provision-edge - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - hubAcceptsClient: true ---- -# Source: acm/templates/provision/clusterdeployment.yaml -apiVersion: cluster.open-cluster-management.io/v1 -kind: ManagedCluster -metadata: - labels: - cluster.open-cluster-management.io/clusterset: acm-provision-on-deploy - clusterGroup: acm-provision-on-deploy - name: aws-cd-two-wo-pool-acm-provision-on-deploy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - hubAcceptsClient: true ---- -# Source: acm/templates/provision/managedclusterset.yaml -apiVersion: cluster.open-cluster-management.io/v1beta2 -kind: ManagedClusterSet -metadata: - annotations: - cluster.open-cluster-management.io/submariner-broker-ns: acm-provision-edge-broker - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: acm-provision-edge ---- -# Source: acm/templates/provision/managedclusterset.yaml -apiVersion: cluster.open-cluster-management.io/v1beta2 -kind: ManagedClusterSet -metadata: - annotations: - cluster.open-cluster-management.io/submariner-broker-ns: acm-provision-on-deploy-broker - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: acm-provision-on-deploy ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-hub-ca-policy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-hub-ca-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-hub-ca-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-openshift-gitops-policy-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-openshift-gitops-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-acm-edge-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-acm-edge-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-acm-edge-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-acm-provision-edge-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-acm-provision-edge-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-acm-provision-edge-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-acm-provision-on-deploy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-acm-provision-on-deploy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-acm-provision-on-deploy-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-edge-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-edge-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-edge-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-provision-edge-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-provision-edge-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-provision-edge-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-provision-on-deploy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-provision-on-deploy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-provision-on-deploy-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement-argocd - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy-argocd - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-hub-ca-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-openshift-gitops-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-acm-edge-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-acm-provision-edge-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-acm-provision-on-deploy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-edge-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchLabels: - clusterGroup: acm-region ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-provision-edge-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchLabels: - clusterGroup: region ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-provision-on-deploy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchLabels: - clusterGroup: acm-provision-on-deploy ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-hub-ca-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-hub-ca-config-policy - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - metadata: - name: hub-ca - namespace: golang-external-secrets - data: - hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' - hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: imperative - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-openshift-gitops-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: openshift-gitops - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-acm-edge-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-acm-edge-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: mypattern-acm-edge - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-acm-provision-edge-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-acm-provision-edge-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: mypattern-acm-provision-edge - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-acm-provision-on-deploy-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-acm-provision-on-deploy-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: mypattern-acm-provision-on-deploy - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-edge-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-edge-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-acm-edge - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-acm-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - - name: global.localClusterName - value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - - name: global.clusterPlatform - value: aws - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: clusterGroup.name - value: acm-edge - - name: clusterGroup.isHubCluster - value: "false" - destination: - server: https://kubernetes.default.svc - namespace: mypattern-acm-edge - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-provision-edge-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-provision-edge-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-acm-provision-edge - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-acm-provision-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - - name: global.localClusterName - value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - - name: global.clusterPlatform - value: aws - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: clusterGroup.name - value: acm-provision-edge - - name: clusterGroup.isHubCluster - value: "false" - destination: - server: https://kubernetes.default.svc - namespace: mypattern-acm-provision-edge - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-provision-on-deploy-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-provision-on-deploy-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-acm-provision-on-deploy - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-acm-provision-on-deploy.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-on-deploy.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - - name: global.localClusterName - value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - - name: global.clusterPlatform - value: aws - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: clusterGroup.name - value: acm-provision-on-deploy - destination: - server: https://kubernetes.default.svc - namespace: mypattern-acm-provision-on-deploy - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.13 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -# This policy depends on openshift-gitops-policy and the reason is that we need to be -# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance -# because the initcontainer references the trusted-ca-bundle and if it starts without the -# configmap being there we risk running an argo instances that won't trust public CAs -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy-argocd - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - dependencies: - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: openshift-gitops-policy - namespace: open-cluster-management - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: hub-argo-ca-openshift-gitops-policy - namespace: open-cluster-management - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config-argocd - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1beta1 - kind: ArgoCD - metadata: - name: openshift-gitops - namespace: openshift-gitops - spec: - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - webhookServer: - ingress: - enabled: false - route: - enabled: false - controller: - processors: {} - resources: - limits: - cpu: "2" - memory: 2Gi - requests: - cpu: 250m - memory: 1Gi - sharding: {} - grafana: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - route: - enabled: false - ha: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - monitoring: - enabled: false - notifications: - enabled: false - prometheus: - enabled: false - ingress: - enabled: false - route: - enabled: false - rbac: - defaultPolicy: "" - policy: |- - g, system:cluster-admins, role:admin - g, cluster-admins, role:admin - scopes: '[groups]' - redis: - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt - || true - image: registry.redhat.io/ubi9/ubi-minimal:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resourceExclusions: |- - - apiGroups: - - tekton.dev - clusters: - - '*' - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - service: - type: "" - sso: - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - provider: dex - tls: - ca: {} diff --git a/tests/common-clustergroup-industrial-edge-factory.expected.yaml b/tests/common-clustergroup-industrial-edge-factory.expected.yaml deleted file mode 100644 index af0e6d0ad..000000000 --- a/tests/common-clustergroup-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,987 +0,0 @@ ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-factory - name: manuela-stormshift-line-dashboard -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-factory - name: manuela-stormshift-machine-sensor -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-factory - name: manuela-stormshift-messaging -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-factory - name: manuela-factory-ml-workspace -spec: ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: mypattern-factory - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: mypattern-factory - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: mypattern-factory -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-factory - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: - - name: stormshift - path: charts/factory/manuela-stormshift - plugin: - name: helm-with-kustomize - project: factory - - name: odh - namespace: manuela-factory-ml-workspace - path: charts/datacenter/opendatahub - project: factory - argoCD: - configManagementPlugins: - - image: quay.io/hybridcloudpatterns/utility-container:latest - name: helm-with-kustomize - pluginArgs: - - --loglevel=debug - pluginConfig: | - apiVersion: argoproj.io/v1alpha1 - kind: ConfigManagementPlugin - metadata: - name: helm-with-kustomize - spec: - preserveFileMode: true - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-factory.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=factory - --post-renderer ./kustomize"] - initContainers: [] - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - resourceHealthChecks: - - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - kind: PersistentVolumeClaim - resourceTrackingMethod: label - imperative: - activeDeadlineSeconds: 3600 - adminClusterRoleName: imperative-admin-cluster-role - adminServiceAccountCreate: true - adminServiceAccountName: imperative-admin-sa - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: - - name: test - playbook: ansible/test.yml - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: false - managedClusterGroups: {} - name: factory - namespaces: - - manuela-stormshift-line-dashboard - - manuela-stormshift-machine-sensor - - manuela-stormshift-messaging - - manuela-factory-ml-workspace - nodes: [] - operatorgroupExcludes: - - manuela-factory-ml-workspace - projects: - - factory - sharedValueFiles: [] - subscriptions: - - channel: stable - name: opendatahub-operator - source: community-operators - - channel: stable - name: seldon-operator - namespace: manuela-stormshift-messaging - source: community-operators - - channel: stable - name: amq-streams - namespace: manuela-stormshift-messaging - - channel: 7.x - name: amq-broker-rhel8 - namespace: manuela-stormshift-messaging - - channel: stable - name: red-hat-camel-k - namespace: manuela-stormshift-messaging - targetCluster: in-cluster - enabled: all - global: - clusterDomain: region.example.com - clusterPlatform: aws - clusterVersion: "4.12" - extraValueFiles: [] - git: - account: PLAINTEXT - dev_revision: main - email: SOMEWHERE@EXAMPLE.COM - hostname: github.com - hubClusterDomain: apps.hub.example.com - imageregistry: - account: PLAINTEXT - hostname: quay.io - type: quay - localClusterDomain: apps.region.example.com - namespace: pattern-namespace - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Automatic - useCSV: false - pattern: mypattern - repoURL: https://github.com/pattern-clone/mypattern - s3: - bucket: - custom: - endpoint: - enabled: false - message: - aggregation: - count: 50 - name: BUCKETNAME - region: AWSREGION - secretStore: - backend: vault - targetRevision: main - main: - clusterGroupName: datacenter - git: - repoURL: https://github.com/pattern-clone/mypattern - revision: main - multiSourceConfig: - enabled: true - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: trusted-ca-bundle - namespace: imperative - annotations: - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: "argocd-cmp-helm-with-kustomize" - namespace: mypattern-factory -data: - "plugin.yaml": | - apiVersion: argoproj.io/v1alpha1 - kind: ConfigManagementPlugin - metadata: - name: helm-with-kustomize - spec: - preserveFileMode: true - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-factory.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=factory - --post-renderer ./kustomize"] ---- -# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: trusted-ca-bundle - namespace: mypattern-factory - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-admin-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-admin-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-admin-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mypattern-factory-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: factory-gitops-argocd-application-controller - namespace: mypattern-factory - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: factory-gitops-argocd-server - namespace: mypattern-factory - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: factory-gitops-argocd-dex-server - namespace: mypattern-factory ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/job.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: imperative-cronjob - namespace: imperative -spec: - schedule: "*/10 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: imperative-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: test - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - ansible/test.yml - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-factory - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/core/subscriptions.yaml ---- ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: factory - namespace: mypattern-factory -spec: - description: "Pattern factory" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: stormshift - namespace: mypattern-factory - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: mypattern-factory - project: factory - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/factory/manuela-stormshift - plugin: { - "name": "helm-with-kustomize" -} - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: odh - namespace: mypattern-factory - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-factory-ml-workspace - project: factory - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/opendatahub - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-factory.yaml" - - "/values-4.12-factory.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1beta1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: factory-gitops - namespace: mypattern-factory - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceHealthChecks: - - kind: PersistentVolumeClaim - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - - resourceTrackingMethod: label - applicationInstanceLabelKey: argocd.argoproj.io/instance - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - sidecarContainers: - - name: helm-with-kustomize - command: [/var/run/argocd/argocd-cmp-server] - args: [ - "--loglevel=debug" -] - image: quay.io/hybridcloudpatterns/utility-container:latest - imagePullPolicy: Always - securityContext: - runAsNonRoot: true - volumeMounts: - - mountPath: /var/run/argocd - name: var-files - - mountPath: /home/argocd/cmp-server/plugins - name: plugins - - mountPath: /tmp - name: cmp-tmp - - mountPath: /home/argocd/cmp-server/config/plugin.yaml - subPath: plugin.yaml - name: helm-with-kustomize - volumes: - - emptyDir: {} - name: cmp-tmp - - configMap: - name: "argocd-cmp-helm-with-kustomize" - name: helm-with-kustomize - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: factory-gitops-link - namespace: mypattern-factory -spec: - applicationMenu: - section: OpenShift GitOps - imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQwAAAEMCAYAAAAxjIiTAABtCklEQVR4nOy9B5gkx30f+qvqMHHj5RwA3OGAQwaIQ86JYBJFUgyiRJHm06Msy7QtPkkkre9ZFml9T5ItW6YtySZNijkiA0Q85EM6AAfgIu4Ol/Pepokd6v++qu7Zm9udmZ3QPTML9I/fcHE7O9011VW/+uc/R4QIESLUiYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA39E4PIEK4uPduQnzVCDRiIOIQjMDAAJA6LggAo1M/S2AT/1cGOvU7kv8jBsbkdcn7tfw3995jROqCrutgDWZj6XmTLxZhJiJ6iu8y/HDDBswaOBu6yyH3rEtFMIfDYRx6UWeWUdQ1xnXOSbc1YRK0mO5S3AXFGbEYgBgHmRzQAGYAjHk8IWmBbDDmcIIlOCxBKALIOy4VdWIFMGZpGhwXwo05wnE0jbjG4QoHBo/B4QyCGI4sjuPz/UanpypCE4gIYwbiVy8dgx5jSHAd4Jp39MsnKQg3n9uHe986Eou5RpoIAwAGGKPZAJtHDHMBzGHALACDYOgjIA1CEkCcATFf6tT8taFNrBBP+nDlXbyf5BCYJAz5yjJgnAijjGEYwBBAxwCoFyMcJ2LDNuMjNljmxl0566U1aUlC4IqK5OUZNMHw/No0vs6iZdmtiJ7MDMJTb2dgFQVcYSNl6Bgby2lIxOIQop8YLdQJywWjlYyxFYywRJKEJAwAvQBS8AihXXYrt0QmAMYAnARwlED7wPg7JGi3YLSHEzukA2OOqxeEbglT0lA8DodiuOPcmBRw2jTcCPUgehpdigf3ONCzOXW0M9/kQKKgua4+QKDFYOIMRmwNY2wNAWcxYCGAPikpzADblA2gANAIAztAwE4CthBhK4F2c7BDI+gdXkCjwjYNtUiZYMi6PfjQhZGdvpOICKOL8K1rCCv+5zg0JsCtIrJunMMspHXwxZpgaxnDxWA4D4QzAMwH0FOvxEAT/zcJPhlVOsjLf0cVPktlRtAp12YNLy5BwCgDDoNhFwibiOg1AbxlAIfZsMiwOZwcMlEQWXzkgoWNXT1CIIgIo8NY/04WTtZWOjyLWRgb1vV4zJnHGFvNCJcBeB8DzgOwAFC2hmkJopwc5KbncvMyBo0zcM6gaVD/Xfr3xEv9redDUWThf04yA/meFPWTSO1uVxCEfBHBdcn/t/d7+SLh/V052TSgYbieOkMHQXgTjL8gBNsoSOw4kjlwfNnslS6Ts+YCKZ7EunMjI2o7EBFGh3DXGwWktDzcvAOXyNC4NodrdCEB14DhcgCrAWWkrKpeTGxE/zSXm13TGHSNwdA5TIPB1Dl0Xf6OeyShMfV3vJwQGtvI/s1PCRUlEpE/FXkowgAcR8BxBWybYDkCtnrRBNFMJrZpINWYIwC2AdgggGeInDdN2zhRSFpukhKw+lO4Y3FEHGEiIow24tEdeTDHUv/99F6NXbEwNw9g5zGwGwi4lgFrAPTXkiKITkkNmiZJgSMmX6b3U/5b88mBsSobkSprJ0Gg0v3IlzIkSSgCcQSKNqFouSjaApYticUnkSrq0SS4BJxkwGYQnmSMnmYCb26+cPbQeZtHldGHx5K48cyIPIJGRBhtwN07c0gWbMSdHPIsnnTJWa0x3CjAbmHA+QDmVSKJiRPYJwgpNUhSSMQ0xGOa+m/5u5I6MRFUFRYbBICJgDCftCRJeAQiUCy6yBddFCyPVMrVmRokIlWXwwBeg8CjxOkJAtut28U8j/cgbzn44MWDbft+73ZEhBESHt6TBc/YKtrxNV2wtTlawDitA9idDLgOwBIAZqXPlk5ZqVoogojrSMY1xM1TBMHKjI1dzA91ofy7SJVGqi1S+sgVXOSKLoqWUOqNmF76KALYA+AJIjwAwV65/aLBo49uHlVLXaTjuH15rC3f6d2KiDBCwBM7crDzOeRhGRqMFTqx2xjwQTBcDC9o6jSUJIkSSUgJIp3QkfBJQqoYvu3xPYPS93UFKZUll3eQlQRScOA4njEVtSWPYwBeIsHuFZweExb2mZrraskUbj473b4v8i5DRBgB4bHNNohyakZtx4mD03ncxYfA6AMAO9uPjzgNJa/kBEkkdaQTGkxDUzaIctH9vYwSKQifPLJ5F5m8g3zBVcbUaeweOYA2E9jdBHrAFWJr3IxbBEImlsRHz6wo5EWogogwAsBj2/JwrTG4jpEApws46BNgeD+g4iVO83KUpAlJCPEYR48kiaShJImSqvFekiQaRYkYlORhCUUc41lH2T7c2kZTm4BtINxPhF/mdXpzrk2WlUzipkjiqBsRYTSJB3cRYoVxCBAKtpvQiS5mjD5JDB9gwNLJRszSQjZ1jlRSQ2/KUHYJ/T2obgSFUgSsI0hJG2NZWxGIJBJRfXG7AHYR4W4CfkEkNsWMmEXE4FAP7jg/2hK1EM1OE3jknTzY6CgsGAYHzuMcnyGiDwFYWYkoOAdipoa+lI6e1ClpIiKJ4CDJQwjAsl2M5xyMZmwUVN4NVZM4JHHsIKJfMmI/Fba2VY/ZLtPjuOXc3raPf6YgIowG8MiOLLjtYtR0eCpLq8DokwB+C8BZfobnBCQZaBpDMqahP20gndKVhyOSJsLFhNThEjI5GyMZB9mCo/5dZbE7ALaA8EMi9suhkeHd8+bMI8OI4frVkX1jMiLCqBNPbilini2wV+TmgdNHAfwugIsmu0ZLRJGKaxjoMZBK6jA0T+iIeKK9YL6tI5t3MJKxleRRgzgKAF4Ese+Qyx/gsfyQafbjhlXJdg+7qxERRi3QX+DxLV/2KkflKeXq7o0M9EUAN/rp4qf+1CeKdEKfIApdqh2dG30EH566QsotOzxmTUcco0TsEcbwj8TwvK7reUPTcf3qVLuH3ZWICKMGntmcw2ExwvqFeY4g9gUw+gSAReV/o4iCA8mEjsEeQ3k8dC0iim6EJI6SxDE85kkcrlvVxrEHYD9yGL5jFrHb6EnSDWcn2j7mbkNEGBWwfnsWju2gAGvQcNlHGMMfEOHCcjsF+QswGdMw2Gsqr0dEFDMDijiUjcPByTFLeVYEVdwMtlJTQP+DhPaAHuNjOo/hvUwcEWFMwtPb8jhycjtPJRZeqHH+hwA+4letOg2mwRVR9KcN9d8RUcw8yMVvuwJjGRtDYzYKRbe8znE5jgP4KZH4h0R2zhZ7MEe3rHlvqigRYfh4ansejmPBtZx+wfFxEP2hKlZTNkdyMemcoS9tYFafqRLAWGTMnPGQz7BoCyVtjIxbsJyK9g1BDK9AiP/quuy+WMIcJ8Zx65qeTgy5Y4gIA8AT2zLoORbDyf7Rc4jwr3xX6YRUUTp1UnENs/pjKjpTiwya7yr4NZSVfWNotKjsG5XVFDpGjP0AwLdu75+1+6mxPK5f+97xpLynCWPDdgsZkYddKCY457cB+AqAdeXBV0RQ4VmDPQYG+0wVqRkRxbsXjEElt0lJY2jMUpmyFWBL7dUV9Demw59gSd2Sf3fnRVM013cd3rOEcf9OQj5zBGnNmAPBvshAXwKwuPR+SapIJ3TMGYipn+/d2XpvIl9wcWKkqELO3cpG0V1E+G+c0fc1XR9maQM3LXt356W8J0swP7k1i/s0oBfG+RD4zwz0tclkYWgMcwdjWDIvoVSQiCzee0gmNCyam8D82XFVl6SCZHkGY/iPBPZXdtE96++W3oXHt+c7MdS24T23DZ7cnsdQLq8nubgJwNcZcMXksO5kXMNcKVUkDVXJKmwVRHUM4gx+SyK4ROpEi9A9yOUdHBspqszYCpAqynqN2DfGdPZsWmPitjXvTvXkPUMYv9i4FX2xhXBdN80gPkOeveKM0vvkb9r+Hh1z+mOIGVpbbBUGZ0jpDDGNqS5gEg4R8i4h51eZaiem5rlMdTS+F3sLMVXnhDA0UlS2jSqRolsE6BuWW7wrFU/nIdK4ZW23t4hpDO+JR//jLW9gCT8PY7mTc7km/iXA/gDA7NL7ckuYOlNEMdBrqkzSdkCSRb/J1c9KkIQxZgdDGl6LgFK7gFL5f1Jp4Or3pWK901XsUXV9/ALD8KqO89JPvwp56ffvxsUl52gsY+HocFHVHq3Qr/oQIP6rzdg/9SXNkevO7OvQSMPBu/GZnoaHdo1jtZXGlvzRlZqmf40Bn/T7e0xAqiDzBj0VpF2Qm6vf1BDXqj8CuW/HLYGMU9FSXxXC7xvi/SSl4oiJl0cQCDh+pPQtSsThtTJg0Bib+O/S798NyBddHDtZwFhlFWUMDN9hTPtbztiBmBHDtavfHdGh746nVwWP7y7ixsdM/PryoQsY2P8L0J3yYJ/4Awb0pQxFFnGzPSpICTHOMBDTMJ0wU3QJw5ZbVcooSQ6SFBzVD0Qo+4dQ0gR1hQuY+VKJRyBS9eMqAE6SyUyVROR3smyB48NFlZci53/S9yiA6BfE6D/kkNuZzC3BHVdonRpuYJiJz6ouPLZtDBaBk128QiP2DQDXln9fqXbM6jOVGqLr7S9mk9I5+szpnVRyIZ4sCthljCHKCMIRXpEY0SXkUC9KjZcUcZQRyEySQJj/LIZGLUUczlRLtQvCr4m0P7/9wnWvPrzjddw+wyWNmfN0GsCj28cwUjjJepC+GcBfAqrloPquKhBLZ8oLMthnqgXaiY3WCGEMFV0labg+QdjilIrxbkFJbTG4JBGPQGYKeXh2DRtHTxZQsKfYNaQ++bQQ2p/tjw2/uNSZTXecP3Mres2MJ9IAntyWw2hhVDdIu4Nz/k0Aa8vfjxkc82fF0ZvubFesmMYwYE6vkuRdgcNZGwXXPdVe8F2OkpvZ4Fy9tBlCHtm8gyNDBVV3o4Ix9GUC/mxkvLh+4ax+cf0MTV7r/qfQAJ7cmkMxm9dIFx8Gk5IFW1N6T260ZExTZJFOdt7VJYlCEkZsGqPn0ZyN43mrrWPrJqg2DJI4NA7TJ49uBfONoYeHCip1vgJeg8CfuIX842Zvn5iJtUO7d/YbxFPbcsjncgZxfIQxSMnizNJ7pEK8NSyYlVAekW45pSVZSLVEr3J6jsrFlyueZr94L0NKGaZPHgZnE42kuwle5quLI0NFVYi4At4gwp8ULfuRVH9a3LJqZmW7dt+MN4GHNmdg5jLcNrTfAGP/yS/KOwEpUSycHW+bJ6QkUnM/A9KpYWvQGZDQGRI6h+Y/DkkQY7aDE3kHtmjMpfpeQEnqiGkeeXSjumI7QqknI+MVSWMTCXxlXIw+tii5lK5aM3OaRnffTDeIJ3YUMDw6qqdM/f0A/TWAVeXv96Z0LFC5AO2O3OQTVvS8S8jY4rT7u0SwXIGi6yoRSP697ovbRVeo92r01ogwQcwecZhdRhxecR7C0aEChsetSl64112Irww4vY8X0kQ3zhDvSffMcBN4/u1R7M/FWS/GbmVgfzPZwNmb1pUaUiVxKFDIvZ7UOZI6m6JilAdgiTKicMpUjfLxzeiH0iHoXUocjksqwOvkqDVlDRLwEhG+nEmmNgwIC7ec3f1Rod0zsw3ivjfzGGAnWEYkrgaxvwPo4vL3lWQxJ4FYyPUrmG+LSOm8pgHTEqS8HTnHOY0oIgQLSRxxnzi6wcbBfNKQksbJsamkAeAZIvZvDE3bWDQ03Hl2d9s0Zmx6+4p5Qxh3kxeB8JcAXVT6vXwgvUmphoRPFpIfegyuQrxrkUUJUqqIDJjhwhECWdtBxnaUJNfp2VZJjRrD3Flx9PdWbIx0FWP0F7ZwzlrT/uE1jM5TcIO4fwfBdEZRKNpnmlxKFqrpsReUBaAnoWPRnLhqTRjmYpEEIcnCrNPNl7UF9o0XahpAIwQLKWDENE299A67Y0s2jcMn8pUMoS4BPyMSfxoz4vs2bn8e/89Hb+/MQKfBjJMw4sUhFB1nvs7xNQC3lpNFKq55Bs4QyUKuu7QvVdRLFlKoGLWciCzaDDndBcdFxrLVT+rg/KsC0hrzggZTU7wiUj79DQ3831lFZ+Cy867szCDrwIwijPXbx2A51KMR/i0H+2R5IlnC5IosErHwyMLgDH2mpiSLOjQQhaJLOJKzMFys6F6L0Aa4RJ6aIkm7w25qU+dYMCum4oImrdM4Mfwe4+L/zhdyyce2jXVqiDUxYwjjV5sc2IWsyTn9Dge+ICcY/ikiH4Jk7mRcD40s4ppXuyKh1ZddqZLGCg72ZQoYKthtL4QTYSosITBuOcg7TsekDXlXKQHPnx1HMsYnu1t7wPBH3NV/czw7zp/a3X3l/mYEYTz9dg5HR10moL8f4F8BMFh6T9cZ5s2KoWeqmBcIVCFgXwWpVuhmMrKOwIGMhUO5IvIN1rKIEC4EEXK2q4yinZI2vDQF3+U/NQFxPoCvxrl5neMW2XO7u0vSmBGEcfL4OFb2jl0AsD8DsKz0e8a8Kll96XDa8ku1o9fkSgWphyscQTiet3FgvKhsFlS50nSELoDlCqWiFN3OkUYqqataLNrkFpsMqxljXyvm7NUjue6KAu16wli/PYdESltCjH3NT1OfwGCv14EsDHe77tsrUjqva9PnHIGDWQtHcxaKYmrptpkJVvZ690HZNiwbOdvpWKkAedjJQ2/SgST13usZ8BVOuVlP7Mh2ZGyV0NWE8cTWHEat8QQBvw/gzvKV25P0+oWEkb1o+rU2a5XPK0EVUCk42J/xpYqZsr0ky3IO4pp6Qb04qMS+RGDkggnHe5HwzkVV+YZ7f6/ppz7L+IysDiyfV95xlVHU7YChSS5feegN9FTynLCPw6XPZfPZ2DO7c20fWyV07RN+9BULNh/XOKdPgOHvAMyF/4ATpobFcxOqb0TQB0NMY+g1qhfmLYflqyAjRadSibbugqqTJ0VfpjY/s4vghSx4bhxabhQ8NwYtPw5eyIAV8kCxAOY4YK6jVjVxHWSYICMGiifhJnogUr3eK9kLN9kDMpMg3fDvQX4J8plj7ZVSZVLXVUJbOyHXjWULHDiWVy0aJ/HuXgH8YSqtP0DjBl1/YWfraHS+MEQVaEszEAfpAmL4tyWygO/LnjsY89LUA16LUqLorZFuXo6sI3AsZyFju+rf3UcWzDu+5E/hKnLQxk7AGDoI4/h+GEOHoY0PgWdHwYs5RSBMJcIJ+BWEQVK/91V8mnxdKY1IcjDjoEQabk8/nIG5cGYvhj13CZxZC+Gm+xXBqM8oAuluA7AjSBlDk6Qhprev/qaqWm9wZc+wHKEaQ5etp2Uc+OPMeHE7UrG32zaoKui+dQ5g/bY88vn8bM7dvwPYp0vjlPt47kAMcwbigUu/CUUW2rTxFaTqVDg4mreVwazrJlBJEhxwbejjJ2Ec24fYwR0wDu/ySCI/Dji22rxe53lWmt2pKoXa45I4PAI5/T0q+0meRCElGE1TJOL2DcKZtxTFxWfBXngm7DmLIeJpb2ySOLo4iE3OQkLXEde1tmpZ8lYnxywcPlGYrB5JXfcfXcG/lk6lR69bHY6Rv94xdhWefyGH8WTRcMn9EvfqcapsHDl9/WkDC+cklJQRJBK6VEOmJ4uSvUKqIU5XqSDeiS83olQtzMO7EH/nDcQObId+8ognQRB59gnWhBGTCMIh1N2OzVdHpAJEmg7R0wd7/jIUl5+D4srzYc9aBDITXS11yBmShJFQpNG+Jy2El6h2YnRKlbUhAP8uyXq+f+35sY5NWveseR8/y55A7w52LTj9r/LaFjGTY+m8JBIBqyL1ShZSXD2Wt3Gy6AVhdcfE+UTh2jCGDiG++3Ukdm6EeXQfWCHnbdgAjZHk+GpKo/OvvEakpA/RO4DisjUonH0ZikvXwO0Z9HsldCdxxDWOhKG3LWVe2TMcgf1Hc8jkJ9cGZa8R4fPxROr1G1bH2zKeSuPrGjy2Iw9nPDuHdPwPBvxmaXycM1Uxa6Bytl/TiGue63Q6srBcUu7Skhek8/CIgjk2jON7kNyyAfGdr8EYPgK4TqgeC6mekNMEaUxcQChpRySSsBedgfy565A/6xK4fXO897uwwlhM40i2mTTGczb2H82rhLWyu7pE+A4Y+xPu9A3fdkn7TZBdQxgP7RiFm3cNjdw/YEz1EZkwBw/2mipPJMgWhjEV6j09WRRdgUPZU8bNjkMShevCOLoHqc1PI7H9ZWhjJ70TmvP2PFIhVZRTBtGmoNy2Qnle7IXLkDv/WuTPfh/c3tkTKk03od2kIXFsuICjJ4uTyXmYiP3b/HD8n5ckkuKyde3dwl3jJel3NIwy6yKA/YsSWSgXaoxjdr8XbxHUEjK55zqdjiwKqsR/l5AF81x9+vARpN58CsnNz0EfPubHRkiJoo1dtTgD17ln12g2doExkByz68DYuxN9h/ciseVFZC+5GfmzLgbF07600R3E4UWEOm0jDXmHwR4TubyrXK1lGGCMvpTsL7ywb3B4W+gDqTCujmP9tjwK1ngfU5Wz2O+WxiVJYuGcOPp7glNFvIzT6etY5B2fLJypPSbaDs7BCzkktr+I9MZHYB7d420m3uG4Oylp2AFJAyWJI55E/uyLkHnf+2EtPMsLCusi+0Y7JQ15i0zOUfYMyzlNNZGz/vfksD/n6b7s7avbd+53hYRRyKlONXeAsQ+U17foTeuVagc0jVKFrGnJQkoWOQvZTpOF79Ewj7yD9MsPIrnjZWXMLEVldhzysRnwSaPFa5UkjmIByU3PwzywC9nLbkH2ghtVcFi32DaUK525SLbBeyJ5OJXQlUquVJNTkJviE0Lnj99h/4cHQx3EJHT88Hx6SxY5O7cSxL4Nhuvhk0Xc4Fg6PxlYfQv5RXtVbkjtr1wos1l0liw4mJ1HcusL6HnxfhgnDlSOlegCtGwIrQThAoaJwqoLkbn6Iygu8h1mXWLbSCiXq96Wx2FX9ZrgPpf4F1OJ2NHrV7cnArTjx5Rj2TojfAIMV5R+JwWAwT4T8QCL4aT8it61YLmEI1kL2U6TBecqCrPvqZ+i/7F/hnH8QFfnajCNgekBLyUpRTkOEltexsA9/xPJN59SXqGSLafTKDiual/ZDpg6x6y+WKUyg9drTHyk4Ii2TUpHV+AT28Zh5YsXg+EHYFA1UEtFfJfMS6q03yCQ8N2ntTQRW1X19lynHQXnMA+9jb5nfo747jc9/b1LNsl0IFt4UaEBgwkXIplG9n23YHzdByFSfV2hokj+Thm6qhkaNogIh44XMDRmTd60LzKw3zNjia03nJ0MfRwdW4m/fJtg5wopMPZZsFMBWpJFZ/WZgUVzGpypAji1yMIlLyiro2ThSw/xna9i8KH/jfjOTac8IDMESsoIIXuYuAaWzyL93P3of+R7KnpVSSAdhtSO8rYLuw01NThjSuo2p/bYuUiAPmHbblsKZ3RsNV6YewmuhnVg9FEAE0+/L22o1oZBnFMlI2etzFP50E8UnM7W3GRegljqracx+PC3YRx5p30xFUGCyX3Mwhm2JE7HRfL1Z9D/4P+CcWR3V5CpPGxyjpetHCa8EANNuVonTa/JgE8JUTz/8e2FUMeAThHGl39F2MrOTDOw3wawBKWMPZ1joNcILEArqU9f02LEcjCU72DNTcZUCnl60xPoW/8jaCMnuuL0bBoaAwurpL+fnh/fsQkDD34b5sEdXTFXjiBVhCdse6yc1f4ew3MEnH6vM0D4tGNZoeskHSGM//IbDIz0axlwB07lSqKvx1C1DoOY+LjfjawWMrbAsVwHE8lKZPHqI+h76ifQMqPd4S5tEUo1CXFCiXGY72xF/0PfQWz/tq6QNCxXqOLCYUIVEDa4crNOWiY6GH5DuNYlT20Lt3Bw22f6nh153P/a2ACH86mJojjkTcRAjxGII0Bn09stSvkhHSunJ8lCqiGbnkDvc78Cz2ffFWShILWSkIvQENdg7t+Jvoe/q4zE3SBpFF1XEUeYUE6BlFGpQv4yBvoE2SLUrLS2r9DdAtA0+yoGuqW8zkV/rxlIAyJ5wZTBagZneUbOTgZmMfXkk289g75nfgGezzR+SpbnW5RqYKB74hSYFn7MiJI09u1QhlDj2J6OSxpSrc23wZ5h6EzVs51UnpKD4YMFN3/pE9vDK+fX9hk+3y2mOfAJAPPgr++4qaEvHUwQTExjSExzug0XHWW76JhJkTHEd21E77O/AM+ONbXQmWmCz5oFfelS6CvPgL5yJfSly8BnzwYMo/PEwXzSCBnENJh7tqPviR9BHz3WcUnDEYR8yPYM8mvapqaUemCLieFjjm2HZstoa2j4kzuyyOez6xj4zaXfKemix0DMaL3Ohea3MaylimRtFyfyHaxpIUXpg9vR/+RPoI8cb3yBMwbePwBt/nzwZFKKa6e9rQkBkc3CPXoUYni4o3kYkjDIZaGTlzKEbnsVvck+jNzyWa+yVwcJU6olOndVAZ6woGtc7Zts3ik32MstcKdw7R8/sbXw4o1rgtdO2iphOHYuxcA+Wi5dxEyO3lQw0kVSr50nYvtFey3RKSMnhzZ6TAVlGcf2NUUW2ty50JcvB+/p8ats0ekvSSg9PTCWLYc2b15no0NZ+5JoJS8m3ngW6Y0Pe4WLO/i9yY8EDbNRkrxHOmkgMdWWsQKED7mOFUpcRtsI48mtGbgOPw9gt5buK59pX8rwbBctHgimxhRhVIO8/MmCg/FOhX3LjWzl0fvCPYi/82bjBk4i8P5+aAsXgU2ncsj3DB3aggXgAwOdTRHnIcVlTIZcTJaF9IaHkNjxUsfD6F0irwF0iPfQNaYcBZMyZzUwfMh17TMf2xG8x6RthGHbri6I7gSwHGWVkvvSrXtGVIiuzmrWt8jaQpXX69zWYUhueQ6pN5/192+DX9owlMQwLVmUQKT+Vp83H8yIdUxEZ6yNCXOMg4+PoufZu2Ec29txr5NUTSwnvHwTpqQMXdWMmfR4zwTo9iEKXr5ry4w+9vY4HNdezqAIY+JL9CR1xKYGoTSMOGeI11gcjiCcyFtKJemM3YLDPPy2yjplxVzjG0hKFz094KkGdXNJGqkUWE9Pw0MODMqB075ZJ8ZhHNyDnufvbc77FORYVPazG1qDJFIek4qHbhwMH+wtZhY+viVYj0lbZtN2MgycbgJjq0u/U60I00bLA5BrMWnwmntwpOh0Ll1dnnq5cfS89AD0k4ebs+IzBpZMNXdicg6eSnVURGdtjnKXnJrY8hKSW5/veHS9PKyKIWa1ysfak9K9HJPTeekiDXTFz3YEK2SEThgPbBaArc9mjEnpQrl7lMEmoQdS6yKh1TZ0FlypijgtlZ9sFXLhJnZsbH7XMAYuVZFmN73ZwmeDAG9zHQ9JsIUc0i895KkmHY7PKLoiNAOoF/SoVXIc9AvBPvhbZ+YDLZQR+kwuOsoBMi8EnWqkzBlT1bRa7YuqSelCZ1W3oZQETxaczjUcYhz60EGkX39cdRbr2Kbtgliudu9Zqb5rRw4i/epjYE4H597vZ1NwRGiPQX613pQxNcOb4eqi45zzzNbxwO4V+mPcO3DcAJzbTw/U4qr0WKu7WEoXtTJRc46rupR1BCpPxFZJZU25UMtBBGHbzRsuLavzgVzt8paUQxASbz2P2N7NHZcyLBFeGrxSwWJapfahiwDc4tp2YHpJqLP4g82vI8axhIGuLw8D70nqyljTyhqWZJqoUUGrJF3YndoojKsOZMmtG1rfrESgbAZoRhd2XRXI1WnCaGf3sLKbgo+NIv3a46rJdEdjM8iLzQjrMWgaU1LGpPPTAMNNlmDzz3j404HcJ1TCOG7tBQO/sryDmfxiPQEEasWnkS7GbbdzMRdgSgVJvfEktNETrZ9ujEGMj0NkGlz08nOZDEQmOJG0abDOkAaBIbbrTcR3vd7x2AxHCFgh2jKk1G6apxfYYcD5DtkX7bz8h4HcJ1TCWK1fkRYkbpzoM0JAMqap3JEwpQuXCMMFO/QkoKpQbtSdwS5Sx4F79AhIqhf1XJMxkGWrEHHU+5mw0YkhSNUwl0PyzadV39lOu1mLUuILaV2aBlfOhEmYxRi/4b59I4FEfoY2e49uHQe5fCUYu3yi5aGvjrRq7IxNJ11YAlmng2nrdhHJzc9CywwHt0CltDA6Cmf/flBxGiNeiSwOHoAYHekOsgBCKd9XD5SUsWerb8vosJThChUPFAbkV0sn9cnFghlj7FounIXffeNoy/cIjTC0jJAXv4wBKzARrdy6sVNOSlyr7hmRUsWIFX6KcVUwDuPEftU9PQyIoRNw9rwDMTICKCOa77IsvYRQJOG8sxvuieMdt12chk7t1ZKUsfUFMKvQ8TwTy3VVUd8wLi4l+Jg52T5IZ3JiF//ueXNbvkVo2arFJJKw6TqAJUq/S8YrfZnGYPLatS6ytuhsmwASSLz9CvSRAGwXVSDJgjIZsFQaLJ1Wqe4KtgWRyUJkM4Btd/w0nQxJ88Q64+ZV1ar2bIF5ZBeKS88FqHPtL20pZWik8p+ChPyOujyU4zqy+dO+Xy9n7Lr73hp+UG7NVu4RGmFoYEsEY5eW/q3yPRK6qtfZLGEwv/ReNb6Qkt6oL110LBt1/IRnu1DtAUJK1ZQqhzylpLoxNuoTg999zM9Y7TayUGA+aXSCMRgHGxtB/O1XvaZI6tl0RvoqSRmGxgNfp15+iYahMQZxSvXhYHRZgusLAOxp5fqhHIFP73bhOsVLSwV+4VcJSia0lp6RxpkqkFMNeUd0tnEyY6rGpHHiYHuMayVSoLJWhd1IFOXoZLa9KxDf/Qb0saGO2VNKsAXBDcFjoroGmpoqeTlpq61ybPuc9Ttaq44fyqq28rkYgzJ2eqHgfmCJqU/5Eg0hxr16ndUwZjmdSzDzjZ3xPW+CWZ2NLOxasM4SBjEO/fgh5cHqdJKJIAqt/qdSSxJTpNtBxvA+x7FaEntDIIx/A5ec+QAuLq97IfWqVrwjnHmxF9VguaTiLjoGvzhO7MCOzo0hQm2oHJOC11HO7WAfGh+WEKG4WOV+S8r9dvqhxRlhHSPqa+XagRPGq4f/QurXZ6heCSVDjMaQiGstkbrOWU1XqlRFrE7ljPgwj7wDbfR4x8XdrkaHp0Z56w7shD5+suPh4kJQaC7WhMlhGKfbC4nhbMspLH9px2tNXzfwGRs6Ns4IJKWL2eoXfguBVr0jMV7d2OkSMGa7Hc1Iheso+wWzrc7viq5Gh+eGMegjx2AcfafjaiP5HpOgKUORosGVLWMS5migC9YfvrDpawdOGLrWm2BgF5V7YOIxTRUtbRaSKGq5UouqiUwHXamMQcuPw5SLMEJ3Q6kleZiHdqv2lJ0mMEeIUArscMZUGMMkTkwQ2MXr+kdjTV83iMGVw4E7D4S1EzdgXjBJK2Sus9rqyLjlqkIlnYIypp085FUBj4yd3Q9XqP61vJjt+PNyicKplcE8R8Mku6H8x1qL89nNXjZQwrh/I8FxrDPBsLD0O01jSsJoBWaN2As54dmQi61OBzk04/h+8EKu4ydW16MLpoekWjJ0GFqmO8LmbSECD8iV1zMNPiUrnIDltmstfviVI01dt6HArce2ZCpHyHmNvDB0jFjfADsXQC/KWiC2ksrOfPtFNRQcrzhJJ9URuLYiDGV574KWfRGmA4M2PgJ9+AjsOUs7PRglHcuDr1bIQDPQ1WHNkS+e2rNM1aWh1UgmXnxs8yjK3xCq+76Om1dVL9JVN2E8usPGtrffxhmL585nhAu9gjjEAeaC0WGH2Ka+3uFxBpyr8vD9QUjpQmshBFbnbHIyzWmQ0kXH8kYUGHgxB334KDoU9Tyj0BVzxJiKlVE1VrsAwldL9IAPG8YYEqaGEXaaCznOGHsf2fYeF1hCRKafnzdsc/5W3iq+88z2vLhmdaLiNesijB/nx5DfUeRnLpp7E4A/BlPl9uKn5EuW0xmeB6cfM2A1lWWnxk3e0iIxeHUvpSSKnK+OdE7CgKpOrY0NoUMhYxGagSuUWgLhdIWeJAmDVEuR4CAFlpjJlR2jzLAqb/FJAn5TaQKnipTYOtGOHvC/LxbyP39wt5V//0pzyjXrIoxF6wWyi+zzwfCfAFxS4U8kHX0QDBcSoGrak6pbwWAaWtPHirIN8OqZqZZLSiXpLBh4bhQ8P9YV+nCEekHQR08oNzgZ8Y7LPVItkZKGFvAaMg2uVBPHpfLlOavCXRKMcCmAv3Qhxk4Qv7vS9eoyep48gwxAfAzAdA7cJQD61X+Rlz8iB9wspGRRyzuSd7xqzJ3cpiowLTMCrtKmOziQCA2BiIGPjyh1shuIXpJF0O5VqanrmmdDbABLBPDZ+Xa2t9KbdV0pZfMUA84pb0JUD+RAJbs1a2KQbFvLEJR3RWeDtXzw7AiY23mf/oxAt0yRVCULWd+12unBeAdPGO5VTWOqbF8jYMAqLjCr0nt1XcmFK/WKxkp8MU8c4i2ESes1ojsdv3R7p8GkGJkdVYVrIswsMKuo7E/dYnuSazpoxUjZMaZp9DUZUjlwBatorqiLMKiJCgbKHdrgQCejljZjuaSSdzr+qEmoRcc6b/uP0BAY4NhKyugWCEHlNSwCQzP7UK+iFoSWfcN9CaNZMNROZS+6osPuVB8kwKzgu2RHCB9SjZTPruOHjg9lxwg8gsszDbRaR7eE8AiDM8/Y0rT9AjW7sRfc4KPjmgETAlwlnDUAKnuJslf579/N6JodKsm+wWcXIsgPFQj6mprGlfEziEuHUqLPS2nnyuDS7Bg1Zb+ovLLkpBb9LL/Orj3mSRiuVf17kletTxKC/KkCZQU7VQR2UhMJlJr+cPKyrzUvC7vdDY27AqUpIubPI5vy3gQm5o7UMegtHao9Z0RgTufrYpTDDSEeQ+OexzLfUjVPD+HU9CQvLLVZg2cphqOaRuIKz4bRNZhM3eQRAzn+T9cnDSr7g1qXK3+/VJ5T88pQcsMvR/luJQ/yCUJ4BDFBEnU+bgI7nTw076dHuJOfE4GJDrXSrAJ5GMrDJMimT560H8z1QisCLAfYrNrk2S+q7wmbSFmUu2fPeCNREoQkCauMJFoF+Xwkr20DoggwHeC657cKq85w2yHJwWXeHIoWn2y5ZCJ8ElFSGoFp5BHJBA91zyqCX8iaQhCdDb01B0QJoRCGHJiuBtjcCJkvYVSD7YpQrMkNQ6kOmlqYciMLX6II1QZBHnG4NsAsjzS4OZOI4/TnSiWicFm48yZO3csjDqFOJdLMrgjcKkFKFyriM2DGkBK//Jqt2jFCkzCmtJ5vAGof1vi4JTpSqP50cA5WyCG+5RWwvYfg5tvfnXxC3bF90jA7XnWufghAuDx8opgMpS5K4uBgLgMfHlLNjcgwuyKWpmT4DKSvoQ91gGveAd5qA6XQJAytBUZjqK3O2D5hdKo6uIR+eC9SzzyI+JsvqQpOje9UqrxRmjjtJGm4cggOoMUaDrFrK1RHBIdD2F6Ryc6BgRxC4vknwLJ5ZK+6De7cRf4AO3schVEYWPO7Bba6b0IiDNZySb5qHhLhE0ZHwJiyqsfeeAHpJ++Ffnh//U2DSgux1GhI08B0Tf30WhySKhlHjuOddOUNieokESlpyI/zGKDFu88wSg7gFuQ4GxzYhEdp8maetPwn5gv1fXnGwLNjSD7/CIy9O5C94UMonnsZSNM7ShphxBcpr6PcWO40nqNpEDhhkL/hW+kCx2tI9yKskmbTgWtg2TGknnsIyeceUQtt2mI5pY2v66qtoTZ7LrR5C6HNmQ/ePwieSoOZMU86IaGaLIvsOMTwENzjR+AeOQT35HFQLgu4rq+rTUPEkncKHrPyRPeoKMLyxlV3h8Iy0mSmCZZMg/f0gvX2gyVT4GbcWyhCQBQLoMw4xPioelE+57WKlJ/nfJrG1d4EGQd2o/eu/4Pc8UPIXXkbRLLXr/nZfpSfK0GBK8Jo/TrBSxjkSRit5JDwGi5VdRC3RpJNDIhDGz2B9CM/Q2Ljs/4xXoMsfEKTpKAvPxPG6rUwVq6GNneBWuxM12ufgEQgxwblMnCPHoK9cxvsHW/B3rsLNDY6MaZakBuUBKAlPK9Kx0CeZ0dKFnXZKuTcyQOjtw/6omXQV5wJfclK6PMXgfcNgMUTgKZPGNSp9BnHARVycCXZHjkAe89OOHt2wj18wCNcTDNnXAPPjCH92F3QTh5H5taPw+2f3RG7hvCTMaoXdmgctaT2RhDKUuJ1HIQ1P19jO7kihPDZmoPRoJ08ip4Hf4T4Gy+eOrUqwV/s2tz5MC98H8yL1sFYvFydjg1BEqZhgvUNgvcNwli1FnTtrbD37ULx1RdgbXoZ4uQJf3zVJ1qpADlAS3aINMgjCkkY05KFlKB0HdrCpTDPvwTm2osVYfDe/pofU+tEcrecr0QSfGC2Iuf4uhsgRk8qkrXeeAXW5tcgho7Xfn7y966LxCtPK7vU+J2fgTtrftslDQrYtVqSVlo5xEsIzejZSuBJre/lBbY0fenGwDi0kRPoeeAHHlmgij3Bf8J8YBZil12F+JU3qcUeiAxYGkq6F+Y5F8FcfT7sq25C4bnHYW3cADE2XFPaUQbRTpBGiSwK0/2d8OZ56QrEL78WsUuuhDZ7futzx7kij5h8nXcJnIN7UXz5GRRefhbi+LHqtiHfUh9/80WVazL24d+BOzivrZIGTQTvBSdhKKm/W+MwJJO1Iv3U+qhSSZq/dP2QCy47hvSjP0f8zZerk4VcSJoOY835SN72YZirzlMnZWjQNBgrVkFfvBzW2ouRf+Qe2G9vmdh4lVDyoijSaFO8hopLmS4UWbhgPX2Ir7se8Wtvhb5wSTiWWk2HvvQMNWfmhZcjv/4hWK++ACoWKhOT/5xjWzeix4xh/IOfhds70D7SULEYwV5yRkgYTVcKn0bCCN1xrxorW0g+/QASG5+pboESAizdg8QN71cvqWO3C1JliV14OYylK5F79B4UnnnMM/ZVOZmleiJ80ggv5dDDtDYLf2HoZ6xG8v0fR2ztxYDeBl8w12CcsQb6ouUorjoXuUfuhnv4YJU58yWNTRsgUmmM3/EpkBlvm/ckhMoY3hJukTPCkTDk4Fr4vtPkC7XlmcXeeAHJDY+pFogVT27XBZ8zD6kPfRKxy68Da8eCrwA+OAepj/w2+Jz5yD/wc4iRk1VVFBX7UAzX5arC16cjC84Ru/gKJD/0SegL21/mn8UTSqLR5i9G9u4fwN6xxX9j0qT46kni5afgzFmA3Lrb/L8JdwFShfSkltGimaCEcM6aFpms1hcLPQRDnkIHdyO9/h7w3HhlshAC2sLF6PnM7yN+1c0dI4sSWCyO5A13Iv1bXwCfPbem6KxUhZASNKVWpOIsqt3edzEnbrgd6c/8fkfI4hQYjFXnoud3/xVil1zhr9cKi0tKm8UCUk/eD3P35kDtUrUQAl8E4qYN5du3ar+oKWGEye6q72YOyWcehH7kQOWT2nWhzVuA9Ce+APP8y8IbS6NgDLHLrkb6Y59Txteqln1qMB6iAVDRU30qv+mTxfV3IPWhT4P39AU/gCagzVuI1G99XhlbFSod7ZxDGz6O1FP3gY8Ptym4Jfh1Xo0TG0FI37w1D3JtwggX8bdeQvytV6raLPjAIFK/+Tswz7805JE0AcYRu+waJD/yabBUT9WjXpKFCLhujEqIq3pNzwYUv/ompcKpsXURtMG5SH/897xnWk0XYBzmzs1IvPKUz7bhRgKFoXZ3r0oyE8E9F2rixcfBivmphEGkRP/ErR9B7KJ1nRplXYivux6JG+8ENKPqylOBXUGVgiCfLKqpIoJgnncJknd+ovGYlDaBz5qrbEH6spWVVTo/LUAShn5kf9tUk25DSN+647mkTSH25osw9+2svBiIVIxF4rrbur5/KtMNJG7+oAqAqmpQEHUGVNUBYXsSRuU3XWiLliH14U9DG2i6aXhboC9ZgeSHP6UidCuSBtegHzuIxManPWP4DEOrmaoIizCoSiJm10IFaA0hsWmDvxAmSRdCQFu0FIlbPgwWT3ZqlA2Bp3uRvO0jyntSzQiqNnqrtgzyCgZVfOBSKosnkLz1g9CXndHijdqD2NpLEb/65uoSBEGprPqRfTNOylCPqEWtpCu/cS2yCUVzZIC5YxP0Q/umGrTkojdjylinL14e6G1HRkawb98+7NmzB8ePH4fjBHtqGSvPRvyam71AskqnC7VuyxCO3560EohUiHzs0qtbu0kFjI6Oqrl7J+i50zQlRRpnrK4iZXgG0PhbL/mG5S5LCa6Fri0C3EJs1XQfDTIhx7sgA8tnEdvyKphdnKpuCAH9jFWIXXplILdzXRevvvYaHnzwQbyycSOOHj2qftff349zzzkHt912G6675lqkewLQ9TlH/PLrYb36Ipw9b1cM8yzVHW0qArSWdKEMxLPU5gtKKpPz9PqmTXjggQfw8iuv4OixY3AdR83dOWvW4NZbbsH111+Pnp7WjKp8cI6K03D27/GiQSfbs4SL2LbXkb/0eriz5rXB1986vPil1scZCmEIOpVt18wQqUbmTUDtFU6BcWXEMva9XcEz4kkX8StuBO9tPYrz2LFj+Id//Ed857vfxf79+yHc0/WBJ9avxw9++CN88AN34it//MdYu3Zty/fUZs9DbN21cPa/U1HKKBUrboYwSjVMq8G84DIVWRkEhoaG1Nx9+zvfwb79+xVRlEPN3Y9+hDvvuEPN3QUXXNDS/WLnX4bCS8/AfmOjV7OkHGrNHFA1NFRy2oyAH27eYopKeDaMkEpiNVBPpk4QzD3boY2PTlVHhIC2ZDnMc6brQT09pNj89X//7/HNv/orJUpzzqEbxukvXcfo2Ci+/8Mf4kv/8l/i1Vdfbfm+ErHzLoM2f2FVW4ba9E0wu5JOKl1SqnG9fYhfdrXK42gVkiy+/ud/jr/85jexZ+9er0BThbkbGxvDD3/8YzV3r7zySkv3ZOleb/ymWeFNpqTR2M63VPe0MBBk1XAEKGGEQhiixeSZWp/lQQTET4ApF6r5zraqVnHz/Es9q3kLKBaL+G9///f43ve/D9u2oU0+scpvKXVkTcOzzz6rNsmhQ4daureENmc+zHMvqvp+1Y0/DapKF0LAOGtNIIZOx3Hw37/1LXznO9+BZVl1zd2GDRvwta9/XRFzKzDXXOAlxFUkWgZj305oYydDCeQKwzISRO5caBJGK3UJa31SYwEOmjPlHdGPHaygpwrw3j6Yq9e2LNK8/PLL+O4//7MiC16nZV3TdSVm/+SnPwW1+qQ1DcbZ54OlUpXVElV5trFLTjRlqnQx01RSGUukmh+zj5dfeQXf/d73YNU5d/JklnO3/qmn1Ny1AnlQyHmrciNooyf9mIzgt3eQV/QqQFIgtUJDocZWm8rW+mitBkcNQ4q2xw+qSkuVArW0+YtVQZdWIMXAu+65BwcOHKh5Ok4dGkOxUMBdd9+tjHutwli6EtqceZVFCWri9KnWd4XIK/oTgO1CShf33nuvslk0One2ZeFXd92Fw4cPNz8Arql8E5ZMTf2yfo6Jfmhv4EZPFoZKIhBIa47ACYOVJIwWDsVaH5WEUatnSUOQpHD8sGr7PzVTEdCXrlDxDK1geHhYSRjNxPpyTcP27duxa/fulsagrtU3AG3R8uriW4P9VE7v5Fb+BkFb4NUtbRWjo6N46eWXlXG40Q0k52737t3Ytm1bS2PQFy6FNji78vNzXXXgKO9awBs8aJnFFcHU2AjNhuG2JGFQVdKQUikPopWFH+qrDx2rnKilGyryr1WcOHFCuU5ZE0E+UgQfz2SUdNIyuOZ9n2r1MqoRQBVUDfiSUtviFV7tzRYxNj6Ow0eONDV3kmCyuVzLNiBVrHnewqpzow2fUAmLQRIGU1J0sJThlqT+rgzcIsBxRdO7WtSoecHlggwkws4rkqOyDyffy88bCeKUtG27paAiIYQy9gUBfe4CVYG74uSKBoQgqiEGapoq2BsEpGTR6tzJ+W8FzIypjNZq5fykOsvyuWDL6YWwMUsSRqujDMfoqfTP5hPRyW9IWwlywHoQRiZ5CasInh2vNADwZDqQ2Iu+vj4VSNSMS0t+xjRNzBpszUtTAu8fUIVyKzJ5g8F2Fb+OHxXLZ81paZwlxOPxlueuf6D1Z6jNnuu1QJ8MBvB8Vr2CROChAyS1p+p7qhGE5iVREkaTENPYMcyArNJSJWHFYgXaJa8dQDze8j1mz56NM888sykbhjwh58+bhxUrWleNJFgi5UVdVuOLejukqz+uXAxZzhlPB5O+3t/fj9VnndXU3MnNMXvWLJx5RuuuXXlwsIrxJEz1P/Gym1u+zan7Vasf2wLkfgwiZT60XBLbad5TIr+YW+OjkjBaHzjz+otUSjaT95Y6eACVtOQpecdttyGeSDTM8PLvr7nmGixfFlAOi2GCxWJV80oaQ+UPMDOuXkEglUrh1ltvRSqdVuTZ0OiIcOWVV3pk3SKUl6RKNzQmXM9oHiBUEe0Ar0f+fgzClxMaYThu835f8nWuajA4D6Qpi9/Su+I7rNTCMADcfvvtuPqqK6eEM9eC1N2XLFmCz37mM0gkWzcgQkU082AqmtcMlNECTf+//bbbcM1VV00Jo68Fx3WxcMEC/M5v/7Yi7FahGk9Vc+uSAFNt+1u+zQSCWdunIPeh7TRvUyxHaCX6pAgk9aZmv7pTI0Xe4EzZMVr//kFGjVbHokWL8NU/+ypWr14Npw4jnOu6Snf/8h/9Ea699trgBjKd3tGFOVTz58/Hn/3pn+Lss89WJDqdlCbnrjedxr/58pdx3XXXtW2cQSJwwhCehBEEQpMwXOEZPpvdj7UaFmk8IDsG95shV9gp5NiBBuRcf911+Ju//mtcdNFFE9Z/KWaXDLzyJRe7JJQF8+fj61/9Kn7/i19sKGBpOpC8n11FymmEO2s2jqkutTULqZb957/9W1x6ySVqzirNnePP3by5cxXB/MGXvqSMnoFANciuIuEwDtKMwKRR1T8kQL5gikSFkviDGGJoHXeEIBRtgWaTtD2vbOUMNsnApmQNu5XqLwQYBsgwp/IFY6BCHrCDK3zJGMMH7rwTK1euVBmXDz/yiMpYzeXz6tQ3DEMt9nXr1uHzn/scbrjhBpVQFSisQuV07YkxNnKxyuX2ySqqV5CQc3fH7bdj+bJl+D/f/S5+/fDD2Lt3L/KFgiILOXdz5szBussvV3N34403qt8FBbUWSs2wJ7+naSAzFph4xsGClTCYJ120EhdVjtAIQ0oHlt28ZdZVXdorq45yOuMab02ZkCqPYYJUvkOFhZ/NQOSzXgXuAHHOmjX4q29+A1/8whdUFOLBw4cgXIHBwUGsXrVKqS2t1nOoBpHLAPlsxYXfSE6f97eVS/JTMa/mLgysWbMG3/zGN/CFz38eW7dtU0FZruNgcNYsrDrrLDV3vb2tReZWghgfAVWyP0npxoiBAqzCJsmixZU9BXIfBhEWjjAJQ6Jou2qgzbRoU7EcRIhVmbyYzqFx1gJzeg9bqHL3UxvYUC7rNQUKoXeGYZhKJ5evdkKcPAFRqFDgGI2bcxivQLOKMIpwh08grE4tUuqSxCBf7YI7dNyTMKYEDBIokYRIVHZVNwOtxTajkyEP7KJ/cHdtX5ISSqJQs+O0a6jCMc6UHaPp5yRPB92A0z97qtKoFn4B7tHWU8u7Ce6RgypuoCJ4AwuqViii48A98i6aN8f21kG1Eoc9faB4ZSm1GQSWJ+XDMw0E14QmPMJQupPwrLNNzoFTI2FG5wzxVg2CmgZ3zgKQXiFc2nXh7Nvd1q7docKxYVepugVfYmhUwqgIqUoe2BO4HaNTcMdGqhMgg+rsTvFEII1E5LkVSBSzD89bSbBrnbwNIjTCYH4sRdFqnt1cKjVfroyE3rodw5mzUImVlU4IZ/87EKMnW7lD18AdOgb34L7qBs8GuVf9faVLMQb38H6Ik8ebG2iXwT18AK78LhXKN4LrsOcurHzgNIHADZ4ALHlou40f2tW+TV2Ewb1A4IZnREoHRat5w6cKOKlho0jqvLV4DBKqJqMzOHfqA+cM7rHDsPe1nlreDbDfeVvZMCoaPHkThMGrSBmMQQwPwd69o/nBdgvk+nt7MygzPtV+IdWReALuwuWBuVQ1HjBhqP3n2REbvapV5QN1EYbhcilf1nPUyl2Xm0gFIaDgD7gZqJBWUT2k1VBqSQtCEhFEMg17aYV8A8ZBuQzsLZs8g9cMhlQP7M2vKQ9GxcXdBGGoz1RMr/DsP/bWTTNeLRHjI7C3vVWl6JCAOzgb9rxFgfU1DCYL+xTkqApF0YxWPUIaq+jqqpMwjBwx8bi80DR/egxEvwQwqv7FgIItlC2jWd60aqRdS+kiaWitqSWaBuuMcz3X2OQbEWBtfhXOsRaqNnUBnIN7YW17s6qRQm38JiaxImF478Da/hacQ63V1Ow07Le3enasKgYbe9lqiHR/IIFqQdsvAC9DtdC4ScAG8JhOOFHpzboIg5mcOMQDAP4ZQIV8cAVJEt8WjH1LEYe/Bh1HeHaMFiI+p1NLWrIsE8FZuALOvMVTDZycwz16GNamF5u/fqdBAsWNzys1oWLxHAbwJn2gkjAqSiacK/VH3jeUrsJtgJTGCi8/4wVtVSjfKA+Y4llrg8nNUd6RoPKjPDA//kK+Jl1WHvoVyUB+BMADxPE9GGZFd1pd3/bqtUk8+MaRk4LjLwzB3yASt4FjjhoXKfvGEU3Dr/NW/m5dS0hK2w5AOcrlHswVBXqbDPmUXGEJQkyrPJkJjSOmcWQdtzlOEgS3bxDF1RfA2L9r6vuui8ILT8G88HLo8xc3c4eOQp6QVmnjVliQvNqmrwPKjmFULwYs7+tcdjX0Sipfl8Paugn21jcqx2kLAXvhMthLmitbUAl60PYLBuQtV3lJyiBH+6Cu4Veuy24HaCUYvKdPGAPYc4LhJ2u3D+1d+rHKfXDrVppm9Q0grsWHfvXU738bXPuiS/g0EX1KEH2aC/q/bv4vqe+lEulRjXgewGvlhtZ80VXiUbOwpnGvplpSS0idiMVzLobbP6uylHFoH4rPPz7jGvCSVUThmUfhHj9aVbpgZouNbYwqn5fzdvwICs8+BgowxL4dEJkxFJ5+xDN2VmidKaWK4jmXQPQOBOJ2Z2HYLwSQLziT+czSdbxwy9pZv9TA/zUj+jTz9vCnBOFzFud/Y2r63l3nV6+YVvcoL18Ww83npHHHVf8RmqaN6oZxWL4M3TjMNGP8l/8auHHNADbtzbnEaOOEvYN5npIKolHdcASpVzX0GLw1/U+eGAuWobjm4qnvqRrtAoXnnoC1/c3m79EBWG+8rLp3VYOULJpVR+q6BhEKLz0N661gGjK1BUQoblgPa8umygZiqcLOXYjCuZcG6h0JOv7CdgXyxSlkNuw6eP3B14R8aDndMI+qfayrvXwyGU+4N5/bhxtWVW8P0bAC9pFLaoczX3jmIBwnK1WSPQAGmF/tR4pHyXhzsq/rqyVmFbUkrnOlmoyJJtUSCc1A/uKrENu6EdrJE6efyIxDDJ9E7td3KbWEDwZTgi5MuEcPIvfI3d4pWSXAjbcoXSgw7zrCruC8Zxw0Nobcw3epRtZB1EgNG/aurcivf9BLPKxU14Nz5C+4Au7sBYEF9emB1Xc5hYLlVjqkd2q6/vbt5zYf8Bh44NYt5yblxj4EwqbSElJ2jLzTUiOVYg21RGMMabNFbwkJ2IvPQOGiq32ymByXwZVOm33wF6BCrpU7hQ4pUmfv+ymc3W9XJQtm+IQRAJhe41oah7NzG3IP/Ey5qbsZ7omjyN7zY2XorkgWwoW9aAUKF14VaDq7EbQ6QkA+707Os5K/ftkGDbVy7VAiPdOHZ2XB2IuS6NQvGJArui0V8bCnUUvShqZS3lvJLYGmI3fZ9bAXr/Dy68shn6wUV59/wjuBWqhmHSbIKiL/yN0ovvJc9T9igBYLtOMkeKya99G7SeHFp5F77F6vzkgXQpJs7v6f+obOCl+ECBSLI7/uJr9jezDShcaCVUfgR1hnC+5k+0WGAS+OpvtbegDhVNxKqeTxlwAcRZmLJ190myZmyRWFGobTmMYVabQEIZSomb32/aBUeqoF3M/GzD30K+SeerDrFj9ZBaWG5B9/wGsSXGWyJVmwgNNJlS0jVu1NBlgW8o/ei/zj93WdEVRKPrn7foLChidr/BGhcO5lSh0JEsGVm/TAmBfdmbem7LXdBGxKtpgkFwphvO9KBo3FdvpqiYIk5EzOaYmYpVpSLbdEzk2fqbXO1lKKWHMpcpdeNyFVnAbuRYDm7v0p8k880DXRjFJNyv36V8j/+i6/SE7lR6tiJ6pt7BYhCaOqaiLnLZ9D7v6fIy8ljS6ZNzE+guw9P0T+qYerFsmRqoizYAly197pZaYG5EqVS9VsJVK5EgjI5it5JelVXdMOfHhZa/cLLfmMZ90MGJ72I8cUcgXHi/pswVtSrCFlJHSOtK61xqG+6Jm77gMqNqPi4mBcGRNz9/4Y2Xt+BDE23ModW4YYOobML76nJB+5KWslmGmJUJqN+zcAeLxGXIcKt88id//PkL3rBx1P7HOPHEDmR/+E/PpfeypmRbIQEOk+ZG76qLJfVC3V1wR0zlXAVpCQeySbn+JOzRKxZ5b05ls2IoVWQIcl4gKU2wAmDgJYrqRSmxRpxJqstahi411CokpBb6kPSilj3HZb61QtVZO+2cjc+jFo4yPQD+yeagSTJ2ahoMRs9/gRpN7/MejLz2r+ns2ACPbOrcg98FNYmzd55FbNgMb9zRxqyaRTpOTkqjSXkfNWLCL/+P1q3pJ3fhzGilXhDmoyhIvi5teQe/DncN72e69WcaGSYSB39e0orn1f4EWSpXQRaKwWAwpFV6n+p9unaL8Ae/Gk1WzBzFMIrsLsJHzvH/4Sn/vDr+YEicsAqFbewu+50JPUm+4dKfy+JNVUD4Mz5Byh1JfWvCYE0T8Lzqx5MA7sBs+MTj2afZXFPbQf9va3QCRUlywWC6YtQC2I4RPIrX9AndTOnp1+FFaVb8y8TVzVxhAwmE/oVM0uXJq3wwe8eROu6izfjnlzjx1WRuHcPT9Wz00RbBWygKYhd9WtyF7/4UDrdsKXLhK6FngP1eFxC+M557S1T8B9RZg/vPWcvpYt9aERhsS/+PzXiw535oDhRjlHzDdeppM6jCZ1N/LrHsarxGSUDEiZFupwnLoZqfR3t38WzIPvgGfHKpMGY6DMGOwdb8HZu0v1NNH6BlTbwKAhxkZQfPlZpXcXNzzlp17X6KEiySLuk0X4HRVO3VavgzT8eXO2b4a9d5dywfL+WeHM2/AJFF5Yj+zdP0Rx4wYvR6Ra/xRfUstdfgOyt3zMq/sacE5MXNcCt184rsDx4aKS5MuWQ4aB/Xe3SK/95H//fy3fI1QBVTMNQaLwNIB9AJTcadlCGT8TZvNcVXAFkoIpaaISegxNhYtL1aTlPUKkwoBHDRO99/8A+qE9VQN6YNuw33oNzq7t0FechdglV8BYvRbanAVgRvNBD6pc4LHDsLa+AevVDXD27lRivdfKvsai4z5ZBBGg1QRKEo1bqNH7UqooTmnetkFfuRqxi7150+fMV93amoUkBffIARW1WZTzdmCP8taoPhXV5o2EKoiTX3cjMjf9JkSqL1C7BXzV2Qw49kISRC7vqujOSWfHVsbEC0YsHgjjhb6MHn0rkxSi8C0ifA4+efekdCydn1Qhsc0ibXD0GtUnfbjo4FC2GFxrEc5h7tmG9K9/CnPXVu931U51+SVJALqpRG19+Zkwzjgb+tIV0GbN9Xqc6vpUyUB+TriqQjVlM3BPHFFl9ZydW5Xk4p445hnnqonRZVBuznhwwVmtQFiAyNeRBa6+v1AkoeZthZy3NdCXLIc2a55qJM10Y+r3l5tcdeuxIbLjat6cvbth79qm1DUpXXgekGnmTc59IoXsVbcje90HfI9I8CUapSqSNII9q4kIh47lMTRul29qF6C/c3Xja3ee2x+IWyp0wti2+wT2jNPHAfZPAPrhx84vmZdAb9poWtLTGcNgrHoOiUuE/ZkixqwApIwSOIc2dBSpJ+5C4vUNYMVC7RO+RBykyl2rjvCsvx/awGzwvkHVtJjFExP5KlTMQ2TG4Y6c9Cp8jw57Xg9lwcf0C94HMzzJImwDZyOQqombr6GinPbH5fNmgKdS4H0D4INl8xaLn5o3KUlkxiBGhvx5G/HmreQmne409+/nzFmA7I2/gcKFV/pl94InC6ky95hG4Lkj+YKLvYdzqkJ42RI5CuCzMXH00RsuOjeYewVylRp4ekcBmczoMq5p3wdwDXw7xKxeEwvnJFqyEvcYXL2qQZLFgUyxZl3QhsE5WD6LxGvPIvnsQ9CPHT61maeDWph0Sh9mZVIK+f9XGmqp538jE+RHXFaPuuws5P4TBU/iaMh+WGnelJG3/H3/vxudN6lu6AaKq85Txk1rxdmnrhkC4rpUl4Nn8uPDRRwZKpz2OwIeZOCfddMDJ+88I5itHvoZdO2qOB5+deQgwfk1gMsBKCF5POeoiLREXGv62eRdQlyjqraMtKGh19SUehIY5IkWTyF3xa2wl56F5IZHEHtrI3hufPpFWmsht/I8mZ/PEWs9+zRMSBJTcSA6IIp1ShuYZt7Q5Nz5a86ZuxD5992A/KXXq3iLMKvEa4whFmDryxIcR2AsY08ueZJnhPvStjZ8dUBkgbD7kpSgxXWHET0MYD/852vLL5m1WyJyRxDyNfJTJI8Mxg1FKIGeF+TVDbQXr8TYh38Pmds/BqSCdbvVC7n55CbUUt1NFhPws1vleBV5hOqnqwGNoXDRFRj59B8he+0HfONmuC0lTK3FMgwVIK+WyTtTQsEJ2EagpygdjLGzhLYQxs3npJFnsc0EPDohfBMwlnVaqpMBX8qwpinhJ0kjFN1LCIhYAs6KVeADCegpUpshdHWA+XaKpE8UscCSJ9sG5geSTRBHk3VFG76vynkhaP0GCu+7BvayVd6NQ7BXlENJF3oI0oVLGBm3J3OdlN0eEpq265o1wbqo26bpfvj8noJLdO9EvU/m5eyP5+yWDmaXCDmnemVxiYGYrtysYZz/jAjEuYoI5GWbWG0CI0DyKKkdcUBPea9utVU0gpI3R81ZEuEQLj+dYOWzQUxXwVisTRXhJVkE3dVMXi5bcJArTE40o4Mc9P+z9yVQclTnud+ttbfZRyONdoSYRUIImc2WhYUWsEViHib4OAbs45N4g2MH85I8h9gJNjbmxA7BwHNYEoixXjACO/HDBssGIctgErMaSSCBJCQQQpq1Z6ant+qq+nPurapRa6ZnNEtVd8+ov3OaQV3dXcu997v//v9cVzXfs/yKZkd/4JXX0SzNeZ5Av2XAlfx+uWDA2bEmqkJRJj9LMpaNkDV6MBdXSRpDKrKWPWaK/ORAjkVdUd2oMjdoiS9uz9hvun8tNx6BhtnUhjWpH2qMzNyoybxXKeIpigHhANIcCxd/Tvkv/szIHqfG55k7pDGeHSd5WXXGrQhQJafurN+wbEe6ME+MaiYi9mtbrX71w23+31/RCOPP37cct790sLddrvopGC4GUMvcep+JlIn6am3SEgDngKRpQ5PkgjVbOao0GbWmgu60/ynpxyff8HT4vMmKPKKwh/37+MePN0VmE29fOFMw4pnZJ/6FfdyphHyClfLIgo0hP/PfUlTxCvxemOMZ8builgjUSlnCfjHslztsSf3PS7u1tK8ndFFUT32jHiPLYk/LoP8CsAlu2ns8kRP5JVORMgyLkLZsREf5Df5QG3QV6ZyNwclWGC8Ecnqb2OOJSGQjJ/IpyAcTAztOHj7W+xESISf6oME3scmmQYwFLl3EE4awYZwY+seelmD990+bKZDZVVQN+FNnzuKyejeBHvH6mzhBJyYGUlNzffLHkzTH7mGiyQyzwuqobthJn5tLGGqoFE6SCiYFR410JIzgBk1mTEgXfi9bLwx8cOSa6QHhkRfS/xa/siWYrajoJjNNVYmBPQngOe89i4D4gCH8yVO5Ta7LDZr2mOHgMU1Gg69eEwJJMkgtUipoBb7A5iqkrAbGF8wN0vLbjQq3o1nvgCGaLJ9o68R2yWK/ba3a6Ps5PRSdMC5uj6BKo6ME/HhIyoBT87M/mZvy+GVMGrOUHz9Xva6gWvNRGxNeEr2iX0wXEECqJog+KKiiwZb/v+/FXQxPYQfQZYMeshQ5/ollK30/r4eSOOWYotlkS79kwFDTDLKB3oEcjClmmDqqiT2masJZf1ZEFZZrf1L4ZNiqXtFIphFIC4FkJRCVhKsiYUUJJDbGdKWLYSX4bID9GjLboanB2mVKQhirz6iBoutdNrDZ6wrvVQuKD0xdyuBkMZgbvS0B3BaLUy4aDHe3kpiYgBURY5qAwZEIfU4xR8CqCP/FgWQOydSIAr8dJNPmTX/fEN+4LOL7efNRsrAfRVHIluwnAfzKczQSHI/JyECUiSNj2UgNbxUw/Bok5sMSJ6fRkRaafuGWpyiEZ1YNJupNV+RAIjpFNfCcjZ5+Y3gypc3A/r+VTj7zr1uCry1bMsJY36Lj0lWzemyZHgRwDF47AtN2RK4pBlgJ1SQ3etFgcnu2+lT/2fGSCMKoKCblDybGi7iE4eNwKZIUiFcEbipFPGE4rTpOPHSACJujsfrU57T6AM58IkoaWPzi8zaytvlbEH7qFPtwxa7BHBLJEUadCYMzcSJnwyyQ4ZbK2Rg0pn4OAS7iaq6IW+GL8ofEYIt6GgU63E0SMmOIBBD+Dc8pkDbRN1JdN8DYQ7KivLSuvcr38xZCSQnjvPfJqNGr0mBCytjjvW/ahJ7+rJA2pgouRfQbtvCccGGDk0jatEXKu19h4kLE1ULTP7HjlAANSRi+tTt0q2gFEaAFN0iLqyLGyLCDVxiZD8mKVrQmLyWf4etbY0jJyk4C+zdOpHAHIJm2hGriB7haEjcs9GT4y0afYYMxyVdd0xFxS5WrXcG4QQAxyVcjtSjoG4DdwkP/YA79yRFBWn0g3KdC27e+Lfhq6x5KThgc1aqSY8zeAhKNjwSEAXTAEE1Z/NgIuFbCVRP+IteIFPaxcjOpuqMTV1D2YJLkmxtcl4OzW3htD7v7jeF9dvgk3moy/FwOKUVVgstihm9srcLL/z54hGT8AMARDBlASZQey00xAnQ0SFzvVBVhrJoqbE0XzZwrRozyh4jM1aa+K6uSM3/8TizzYFmE7r6sCDcYdoa3iPCDJWc1dK1tLY7twkNZEAbHBZ9pgpKj7cREBKhIKeUPKZE2haQR1DIUxip16sYqUriEUQZVdwOqRTmT4NQvmVrqtyzIQg2MLLyYi77BEapIhoh+OCjj+WMHit/UumwIY0N7FMbsZNKycB/Afu+9z+d/T78hEm2CinJQJUkUZp3s4DMuIXIRVy4tYRBjhdPsK8gDifYOthqa9C/wzSUqJNPgyCKdtdAVHxHRyf/xNDE82KA3GOuXFj9/qWwIg2POW4uQaIjsJ6K7hipzuapJZzxbyErsG1RZEpLGpEjDbSPgFNEp0WJ1i8Jg1YcgzV7ge/MdX+D1fi2xrYcT+2STBT01Vg3wHiyb0MVVEWNEAONhEO5sjpnvrn+jLrDzj4WyIoxzLmSoZhoZdu4JG/SjfNUkmTaFPjelJssngS7LLmlM9JsEW9acDMgSgmwb0qJ2hC/7LOQ5iwIvajsh2DZYrBryuetBsdrAa2iOCU6sqoaJloaWhGThf4vD4egdMNA/UhVJA/QvhiJvz7II4bK+QK9hNJQVYXD80QIFkUjVIBjuAfC7/GPxgRz6T+zs5DsEaSjKxElD7FqlIwzGGGwzh8G+OOQzzkb4ii9AXniGK2mUWEWxLbCaeoQ/cg1wzkbkiJXukrgkpihuo6Lxf01ybV1aABmoHkQmasos5BXh+JUF9mCVGjLev6QmsGs4GcqOMDgubovByDUeIOB7AA5575s2oSOeFYVPAyUNt5XduNUTkYA2eTHXL9iWhe6Oo8jlTChLViDy8S9BXX6+E1BWClXJbX0oz1+KyJ9cB+2CDyOZSsPIpEuadsMlQVsef/EcjyyCSFf3wB9HNmejozfjVNI/8fAek+F7lx5qOLyutXgxF4VQloTBUVWVhUzSNiLikkYS3kM1bHT2BmvPwAnqyXjOQqLBr62GSpqvKoHQ+c4hpJLicUFuPg3hK66FvvpSMD1cXLuG6CimQF35QYe4lp0v3u7p7EAunS5pop6QBMdpoC4GWcC1W3TGs07i5YmH4jZwZ5ZZzz/TWrSAzlFRtoSxoSUEPRTO5oD7AfzHUK4Jc7qm8Yc71QS1k4FPkqiqjMvl6kQPllbCUGQZx94+iK7OjqH3pJpGhC79NMIf+xzkuacNNWEKDK5UITXORXjTp4RkIc87XRzK2TYOH3wLOSMjVKhSwYnKVU4qYHjekKDJgj+y7v4s+hIj3KQ5Am2WGB6OhKLmh9om79nxC2VLGBxr28KI6OFugN0G4Pn8Y/EBQxiHgha0NVkaH2kIwiiduEguYaR6OrFr56snXpqqQztnAyKfvAHa+y8Bi8ScRsV+EgcnIssCC0WgnXsRolfdAP3Cy8AixwOLEolB7N/zGmRh8CwNYTDk18IYu8hSVFMCN3DCjbfo6TMKDcdvJJvdqYYifZvOiAV+HeNBWRMGx8b2GCLM2knALfn2DC5cdMWzGEj43zZgOFRZQkxTx3alMSYkjFKaF0VncJjY8fQ2ZLIjg3qEivK/Po/In14P9az3i8UtVIepeCxs2zFqhmNQV64WpBS+4jrIC9tGJOO9/fYhHNyzG6EAmhFPBLY2dt6PJkmIqScZbx/gef86ejLIjWz5+RqzpVu+c/bLBza0BFsUZyIog9DEk4P0KCnZ5JMmSd9nwDe8niamRcJIpCgMsbAS6GL1dpx0zhQNkUaAsZIX0SEQ5sRCePm/n8Ou3btx3jnvG/EZpmhQ28+Hsqgd5oFdMHb+DuZbr4ESfYBl5jU+LtAAeXgXdVWFVDcLyukroK54P5TFywRxjIYdO3Yg3dOJUHstqIQRqU791cLjpIt4nODCvT3wX88YFjp6ssiMbBfaScB3SbJ/d8vrF2JNoFcyMUwLwljbGsWONwcNK515EIQFYPgSH1t+jD/sYz0ZzJ8VRkgPph2iB0+nlZiFjGnhxOZlDLYeKSlhcKmruSqMROfreHjLFqxaeRYUpfAQc1VBXbEaats5sI69jdyB3bAO7YXVdQQ02AfKpl3pw/2CxABFE1KJVNMAefYCyIvboJy2HHJDsxO0NgaOHTuGx372M6zRJLFzBxlPMxZI1PMMu56j48TvpaiLRLIijKFh8nmbxeBIj1+SiP1gkOUebQxVm2tK7BUZjmlBGBxrW2LY/maqbzCTuF0leSGAP3GnsbAsH+3JYN6sMDTVp8K+o4BPprBr00iZ1gkTn7yyb6VaDESoD2mYG9PxyKOP4sqPXY4PfOADY39J1SEvaBEvyqZg9/eC+rpgD/SCkgOAlXPuSQ9DilWDVTcIQyqrqhXSynjx2M9/jl1/eAVXrVkKmWHMequBgjnFc4gLUO41iKK9RfCEeBAekd6ssF0MI4scQA8Rwz21oVh6XWv5qCIepg1hcKxriWDnS5kjR+TkzYxRA3/Ls54lUqaQNJobw0JFCRLMjdWQJCZUFK9CubC+MwmMzJIY9cjdJZfNqsHW3+3F7XfcgdbWVtTXj690G9MjkJsiQNN8X69rz949+Od77wUzDSyujZY4jIy5xmlnfLi0E1FlXzKWxwNbkEVGGO2HHyLglxZwa5KqOj/RWp59bsre6Dkc++vSqIprrwHsGwB25h/rG8wJm4ZlU1GWK59sMU1FSHbEWFFYVpJLGljJd+/ljVXQdRWPP/EE7rvvPuRywRuGR0MikcDt3/8+Xv3Dq5hbHcG8WKh00gWcHjK2FnIkRUVGTPOnvMF4wCXA7r4sevsLePcI/wXg5lmmfnBBrPTxFqNh2hHGFUvqwOo1MiPaszbR3wPYl3+cM3dnTyaALu2FIQJ7NAUxVYHERd0iibWjgd91W30Mc6rCSKXS+Kc77sC/P/QQLKv4yWiZTAZ33nUXfvzww+LfS+tiaAxrJTR4kpAAZT0kxqsYxs2hMwuyMNDVZxQgTNppgb7WFDNeOlCfweql1UW5pslg2hEGxwdX6ogylWSb/ZKIbvaK7sBdMD2cNHozQvwrBphrXQ9HIq7xr3RbKL/l+VUhtDXExG7a3d2Nm775TWzZsqWopJHNZnH3PffgtttvF8QlyTJWNlUhpARrYxoT/MSSDD0cDaQVwKindUs0dMWzhebkARBuSqeSzwzaNbjqtKaiXddkMC0Jg2Pd0hD0cCRnZ9gjRPRtAEPhjd4AeepJsSCpOpgSXL/O8YDvZDW6igua64QrmC/Uw4cP46+++lWxgJNu2HiQ4CR1y3e+g299+9vo6+sTRtO6kIpVTTWlb/WkyGCinmdxBomPR09/Fh29BSOT3ybQ15MmfhGLVdtrz4gW5ZqmgmlLGBwXtUcQqQkZKsk/ssn+B9G92oVHGp1FtGmILu6lTnF37RgfmFuPhrAuJqwsy8Kt+Xc33YS/ufFG7Nu/P5hzE+Hll1/GX3zlevzjbbehf2BAnNsmwhn1MfEqbUEwEqntIpekCNdxfA4WlCze4xudRew/6mNR8yNnBd9TxA9Ma8LgWNce45JGyrJy94Lou4VIQ0TSjdGg2R+Qo46UQcUriwjLZ1VhZVP1kL7MF+7AwADuvvdeXH3NNfjX++8XJOIHOFHs378f//Dd7+KTV1+Nh7c8AiOXgyRJLoExfHB+PZoiWsniL5wLdWthKMF7IPh9dsczo0kWRwn4Zlqy/l8oFDHWtZWf+3Q0TCu36mi4sC2Ep/b0p8xs5m7R6JSx/wNAUDafn70DhohgntMQgqpMtGzK+MFkRRRmKTX4PdfqCi5e0oTt73SLycuEg8DZH1548UXs2bMHWx55BFd87HJsWL8BixYtgq6PfyFxkkgkEti7dy+2bt2Kx37xC+zevVsQhZxn+OWfa4zouGhhoyiaWyxj9KjXrWqgkwSZTQXMq5gVzzp1LUbe7zGb0a2KxTZXRWKZjWUYazEWZgRhQOSc1GD7nv5ENpv+vyCZwNhfA2hEXps5vnA4aehBBHd5u5eql00h3vULG9BaH8NrXQOiaK0HRVGQSqfx1LZteObZZ7F40SKcd955uOD889HW1obmOXNQXVODcCgEVVWFsTSbzSKVSqG3txfvHD6MXbt24fkXXsCrO3eio6NDfIYThTzMS8Sf+bnNtVjVVD28J2gJQI4EGKBhOifKSWacxMiRpzgC4FvMZD/SI+H02tbyt1kMx4whDI6d+/fjzCWnJ7NG7p8ZkGMMfwNgyOzcP5gT7N/cEEI4gDBykuWSp7h74Dvb4poILj19Nvb2JNx+X8fBpQ3+Mk0Tb+7bhzfeeENIHDU1NWior0ddXR2i0aiQOvhnOMEkBgbQG4+jLx5HMpWCbdtDv1MoBJ0vmIiq4LKlc1CjKyWXLsRDUDUwWfV97EXt2ZyNY70ZURWuwO8fBti3sqa1OVoVzaxtmX5kgZlGGNd/9Bzx9+m9ycHBdPZuldlpBnwNwFDoYiJlwrLSQtKIRfy8facaNXzsqDXFqxEqwBUtzXhs/zHs7U4UrHLNGHOkAlkWBMAliO7u7sJSEmPi8/zlEcVY4BLF+XPrsH5hY5kIXeSojLL/wXWprOnkhqRG1OLk2E+Em3Ky/JNwWDc2TlOywEwwehbC+rYoYmE9Y1nshwT6WwIOeMe8Eu5HOtNOc1s/J44kl7xMXz64NNVWH8XH2+ZBkU+uhnlEwKUFRVVHvhRFkMvJiAKuKlKtK7hq2XzMjuploI44IC3kezsIvgm925kWfwtgNxF9VYL5aLUeMi5ZVh51LSaLGUkYcEkjFI5ksoweItD/BvBK/vFszsZ73Wl0xTOi98OUZQK3ZydKnOI+HBJj+ETbXFwwt66oMSn8VBef1oRNS5pK7jUaAh8XPj6iFsbUrom5Bt3efkNsPunsiJKRNoDnQOwv+tOJn4XC0dxFLaWvmDVVzFjCgDCEhlEdiloZK/W4CXwFwA53IMXc8eooHu3OCAKZYu8zEVnppE77dQdTB9/ZF1SFcO2qxZhVpJ2eP9cldVF84ezFwltTatPFCRiqtjV58LmTs2zhMj3akylUX5aLGr8khq+8p9T/prG20S52S8OgMKMJg2N9SxThcLX1R8sHfkvAlwh4lAsY3nHPg3K4IzWaSDl+8Jmkh9xKU+WzSvhO+JHTmvCZFQtFwlyQV8ZVkSpdwZfPWYLz5tQUVaoZD4RKwqZmw0ilHZW2q88JyBpezwIMPwLh+tnp9AvNGmhje/nmhkwUM54wODa112HrgTmYk1V3G8T+CsDdAPrzP5NMW0IP7Sk8CcYJJiakUxPDr6ufOkiUnWP4/MqF+OgZcwSBBHF5nHxlJuHTKxYKNYiVsP1IQTB3fITxd2JXxtz7608YeLczhf6kWegnugH8k2GzrymKcqCnoRGbWspI3PQBM8pLMhY2tUZwV2cvVnSZ76Zz9A0myQdB7AYAi+EKB1y0PNqTFUbRWXU6QtoEXa8M7oSUyq5VIVdFZkd0/N3qFiQME08e7BT2Db+ms01Og+I/bZ+HG85dgpgql42h0wENFQJy9snx1zFlboUsvpn0DuSEe7jAc9sLYt8zrNzD1ZHq1EXt0ysga7w4JSQMD19uqse+dBNULdSvEt0DYl8B8Pshu4YrvscTORzuSIv6GnzOj39ReUa18nysfAGfXhvBty5sEwZJclUIP35XlRiuXjYfX1/dIlLYy4ssXIFCVHYPjXtAvY8Npky825EWqekF8pIsgG2XbPaltK5sDumh1BE75fvllwvKc2YHiM+dy7BxWS30cMTY06k+RoTPAXiIz4v8z6Uyjp56tCc9IYMoO0lF6lKD747t9THctm45rlm+QNSwnOziJvf3miI6/vKCpfjGmlY0R/XS5ouMBckljHGMJhNRm7ZIXjzcmUYiXdC+xdXafyGwaw+dZWyLauHcJWfW4urljUFcfVnglFFJhmNNSwxP7UkT2bTLytl/DWa/DtjXAmwB8rwoPX0G0hkLjbU6qqOKKMs36nogcuIwZM9tV576KyeIRdVh3LymVVTnuv/Vt7EvPujYIKSTqymcEPhLV2SsnlePL65ajEsWzxI9PMpOssiHdHK3N3PVq0G3+bcgikJSJsN+EO6CLW1WdSXevjeMC5eXPo8oaJyyhAHX7crx9K7+Y6k0u00OYScj/CVAawAMZSglMxYynWnUxlQ01GiiOvmoULlKUv6PlS/supCKL5y9EGvm12PLnvfw60OdONiXQtZ07C/568rjAYkBtSENZ86qwmVnNOOjp89Gc0wfIpGyBpf8+PiMcp1ef9PeAUNUbssVjs/JANgGYv8oE3tWCYXNde3lVdk7SJT/zC4CspEqhKRB49iRmscbmrreZJCuA8PVAGbB23VsEhMpmTEFadTGNFFs+MS550oYAWZD+glvga9orELrB1tw1fL5eP5oHC8d7cP+eBLxjIGMZYuQ8piqiHqcyxqrRDLZyqZqYUSFG3dR/iBHVdRGBk8JadIipwNZvyHUURSWD98j4AFidP/83tSh3rmNuKjl1CELlK3MXCL8+rWsKDWfysZjErFNNsP1DDg/X9ogd5eNhhQ01mqigZJQU+AY1aS+Y9A3fxus87AbUTg9wCeC7N6HYdkYNCwkc5Zo2sQJI6LIiKqyKMevuG0Cylr9GA6yQdX1MK66Eda8Fqdbm6t+pDKmIAonz4gKaSxZAM8wRncyQ3vSCOUy7y5pwBcjp97yqUgYebhkuY5HX9iJusjiwVd27f3Jme2n7SawzzLgkwCakeeP55MrbVjCrtFQrSGsK068luzUW5huU8kzYHIojKE2pAiVhQ0dJ7fpGSE3jXjiBLjlB7wojIxhCTdp/2BuKFqzAFm8Q8BmInqgoaHxrYF4ArVSCH98CpIFKoQxEh8/7yzx9xev9FAItKeXWV8Py+oOybKvBeFDAISD3RNje/tzGExZqIkpqKvWEVbKo4jOVEDuf4IJ7yoRyKmIRqqGrGGifyAr3OfZnD2aeToBYBsBP5AZns3AyBhZAxevmDlRm5PBKedWHS/+eFUD+vUQoqFIetPyHz5myezzRLiZgD35UT8ir8C0RQn5d46l0NFnIidNb8KYqbCYgu6ELcbpWG9WkAVGkoVFwB9AuJEB183pyT7FFDUzT5+LC08vn0zkUqEiYYyBy9ucVOQdb6QQSSQODyjybRroSTD250S4nAFz8z/PRdyujIUaU4VuuzPx1JRcyw6MgIytoGOAkNOs0YblEICfMOBBi+zXNcj24+vm4utllH1calQIYxxY2xrBjURY99qAyRheNixjnwTpcYD+DMAGALXw7BtMgiXrQgYhrwF6RY4rHcjtuWxBjAtJciGy6Aaw1WL0QzD2nCapab4wdM2okMUwVAhjnLiVMdzq/v+2N5OJeL/xRFi1f8+YfYkE9mkAqwFUC8LwXHfkuvzdNIaKtFFEUB5ZuLAU3Y3CHbLNxAn4jQ1sBqOnGyy1PxlTsWEa9AcpFSp73ySwoSWKpjodqqb0bNra+GML9FkQbgDYdgJL2uqwfAU+cS3nNZPsiOUKThLeKx+CMARzi5DuJ4jhy8xmX5zb9M5/arLW310lV8jiJKhIGJPEh5Y62Yj3HXkPp/WGjuy05QeWU+5XpKgflrOD1xGTzhnxJZc4OJlUJI4AYB+X6EbBAEnybxhhC9n2UwsPNnYebR3A0c5VuHRlZTDGg8pT8gEPPLUP85pnw4aEubduUuc1Nd0hkXntSb8ouTaOyihMDZ7qcRLpzdCqXzzSdsk1zzVf+cayBQYkTcG6ikQxIVSmqo/o/LOPgGy5RY7KWySNnT2uL7E80qiMxsQwTqIY+niWOqxk5jNq63lb6/72lqCvbkaiYsPwEUcHeyTI8kYi1jLuxU+j69wVjALvmU3QJkRgs0gNfczc/+r0Lt1dQlQIwye896kNmB2b3QyGy0GYeLklcnVwa0LFoE4t5BPFRJ+RQ+ASA7vEIuns+OcvC+QSZzoqhOET1m7eBkWS1zKw84dijSejYuQtiomI2zMa+V6myZCpZ2R2sJBJ7Mp4OlkJ25wE/icAAP//iFU60gIwwN4AAAAASUVORK5CYII= - href: 'https://factory-gitops-server-mypattern-factory.apps.region.example.com' - location: ApplicationMenu - text: 'Factory ArgoCD' ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-stormshift-line-dashboard-operator-group - namespace: manuela-stormshift-line-dashboard -spec: - targetNamespaces: - - manuela-stormshift-line-dashboard ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-stormshift-machine-sensor-operator-group - namespace: manuela-stormshift-machine-sensor -spec: - targetNamespaces: - - manuela-stormshift-machine-sensor ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-stormshift-messaging-operator-group - namespace: manuela-stormshift-messaging -spec: - targetNamespaces: - - manuela-stormshift-messaging ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: opendatahub-operator - namespace: openshift-operators -spec: - name: opendatahub-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: seldon-operator - namespace: manuela-stormshift-messaging -spec: - name: seldon-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-streams - namespace: manuela-stormshift-messaging -spec: - name: amq-streams - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-broker-rhel8 - namespace: manuela-stormshift-messaging -spec: - name: amq-broker-rhel8 - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: 7.x - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: red-hat-camel-k - namespace: manuela-stormshift-messaging -spec: - name: red-hat-camel-k - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic diff --git a/tests/common-clustergroup-industrial-edge-hub.expected.yaml b/tests/common-clustergroup-industrial-edge-hub.expected.yaml deleted file mode 100644 index 9137e283f..000000000 --- a/tests/common-clustergroup-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,1918 +0,0 @@ ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: golang-external-secrets -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: external-secrets -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: open-cluster-management -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: manuela-ml-workspace -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: manuela-tst-all -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: manuela-ci -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: manuela-data-lake -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: staging -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: vault -spec: ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: mypattern-datacenter - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: mypattern-datacenter - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: mypattern-datacenter -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-datacenter - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: - acm: - ignoreDifferences: - - group: internal.open-cluster-management.io - jsonPointers: - - /spec/loggingCA - kind: ManagedClusterInfo - name: acm - namespace: open-cluster-management - path: common/acm - project: datacenter - odh: - name: odh - namespace: manuela-ml-workspace - path: charts/datacenter/opendatahub - project: datacenter - pipelines: - name: pipelines - namespace: manuela-ci - path: charts/datacenter/pipelines - project: datacenter - production-data-lake: - ignoreDifferences: - - group: apps - jsonPointers: - - /spec/replicas - kind: Deployment - - group: route.openshift.io - jsonPointers: - - /status - kind: Route - - group: image.openshift.io - jsonPointers: - - /spec/tags - kind: ImageStream - - group: apps.openshift.io - jsonPointers: - - /spec/template/spec/containers/0/image - kind: DeploymentConfig - name: production-data-lake - namespace: manuela-data-lake - path: charts/datacenter/manuela-data-lake - project: production-datalake - secrets: - name: external-secrets - namespace: external-secrets - path: charts/datacenter/external-secrets - project: golang-external-secrets - secrets-operator: - name: golang-external-secrets - namespace: golang-external-secrets - path: common/golang-external-secrets - project: golang-external-secrets - test: - name: manuela-test - namespace: manuela-tst-all - path: charts/datacenter/manuela-tst - plugin: - name: helm-with-kustomize - project: datacenter - vault: - chart: vault - name: vault - namespace: vault - overrides: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: LoadBalancer - - name: server.route.enabled - value: "true" - - name: server.route.host - value: null - - name: server.route.tls.termination - value: edge - - name: server.image.repository - value: registry.connect.redhat.com/hashicorp/vault - - name: server.image.tag - value: 1.10.3-ubi - project: datacenter - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - argoCD: - configManagementPlugins: - - image: quay.io/hybridcloudpatterns/utility-container:latest - name: helm-with-kustomize - pluginArgs: - - --loglevel=debug - pluginConfig: | - apiVersion: argoproj.io/v1alpha1 - kind: ConfigManagementPlugin - metadata: - name: helm-with-kustomize - spec: - preserveFileMode: true - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-datacenter.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=datacenter - --post-renderer ./kustomize"] - initContainers: [] - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - resourceHealthChecks: - - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - kind: PersistentVolumeClaim - resourceTrackingMethod: label - imperative: - activeDeadlineSeconds: 3600 - adminClusterRoleName: imperative-admin-cluster-role - adminServiceAccountCreate: true - adminServiceAccountName: imperative-admin-sa - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: - - name: test - playbook: ansible/test.yml - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: - factory: - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - matchLabels: - clusterGroup: factory - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - name: factory - name: datacenter - namespaces: - - golang-external-secrets - - external-secrets - - open-cluster-management - - manuela-ml-workspace - - manuela-tst-all - - manuela-ci - - manuela-data-lake - - staging - - vault - nodes: [] - operatorgroupExcludes: - - manuela-ml-workspace - projects: - - datacenter - - production-datalake - - golang-external-secrets - - vault - sharedValueFiles: [] - subscriptions: - acm: - channel: release-2.6 - name: advanced-cluster-management - namespace: open-cluster-management - amqbroker-prod: - channel: 7.x - name: amq-broker-rhel8 - namespace: manuela-tst-all - amqstreams-prod-dev: - channel: stable - name: amq-streams - namespaces: - - manuela-data-lake - - manuela-tst-all - camelk-prod-dev: - channel: stable - name: red-hat-camel-k - namespaces: - - manuela-data-lake - - manuela-tst-all - odh: - channel: stable - name: opendatahub-operator - source: community-operators - pipelines: - channel: latest - name: openshift-pipelines-operator-rh - source: redhat-operators - seldon-prod-dev: - channel: stable - name: seldon-operator - namespaces: - - manuela-ml-workspace - - manuela-tst-all - source: community-operators - targetCluster: in-cluster - enabled: all - global: - clusterDomain: region.example.com - clusterPlatform: aws - clusterVersion: "4.12" - extraValueFiles: [] - git: - account: PLAINTEXT - dev_revision: main - email: SOMEWHERE@EXAMPLE.COM - hostname: github.com - hubClusterDomain: apps.hub.example.com - imageregistry: - account: PLAINTEXT - hostname: quay.io - type: quay - localClusterDomain: apps.region.example.com - namespace: pattern-namespace - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Automatic - useCSV: false - pattern: mypattern - repoURL: https://github.com/pattern-clone/mypattern - s3: - bucket: - custom: - endpoint: - enabled: false - message: - aggregation: - count: 50 - name: BUCKETNAME - region: AWSREGION - secretStore: - backend: vault - targetRevision: main - main: - clusterGroupName: datacenter - git: - repoURL: https://github.com/pattern-clone/mypattern - revision: main - multiSourceConfig: - enabled: true - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: trusted-ca-bundle - namespace: imperative - annotations: - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: "argocd-cmp-helm-with-kustomize" - namespace: mypattern-datacenter -data: - "plugin.yaml": | - apiVersion: argoproj.io/v1alpha1 - kind: ConfigManagementPlugin - metadata: - name: helm-with-kustomize - spec: - preserveFileMode: true - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-datacenter.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=datacenter - --post-renderer ./kustomize"] ---- -# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: trusted-ca-bundle - namespace: mypattern-datacenter - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-admin-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-admin-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-admin-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mypattern-datacenter-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: datacenter-gitops-argocd-application-controller - namespace: mypattern-datacenter - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: datacenter-gitops-argocd-server - namespace: mypattern-datacenter - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: datacenter-gitops-argocd-dex-server - namespace: mypattern-datacenter ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/job.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: imperative-cronjob - namespace: imperative -spec: - schedule: "*/10 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: imperative-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: test - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - ansible/test.yml - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-datacenter - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-datacenter - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/core/subscriptions.yaml ---- ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: datacenter - namespace: mypattern-datacenter -spec: - description: "Pattern datacenter" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: production-datalake - namespace: mypattern-datacenter -spec: - description: "Pattern production-datalake" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: golang-external-secrets - namespace: mypattern-datacenter -spec: - description: "Pattern golang-external-secrets" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: vault - namespace: mypattern-datacenter -spec: - description: "Pattern vault" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: acm - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: open-cluster-management - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/acm - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - ignoreDifferences: [ - { - "group": "internal.open-cluster-management.io", - "jsonPointers": [ - "/spec/loggingCA" - ], - "kind": "ManagedClusterInfo" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: odh - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-ml-workspace - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/opendatahub - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: pipelines - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-ci - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/pipelines - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: production-data-lake - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-data-lake - project: production-datalake - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/manuela-data-lake - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - ignoreDifferences: [ - { - "group": "apps", - "jsonPointers": [ - "/spec/replicas" - ], - "kind": "Deployment" - }, - { - "group": "route.openshift.io", - "jsonPointers": [ - "/status" - ], - "kind": "Route" - }, - { - "group": "image.openshift.io", - "jsonPointers": [ - "/spec/tags" - ], - "kind": "ImageStream" - }, - { - "group": "apps.openshift.io", - "jsonPointers": [ - "/spec/template/spec/containers/0/image" - ], - "kind": "DeploymentConfig" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: external-secrets - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: external-secrets - project: golang-external-secrets - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/external-secrets - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: golang-external-secrets - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: golang-external-secrets - project: golang-external-secrets - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/golang-external-secrets - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: manuela-test - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-tst-all - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/manuela-tst - plugin: { - "name": "helm-with-kustomize" -} - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: vault - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: vault - project: datacenter - source: - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - chart: vault - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: "LoadBalancer" - - name: server.route.enabled - value: "true" - - name: server.route.host - value: - - name: server.route.tls.termination - value: "edge" - - name: server.image.repository - value: "registry.connect.redhat.com/hashicorp/vault" - - name: server.image.tag - value: "1.10.3-ubi" - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1beta1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: datacenter-gitops - namespace: mypattern-datacenter - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceHealthChecks: - - kind: PersistentVolumeClaim - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - - resourceTrackingMethod: label - applicationInstanceLabelKey: argocd.argoproj.io/instance - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - sidecarContainers: - - name: helm-with-kustomize - command: [/var/run/argocd/argocd-cmp-server] - args: [ - "--loglevel=debug" -] - image: quay.io/hybridcloudpatterns/utility-container:latest - imagePullPolicy: Always - securityContext: - runAsNonRoot: true - volumeMounts: - - mountPath: /var/run/argocd - name: var-files - - mountPath: /home/argocd/cmp-server/plugins - name: plugins - - mountPath: /tmp - name: cmp-tmp - - mountPath: /home/argocd/cmp-server/config/plugin.yaml - subPath: plugin.yaml - name: helm-with-kustomize - volumes: - - emptyDir: {} - name: cmp-tmp - - configMap: - name: "argocd-cmp-helm-with-kustomize" - name: helm-with-kustomize - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: datacenter-gitops-link - namespace: mypattern-datacenter -spec: - applicationMenu: - section: OpenShift GitOps - imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQwAAAEMCAYAAAAxjIiTAABtCklEQVR4nOy9B5gkx30f+qvqMHHj5RwA3OGAQwaIQ86JYBJFUgyiRJHm06Msy7QtPkkkre9ZFml9T5ItW6YtySZNijkiA0Q85EM6AAfgIu4Ol/Pepokd6v++qu7Zm9udmZ3QPTML9I/fcHE7O9011VW/+uc/R4QIESLUiYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA39E4PIEK4uPduQnzVCDRiIOIQjMDAAJA6LggAo1M/S2AT/1cGOvU7kv8jBsbkdcn7tfw3995jROqCrutgDWZj6XmTLxZhJiJ6iu8y/HDDBswaOBu6yyH3rEtFMIfDYRx6UWeWUdQ1xnXOSbc1YRK0mO5S3AXFGbEYgBgHmRzQAGYAjHk8IWmBbDDmcIIlOCxBKALIOy4VdWIFMGZpGhwXwo05wnE0jbjG4QoHBo/B4QyCGI4sjuPz/UanpypCE4gIYwbiVy8dgx5jSHAd4Jp39MsnKQg3n9uHe986Eou5RpoIAwAGGKPZAJtHDHMBzGHALACDYOgjIA1CEkCcATFf6tT8taFNrBBP+nDlXbyf5BCYJAz5yjJgnAijjGEYwBBAxwCoFyMcJ2LDNuMjNljmxl0566U1aUlC4IqK5OUZNMHw/No0vs6iZdmtiJ7MDMJTb2dgFQVcYSNl6Bgby2lIxOIQop8YLdQJywWjlYyxFYywRJKEJAwAvQBS8AihXXYrt0QmAMYAnARwlED7wPg7JGi3YLSHEzukA2OOqxeEbglT0lA8DodiuOPcmBRw2jTcCPUgehpdigf3ONCzOXW0M9/kQKKgua4+QKDFYOIMRmwNY2wNAWcxYCGAPikpzADblA2gANAIAztAwE4CthBhK4F2c7BDI+gdXkCjwjYNtUiZYMi6PfjQhZGdvpOICKOL8K1rCCv+5zg0JsCtIrJunMMspHXwxZpgaxnDxWA4D4QzAMwH0FOvxEAT/zcJPhlVOsjLf0cVPktlRtAp12YNLy5BwCgDDoNhFwibiOg1AbxlAIfZsMiwOZwcMlEQWXzkgoWNXT1CIIgIo8NY/04WTtZWOjyLWRgb1vV4zJnHGFvNCJcBeB8DzgOwAFC2hmkJopwc5KbncvMyBo0zcM6gaVD/Xfr3xEv9redDUWThf04yA/meFPWTSO1uVxCEfBHBdcn/t/d7+SLh/V052TSgYbieOkMHQXgTjL8gBNsoSOw4kjlwfNnslS6Ts+YCKZ7EunMjI2o7EBFGh3DXGwWktDzcvAOXyNC4NodrdCEB14DhcgCrAWWkrKpeTGxE/zSXm13TGHSNwdA5TIPB1Dl0Xf6OeyShMfV3vJwQGtvI/s1PCRUlEpE/FXkowgAcR8BxBWybYDkCtnrRBNFMJrZpINWYIwC2AdgggGeInDdN2zhRSFpukhKw+lO4Y3FEHGEiIow24tEdeTDHUv/99F6NXbEwNw9g5zGwGwi4lgFrAPTXkiKITkkNmiZJgSMmX6b3U/5b88mBsSobkSprJ0Gg0v3IlzIkSSgCcQSKNqFouSjaApYticUnkSrq0SS4BJxkwGYQnmSMnmYCb26+cPbQeZtHldGHx5K48cyIPIJGRBhtwN07c0gWbMSdHPIsnnTJWa0x3CjAbmHA+QDmVSKJiRPYJwgpNUhSSMQ0xGOa+m/5u5I6MRFUFRYbBICJgDCftCRJeAQiUCy6yBddFCyPVMrVmRokIlWXwwBeg8CjxOkJAtut28U8j/cgbzn44MWDbft+73ZEhBESHt6TBc/YKtrxNV2wtTlawDitA9idDLgOwBIAZqXPlk5ZqVoogojrSMY1xM1TBMHKjI1dzA91ofy7SJVGqi1S+sgVXOSKLoqWUOqNmF76KALYA+AJIjwAwV65/aLBo49uHlVLXaTjuH15rC3f6d2KiDBCwBM7crDzOeRhGRqMFTqx2xjwQTBcDC9o6jSUJIkSSUgJIp3QkfBJQqoYvu3xPYPS93UFKZUll3eQlQRScOA4njEVtSWPYwBeIsHuFZweExb2mZrraskUbj473b4v8i5DRBgB4bHNNohyakZtx4mD03ncxYfA6AMAO9uPjzgNJa/kBEkkdaQTGkxDUzaIctH9vYwSKQifPLJ5F5m8g3zBVcbUaeweOYA2E9jdBHrAFWJr3IxbBEImlsRHz6wo5EWogogwAsBj2/JwrTG4jpEApws46BNgeD+g4iVO83KUpAlJCPEYR48kiaShJImSqvFekiQaRYkYlORhCUUc41lH2T7c2kZTm4BtINxPhF/mdXpzrk2WlUzipkjiqBsRYTSJB3cRYoVxCBAKtpvQiS5mjD5JDB9gwNLJRszSQjZ1jlRSQ2/KUHYJ/T2obgSFUgSsI0hJG2NZWxGIJBJRfXG7AHYR4W4CfkEkNsWMmEXE4FAP7jg/2hK1EM1OE3jknTzY6CgsGAYHzuMcnyGiDwFYWYkoOAdipoa+lI6e1ClpIiKJ4CDJQwjAsl2M5xyMZmwUVN4NVZM4JHHsIKJfMmI/Fba2VY/ZLtPjuOXc3raPf6YgIowG8MiOLLjtYtR0eCpLq8DokwB+C8BZfobnBCQZaBpDMqahP20gndKVhyOSJsLFhNThEjI5GyMZB9mCo/5dZbE7ALaA8EMi9suhkeHd8+bMI8OI4frVkX1jMiLCqBNPbilini2wV+TmgdNHAfwugIsmu0ZLRJGKaxjoMZBK6jA0T+iIeKK9YL6tI5t3MJKxleRRgzgKAF4Ese+Qyx/gsfyQafbjhlXJdg+7qxERRi3QX+DxLV/2KkflKeXq7o0M9EUAN/rp4qf+1CeKdEKfIApdqh2dG30EH566QsotOzxmTUcco0TsEcbwj8TwvK7reUPTcf3qVLuH3ZWICKMGntmcw2ExwvqFeY4g9gUw+gSAReV/o4iCA8mEjsEeQ3k8dC0iim6EJI6SxDE85kkcrlvVxrEHYD9yGL5jFrHb6EnSDWcn2j7mbkNEGBWwfnsWju2gAGvQcNlHGMMfEOHCcjsF+QswGdMw2Gsqr0dEFDMDijiUjcPByTFLeVYEVdwMtlJTQP+DhPaAHuNjOo/hvUwcEWFMwtPb8jhycjtPJRZeqHH+hwA+4letOg2mwRVR9KcN9d8RUcw8yMVvuwJjGRtDYzYKRbe8znE5jgP4KZH4h0R2zhZ7MEe3rHlvqigRYfh4ansejmPBtZx+wfFxEP2hKlZTNkdyMemcoS9tYFafqRLAWGTMnPGQz7BoCyVtjIxbsJyK9g1BDK9AiP/quuy+WMIcJ8Zx65qeTgy5Y4gIA8AT2zLoORbDyf7Rc4jwr3xX6YRUUTp1UnENs/pjKjpTiwya7yr4NZSVfWNotKjsG5XVFDpGjP0AwLdu75+1+6mxPK5f+97xpLynCWPDdgsZkYddKCY457cB+AqAdeXBV0RQ4VmDPQYG+0wVqRkRxbsXjEElt0lJY2jMUpmyFWBL7dUV9Demw59gSd2Sf3fnRVM013cd3rOEcf9OQj5zBGnNmAPBvshAXwKwuPR+SapIJ3TMGYipn+/d2XpvIl9wcWKkqELO3cpG0V1E+G+c0fc1XR9maQM3LXt356W8J0swP7k1i/s0oBfG+RD4zwz0tclkYWgMcwdjWDIvoVSQiCzee0gmNCyam8D82XFVl6SCZHkGY/iPBPZXdtE96++W3oXHt+c7MdS24T23DZ7cnsdQLq8nubgJwNcZcMXksO5kXMNcKVUkDVXJKmwVRHUM4gx+SyK4ROpEi9A9yOUdHBspqszYCpAqynqN2DfGdPZsWmPitjXvTvXkPUMYv9i4FX2xhXBdN80gPkOeveKM0vvkb9r+Hh1z+mOIGVpbbBUGZ0jpDDGNqS5gEg4R8i4h51eZaiem5rlMdTS+F3sLMVXnhDA0UlS2jSqRolsE6BuWW7wrFU/nIdK4ZW23t4hpDO+JR//jLW9gCT8PY7mTc7km/iXA/gDA7NL7ckuYOlNEMdBrqkzSdkCSRb/J1c9KkIQxZgdDGl6LgFK7gFL5f1Jp4Or3pWK901XsUXV9/ALD8KqO89JPvwp56ffvxsUl52gsY+HocFHVHq3Qr/oQIP6rzdg/9SXNkevO7OvQSMPBu/GZnoaHdo1jtZXGlvzRlZqmf40Bn/T7e0xAqiDzBj0VpF2Qm6vf1BDXqj8CuW/HLYGMU9FSXxXC7xvi/SSl4oiJl0cQCDh+pPQtSsThtTJg0Bib+O/S798NyBddHDtZwFhlFWUMDN9hTPtbztiBmBHDtavfHdGh746nVwWP7y7ixsdM/PryoQsY2P8L0J3yYJ/4Awb0pQxFFnGzPSpICTHOMBDTMJ0wU3QJw5ZbVcooSQ6SFBzVD0Qo+4dQ0gR1hQuY+VKJRyBS9eMqAE6SyUyVROR3smyB48NFlZci53/S9yiA6BfE6D/kkNuZzC3BHVdonRpuYJiJz6ouPLZtDBaBk128QiP2DQDXln9fqXbM6jOVGqLr7S9mk9I5+szpnVRyIZ4sCthljCHKCMIRXpEY0SXkUC9KjZcUcZQRyEySQJj/LIZGLUUczlRLtQvCr4m0P7/9wnWvPrzjddw+wyWNmfN0GsCj28cwUjjJepC+GcBfAqrloPquKhBLZ8oLMthnqgXaiY3WCGEMFV0labg+QdjilIrxbkFJbTG4JBGPQGYKeXh2DRtHTxZQsKfYNaQ++bQQ2p/tjw2/uNSZTXecP3Mres2MJ9IAntyWw2hhVDdIu4Nz/k0Aa8vfjxkc82fF0ZvubFesmMYwYE6vkuRdgcNZGwXXPdVe8F2OkpvZ4Fy9tBlCHtm8gyNDBVV3o4Ix9GUC/mxkvLh+4ax+cf0MTV7r/qfQAJ7cmkMxm9dIFx8Gk5IFW1N6T260ZExTZJFOdt7VJYlCEkZsGqPn0ZyN43mrrWPrJqg2DJI4NA7TJ49uBfONoYeHCip1vgJeg8CfuIX842Zvn5iJtUO7d/YbxFPbcsjncgZxfIQxSMnizNJ7pEK8NSyYlVAekW45pSVZSLVEr3J6jsrFlyueZr94L0NKGaZPHgZnE42kuwle5quLI0NFVYi4At4gwp8ULfuRVH9a3LJqZmW7dt+MN4GHNmdg5jLcNrTfAGP/yS/KOwEpUSycHW+bJ6QkUnM/A9KpYWvQGZDQGRI6h+Y/DkkQY7aDE3kHtmjMpfpeQEnqiGkeeXSjumI7QqknI+MVSWMTCXxlXIw+tii5lK5aM3OaRnffTDeIJ3YUMDw6qqdM/f0A/TWAVeXv96Z0LFC5AO2O3OQTVvS8S8jY4rT7u0SwXIGi6yoRSP697ovbRVeo92r01ogwQcwecZhdRhxecR7C0aEChsetSl64112Irww4vY8X0kQ3zhDvSffMcBN4/u1R7M/FWS/GbmVgfzPZwNmb1pUaUiVxKFDIvZ7UOZI6m6JilAdgiTKicMpUjfLxzeiH0iHoXUocjksqwOvkqDVlDRLwEhG+nEmmNgwIC7ec3f1Rod0zsw3ivjfzGGAnWEYkrgaxvwPo4vL3lWQxJ4FYyPUrmG+LSOm8pgHTEqS8HTnHOY0oIgQLSRxxnzi6wcbBfNKQksbJsamkAeAZIvZvDE3bWDQ03Hl2d9s0Zmx6+4p5Qxh3kxeB8JcAXVT6vXwgvUmphoRPFpIfegyuQrxrkUUJUqqIDJjhwhECWdtBxnaUJNfp2VZJjRrD3Flx9PdWbIx0FWP0F7ZwzlrT/uE1jM5TcIO4fwfBdEZRKNpnmlxKFqrpsReUBaAnoWPRnLhqTRjmYpEEIcnCrNPNl7UF9o0XahpAIwQLKWDENE299A67Y0s2jcMn8pUMoS4BPyMSfxoz4vs2bn8e/89Hb+/MQKfBjJMw4sUhFB1nvs7xNQC3lpNFKq55Bs4QyUKuu7QvVdRLFlKoGLWciCzaDDndBcdFxrLVT+rg/KsC0hrzggZTU7wiUj79DQ3831lFZ+Cy867szCDrwIwijPXbx2A51KMR/i0H+2R5IlnC5IosErHwyMLgDH2mpiSLOjQQhaJLOJKzMFys6F6L0Aa4RJ6aIkm7w25qU+dYMCum4oImrdM4Mfwe4+L/zhdyyce2jXVqiDUxYwjjV5sc2IWsyTn9Dge+ICcY/ikiH4Jk7mRcD40s4ppXuyKh1ZddqZLGCg72ZQoYKthtL4QTYSosITBuOcg7TsekDXlXKQHPnx1HMsYnu1t7wPBH3NV/czw7zp/a3X3l/mYEYTz9dg5HR10moL8f4F8BMFh6T9cZ5s2KoWeqmBcIVCFgXwWpVuhmMrKOwIGMhUO5IvIN1rKIEC4EEXK2q4yinZI2vDQF3+U/NQFxPoCvxrl5neMW2XO7u0vSmBGEcfL4OFb2jl0AsD8DsKz0e8a8Kll96XDa8ku1o9fkSgWphyscQTiet3FgvKhsFlS50nSELoDlCqWiFN3OkUYqqataLNrkFpsMqxljXyvm7NUjue6KAu16wli/PYdESltCjH3NT1OfwGCv14EsDHe77tsrUjqva9PnHIGDWQtHcxaKYmrptpkJVvZ690HZNiwbOdvpWKkAedjJQ2/SgST13usZ8BVOuVlP7Mh2ZGyV0NWE8cTWHEat8QQBvw/gzvKV25P0+oWEkb1o+rU2a5XPK0EVUCk42J/xpYqZsr0ky3IO4pp6Qb04qMS+RGDkggnHe5HwzkVV+YZ7f6/ppz7L+IysDiyfV95xlVHU7YChSS5feegN9FTynLCPw6XPZfPZ2DO7c20fWyV07RN+9BULNh/XOKdPgOHvAMyF/4ATpobFcxOqb0TQB0NMY+g1qhfmLYflqyAjRadSibbugqqTJ0VfpjY/s4vghSx4bhxabhQ8NwYtPw5eyIAV8kCxAOY4YK6jVjVxHWSYICMGiifhJnogUr3eK9kLN9kDMpMg3fDvQX4J8plj7ZVSZVLXVUJbOyHXjWULHDiWVy0aJ/HuXgH8YSqtP0DjBl1/YWfraHS+MEQVaEszEAfpAmL4tyWygO/LnjsY89LUA16LUqLorZFuXo6sI3AsZyFju+rf3UcWzDu+5E/hKnLQxk7AGDoI4/h+GEOHoY0PgWdHwYs5RSBMJcIJ+BWEQVK/91V8mnxdKY1IcjDjoEQabk8/nIG5cGYvhj13CZxZC+Gm+xXBqM8oAuluA7AjSBlDk6Qhprev/qaqWm9wZc+wHKEaQ5etp2Uc+OPMeHE7UrG32zaoKui+dQ5g/bY88vn8bM7dvwPYp0vjlPt47kAMcwbigUu/CUUW2rTxFaTqVDg4mreVwazrJlBJEhxwbejjJ2Ec24fYwR0wDu/ySCI/Dji22rxe53lWmt2pKoXa45I4PAI5/T0q+0meRCElGE1TJOL2DcKZtxTFxWfBXngm7DmLIeJpb2ySOLo4iE3OQkLXEde1tmpZ8lYnxywcPlGYrB5JXfcfXcG/lk6lR69bHY6Rv94xdhWefyGH8WTRcMn9EvfqcapsHDl9/WkDC+cklJQRJBK6VEOmJ4uSvUKqIU5XqSDeiS83olQtzMO7EH/nDcQObId+8ognQRB59gnWhBGTCMIh1N2OzVdHpAJEmg7R0wd7/jIUl5+D4srzYc9aBDITXS11yBmShJFQpNG+Jy2El6h2YnRKlbUhAP8uyXq+f+35sY5NWveseR8/y55A7w52LTj9r/LaFjGTY+m8JBIBqyL1ShZSXD2Wt3Gy6AVhdcfE+UTh2jCGDiG++3Ukdm6EeXQfWCHnbdgAjZHk+GpKo/OvvEakpA/RO4DisjUonH0ZikvXwO0Z9HsldCdxxDWOhKG3LWVe2TMcgf1Hc8jkJ9cGZa8R4fPxROr1G1bH2zKeSuPrGjy2Iw9nPDuHdPwPBvxmaXycM1Uxa6Bytl/TiGue63Q6srBcUu7Skhek8/CIgjk2jON7kNyyAfGdr8EYPgK4TqgeC6mekNMEaUxcQChpRySSsBedgfy565A/6xK4fXO897uwwlhM40i2mTTGczb2H82rhLWyu7pE+A4Y+xPu9A3fdkn7TZBdQxgP7RiFm3cNjdw/YEz1EZkwBw/2mipPJMgWhjEV6j09WRRdgUPZU8bNjkMShevCOLoHqc1PI7H9ZWhjJ70TmvP2PFIhVZRTBtGmoNy2Qnle7IXLkDv/WuTPfh/c3tkTKk03od2kIXFsuICjJ4uTyXmYiP3b/HD8n5ckkuKyde3dwl3jJel3NIwy6yKA/YsSWSgXaoxjdr8XbxHUEjK55zqdjiwKqsR/l5AF81x9+vARpN58CsnNz0EfPubHRkiJoo1dtTgD17ln12g2doExkByz68DYuxN9h/ciseVFZC+5GfmzLgbF07600R3E4UWEOm0jDXmHwR4TubyrXK1lGGCMvpTsL7ywb3B4W+gDqTCujmP9tjwK1ngfU5Wz2O+WxiVJYuGcOPp7glNFvIzT6etY5B2fLJypPSbaDs7BCzkktr+I9MZHYB7d420m3uG4Oylp2AFJAyWJI55E/uyLkHnf+2EtPMsLCusi+0Y7JQ15i0zOUfYMyzlNNZGz/vfksD/n6b7s7avbd+53hYRRyKlONXeAsQ+U17foTeuVagc0jVKFrGnJQkoWOQvZTpOF79Ewj7yD9MsPIrnjZWXMLEVldhzysRnwSaPFa5UkjmIByU3PwzywC9nLbkH2ghtVcFi32DaUK525SLbBeyJ5OJXQlUquVJNTkJviE0Lnj99h/4cHQx3EJHT88Hx6SxY5O7cSxL4Nhuvhk0Xc4Fg6PxlYfQv5RXtVbkjtr1wos1l0liw4mJ1HcusL6HnxfhgnDlSOlegCtGwIrQThAoaJwqoLkbn6Iygu8h1mXWLbSCiXq96Wx2FX9ZrgPpf4F1OJ2NHrV7cnArTjx5Rj2TojfAIMV5R+JwWAwT4T8QCL4aT8it61YLmEI1kL2U6TBecqCrPvqZ+i/7F/hnH8QFfnajCNgekBLyUpRTkOEltexsA9/xPJN59SXqGSLafTKDiual/ZDpg6x6y+WKUyg9drTHyk4Ii2TUpHV+AT28Zh5YsXg+EHYFA1UEtFfJfMS6q03yCQ8N2ntTQRW1X19lynHQXnMA+9jb5nfo747jc9/b1LNsl0IFt4UaEBgwkXIplG9n23YHzdByFSfV2hokj+Thm6qhkaNogIh44XMDRmTd60LzKw3zNjia03nJ0MfRwdW4m/fJtg5wopMPZZsFMBWpJFZ/WZgUVzGpypAji1yMIlLyiro2ThSw/xna9i8KH/jfjOTac8IDMESsoIIXuYuAaWzyL93P3of+R7KnpVSSAdhtSO8rYLuw01NThjSuo2p/bYuUiAPmHbblsKZ3RsNV6YewmuhnVg9FEAE0+/L22o1oZBnFMlI2etzFP50E8UnM7W3GRegljqracx+PC3YRx5p30xFUGCyX3Mwhm2JE7HRfL1Z9D/4P+CcWR3V5CpPGxyjpetHCa8EANNuVonTa/JgE8JUTz/8e2FUMeAThHGl39F2MrOTDOw3wawBKWMPZ1joNcILEArqU9f02LEcjCU72DNTcZUCnl60xPoW/8jaCMnuuL0bBoaAwurpL+fnh/fsQkDD34b5sEdXTFXjiBVhCdse6yc1f4ew3MEnH6vM0D4tGNZoeskHSGM//IbDIz0axlwB07lSqKvx1C1DoOY+LjfjawWMrbAsVwHE8lKZPHqI+h76ifQMqPd4S5tEUo1CXFCiXGY72xF/0PfQWz/tq6QNCxXqOLCYUIVEDa4crNOWiY6GH5DuNYlT20Lt3Bw22f6nh153P/a2ACH86mJojjkTcRAjxGII0Bn09stSvkhHSunJ8lCqiGbnkDvc78Cz2ffFWShILWSkIvQENdg7t+Jvoe/q4zE3SBpFF1XEUeYUE6BlFGpQv4yBvoE2SLUrLS2r9DdAtA0+yoGuqW8zkV/rxlIAyJ5wZTBagZneUbOTgZmMfXkk289g75nfgGezzR+SpbnW5RqYKB74hSYFn7MiJI09u1QhlDj2J6OSxpSrc23wZ5h6EzVs51UnpKD4YMFN3/pE9vDK+fX9hk+3y2mOfAJAPPgr++4qaEvHUwQTExjSExzug0XHWW76JhJkTHEd21E77O/AM+ONbXQmWmCz5oFfelS6CvPgL5yJfSly8BnzwYMo/PEwXzSCBnENJh7tqPviR9BHz3WcUnDEYR8yPYM8mvapqaUemCLieFjjm2HZstoa2j4kzuyyOez6xj4zaXfKemix0DMaL3Ohea3MaylimRtFyfyHaxpIUXpg9vR/+RPoI8cb3yBMwbePwBt/nzwZFKKa6e9rQkBkc3CPXoUYni4o3kYkjDIZaGTlzKEbnsVvck+jNzyWa+yVwcJU6olOndVAZ6woGtc7Zts3ik32MstcKdw7R8/sbXw4o1rgtdO2iphOHYuxcA+Wi5dxEyO3lQw0kVSr50nYvtFey3RKSMnhzZ6TAVlGcf2NUUW2ty50JcvB+/p8ats0ekvSSg9PTCWLYc2b15no0NZ+5JoJS8m3ngW6Y0Pe4WLO/i9yY8EDbNRkrxHOmkgMdWWsQKED7mOFUpcRtsI48mtGbgOPw9gt5buK59pX8rwbBctHgimxhRhVIO8/MmCg/FOhX3LjWzl0fvCPYi/82bjBk4i8P5+aAsXgU2ncsj3DB3aggXgAwOdTRHnIcVlTIZcTJaF9IaHkNjxUsfD6F0irwF0iPfQNaYcBZMyZzUwfMh17TMf2xG8x6RthGHbri6I7gSwHGWVkvvSrXtGVIiuzmrWt8jaQpXX69zWYUhueQ6pN5/192+DX9owlMQwLVmUQKT+Vp83H8yIdUxEZ6yNCXOMg4+PoufZu2Ec29txr5NUTSwnvHwTpqQMXdWMmfR4zwTo9iEKXr5ry4w+9vY4HNdezqAIY+JL9CR1xKYGoTSMOGeI11gcjiCcyFtKJemM3YLDPPy2yjplxVzjG0hKFz094KkGdXNJGqkUWE9Pw0MODMqB075ZJ8ZhHNyDnufvbc77FORYVPazG1qDJFIek4qHbhwMH+wtZhY+viVYj0lbZtN2MgycbgJjq0u/U60I00bLA5BrMWnwmntwpOh0Ll1dnnq5cfS89AD0k4ebs+IzBpZMNXdicg6eSnVURGdtjnKXnJrY8hKSW5/veHS9PKyKIWa1ysfak9K9HJPTeekiDXTFz3YEK2SEThgPbBaArc9mjEnpQrl7lMEmoQdS6yKh1TZ0FlypijgtlZ9sFXLhJnZsbH7XMAYuVZFmN73ZwmeDAG9zHQ9JsIUc0i895KkmHY7PKLoiNAOoF/SoVXIc9AvBPvhbZ+YDLZQR+kwuOsoBMi8EnWqkzBlT1bRa7YuqSelCZ1W3oZQETxaczjUcYhz60EGkX39cdRbr2Kbtgliudu9Zqb5rRw4i/epjYE4H597vZ1NwRGiPQX613pQxNcOb4eqi45zzzNbxwO4V+mPcO3DcAJzbTw/U4qr0WKu7WEoXtTJRc46rupR1BCpPxFZJZU25UMtBBGHbzRsuLavzgVzt8paUQxASbz2P2N7NHZcyLBFeGrxSwWJapfahiwDc4tp2YHpJqLP4g82vI8axhIGuLw8D70nqyljTyhqWZJqoUUGrJF3YndoojKsOZMmtG1rfrESgbAZoRhd2XRXI1WnCaGf3sLKbgo+NIv3a46rJdEdjM8iLzQjrMWgaU1LGpPPTAMNNlmDzz3j404HcJ1TCOG7tBQO/sryDmfxiPQEEasWnkS7GbbdzMRdgSgVJvfEktNETrZ9ujEGMj0NkGlz08nOZDEQmOJG0abDOkAaBIbbrTcR3vd7x2AxHCFgh2jKk1G6apxfYYcD5DtkX7bz8h4HcJ1TCWK1fkRYkbpzoM0JAMqap3JEwpQuXCMMFO/QkoKpQbtSdwS5Sx4F79AhIqhf1XJMxkGWrEHHU+5mw0YkhSNUwl0PyzadV39lOu1mLUuILaV2aBlfOhEmYxRi/4b59I4FEfoY2e49uHQe5fCUYu3yi5aGvjrRq7IxNJ11YAlmng2nrdhHJzc9CywwHt0CltDA6Cmf/flBxGiNeiSwOHoAYHekOsgBCKd9XD5SUsWerb8vosJThChUPFAbkV0sn9cnFghlj7FounIXffeNoy/cIjTC0jJAXv4wBKzARrdy6sVNOSlyr7hmRUsWIFX6KcVUwDuPEftU9PQyIoRNw9rwDMTICKCOa77IsvYRQJOG8sxvuieMdt12chk7t1ZKUsfUFMKvQ8TwTy3VVUd8wLi4l+Jg52T5IZ3JiF//ueXNbvkVo2arFJJKw6TqAJUq/S8YrfZnGYPLatS6ytuhsmwASSLz9CvSRAGwXVSDJgjIZsFQaLJ1Wqe4KtgWRyUJkM4Btd/w0nQxJ88Q64+ZV1ar2bIF5ZBeKS88FqHPtL20pZWik8p+ChPyOujyU4zqy+dO+Xy9n7Lr73hp+UG7NVu4RGmFoYEsEY5eW/q3yPRK6qtfZLGEwv/ReNb6Qkt6oL110LBt1/IRnu1DtAUJK1ZQqhzylpLoxNuoTg999zM9Y7TayUGA+aXSCMRgHGxtB/O1XvaZI6tl0RvoqSRmGxgNfp15+iYahMQZxSvXhYHRZgusLAOxp5fqhHIFP73bhOsVLSwV+4VcJSia0lp6RxpkqkFMNeUd0tnEyY6rGpHHiYHuMayVSoLJWhd1IFOXoZLa9KxDf/Qb0saGO2VNKsAXBDcFjoroGmpoqeTlpq61ybPuc9Ttaq44fyqq28rkYgzJ2eqHgfmCJqU/5Eg0hxr16ndUwZjmdSzDzjZ3xPW+CWZ2NLOxasM4SBjEO/fgh5cHqdJKJIAqt/qdSSxJTpNtBxvA+x7FaEntDIIx/A5ec+QAuLq97IfWqVrwjnHmxF9VguaTiLjoGvzhO7MCOzo0hQm2oHJOC11HO7WAfGh+WEKG4WOV+S8r9dvqhxRlhHSPqa+XagRPGq4f/QurXZ6heCSVDjMaQiGstkbrOWU1XqlRFrE7ljPgwj7wDbfR4x8XdrkaHp0Z56w7shD5+suPh4kJQaC7WhMlhGKfbC4nhbMspLH9px2tNXzfwGRs6Ns4IJKWL2eoXfguBVr0jMV7d2OkSMGa7Hc1Iheso+wWzrc7viq5Gh+eGMegjx2AcfafjaiP5HpOgKUORosGVLWMS5migC9YfvrDpawdOGLrWm2BgF5V7YOIxTRUtbRaSKGq5UouqiUwHXamMQcuPw5SLMEJ3Q6kleZiHdqv2lJ0mMEeIUArscMZUGMMkTkwQ2MXr+kdjTV83iMGVw4E7D4S1EzdgXjBJK2Sus9rqyLjlqkIlnYIypp085FUBj4yd3Q9XqP61vJjt+PNyicKplcE8R8Mku6H8x1qL89nNXjZQwrh/I8FxrDPBsLD0O01jSsJoBWaN2As54dmQi61OBzk04/h+8EKu4ydW16MLpoekWjJ0GFqmO8LmbSECD8iV1zMNPiUrnIDltmstfviVI01dt6HArce2ZCpHyHmNvDB0jFjfADsXQC/KWiC2ksrOfPtFNRQcrzhJJ9URuLYiDGV574KWfRGmA4M2PgJ9+AjsOUs7PRglHcuDr1bIQDPQ1WHNkS+e2rNM1aWh1UgmXnxs8yjK3xCq+76Om1dVL9JVN2E8usPGtrffxhmL585nhAu9gjjEAeaC0WGH2Ka+3uFxBpyr8vD9QUjpQmshBFbnbHIyzWmQ0kXH8kYUGHgxB334KDoU9Tyj0BVzxJiKlVE1VrsAwldL9IAPG8YYEqaGEXaaCznOGHsf2fYeF1hCRKafnzdsc/5W3iq+88z2vLhmdaLiNesijB/nx5DfUeRnLpp7E4A/BlPl9uKn5EuW0xmeB6cfM2A1lWWnxk3e0iIxeHUvpSSKnK+OdE7CgKpOrY0NoUMhYxGagSuUWgLhdIWeJAmDVEuR4CAFlpjJlR2jzLAqb/FJAn5TaQKnipTYOtGOHvC/LxbyP39wt5V//0pzyjXrIoxF6wWyi+zzwfCfAFxS4U8kHX0QDBcSoGrak6pbwWAaWtPHirIN8OqZqZZLSiXpLBh4bhQ8P9YV+nCEekHQR08oNzgZ8Y7LPVItkZKGFvAaMg2uVBPHpfLlOavCXRKMcCmAv3Qhxk4Qv7vS9eoyep48gwxAfAzAdA7cJQD61X+Rlz8iB9wspGRRyzuSd7xqzJ3cpiowLTMCrtKmOziQCA2BiIGPjyh1shuIXpJF0O5VqanrmmdDbABLBPDZ+Xa2t9KbdV0pZfMUA84pb0JUD+RAJbs1a2KQbFvLEJR3RWeDtXzw7AiY23mf/oxAt0yRVCULWd+12unBeAdPGO5VTWOqbF8jYMAqLjCr0nt1XcmFK/WKxkp8MU8c4i2ESes1ojsdv3R7p8GkGJkdVYVrIswsMKuo7E/dYnuSazpoxUjZMaZp9DUZUjlwBatorqiLMKiJCgbKHdrgQCejljZjuaSSdzr+qEmoRcc6b/uP0BAY4NhKyugWCEHlNSwCQzP7UK+iFoSWfcN9CaNZMNROZS+6osPuVB8kwKzgu2RHCB9SjZTPruOHjg9lxwg8gsszDbRaR7eE8AiDM8/Y0rT9AjW7sRfc4KPjmgETAlwlnDUAKnuJslf579/N6JodKsm+wWcXIsgPFQj6mprGlfEziEuHUqLPS2nnyuDS7Bg1Zb+ovLLkpBb9LL/Orj3mSRiuVf17kletTxKC/KkCZQU7VQR2UhMJlJr+cPKyrzUvC7vdDY27AqUpIubPI5vy3gQm5o7UMegtHao9Z0RgTufrYpTDDSEeQ+OexzLfUjVPD+HU9CQvLLVZg2cphqOaRuIKz4bRNZhM3eQRAzn+T9cnDSr7g1qXK3+/VJ5T88pQcsMvR/luJQ/yCUJ4BDFBEnU+bgI7nTw076dHuJOfE4GJDrXSrAJ5GMrDJMimT560H8z1QisCLAfYrNrk2S+q7wmbSFmUu2fPeCNREoQkCauMJFoF+Xwkr20DoggwHeC657cKq85w2yHJwWXeHIoWn2y5ZCJ8ElFSGoFp5BHJBA91zyqCX8iaQhCdDb01B0QJoRCGHJiuBtjcCJkvYVSD7YpQrMkNQ6kOmlqYciMLX6II1QZBHnG4NsAsjzS4OZOI4/TnSiWicFm48yZO3csjDqFOJdLMrgjcKkFKFyriM2DGkBK//Jqt2jFCkzCmtJ5vAGof1vi4JTpSqP50cA5WyCG+5RWwvYfg5tvfnXxC3bF90jA7XnWufghAuDx8opgMpS5K4uBgLgMfHlLNjcgwuyKWpmT4DKSvoQ91gGveAd5qA6XQJAytBUZjqK3O2D5hdKo6uIR+eC9SzzyI+JsvqQpOje9UqrxRmjjtJGm4cggOoMUaDrFrK1RHBIdD2F6Ryc6BgRxC4vknwLJ5ZK+6De7cRf4AO3schVEYWPO7Bba6b0IiDNZySb5qHhLhE0ZHwJiyqsfeeAHpJ++Ffnh//U2DSgux1GhI08B0Tf30WhySKhlHjuOddOUNieokESlpyI/zGKDFu88wSg7gFuQ4GxzYhEdp8maetPwn5gv1fXnGwLNjSD7/CIy9O5C94UMonnsZSNM7ShphxBcpr6PcWO40nqNpEDhhkL/hW+kCx2tI9yKskmbTgWtg2TGknnsIyeceUQtt2mI5pY2v66qtoTZ7LrR5C6HNmQ/ePwieSoOZMU86IaGaLIvsOMTwENzjR+AeOQT35HFQLgu4rq+rTUPEkncKHrPyRPeoKMLyxlV3h8Iy0mSmCZZMg/f0gvX2gyVT4GbcWyhCQBQLoMw4xPioelE+57WKlJ/nfJrG1d4EGQd2o/eu/4Pc8UPIXXkbRLLXr/nZfpSfK0GBK8Jo/TrBSxjkSRit5JDwGi5VdRC3RpJNDIhDGz2B9CM/Q2Ljs/4xXoMsfEKTpKAvPxPG6rUwVq6GNneBWuxM12ufgEQgxwblMnCPHoK9cxvsHW/B3rsLNDY6MaZakBuUBKAlPK9Kx0CeZ0dKFnXZKuTcyQOjtw/6omXQV5wJfclK6PMXgfcNgMUTgKZPGNSp9BnHARVycCXZHjkAe89OOHt2wj18wCNcTDNnXAPPjCH92F3QTh5H5taPw+2f3RG7hvCTMaoXdmgctaT2RhDKUuJ1HIQ1P19jO7kihPDZmoPRoJ08ip4Hf4T4Gy+eOrUqwV/s2tz5MC98H8yL1sFYvFydjg1BEqZhgvUNgvcNwli1FnTtrbD37ULx1RdgbXoZ4uQJf3zVJ1qpADlAS3aINMgjCkkY05KFlKB0HdrCpTDPvwTm2osVYfDe/pofU+tEcrecr0QSfGC2Iuf4uhsgRk8qkrXeeAXW5tcgho7Xfn7y966LxCtPK7vU+J2fgTtrftslDQrYtVqSVlo5xEsIzejZSuBJre/lBbY0fenGwDi0kRPoeeAHHlmgij3Bf8J8YBZil12F+JU3qcUeiAxYGkq6F+Y5F8FcfT7sq25C4bnHYW3cADE2XFPaUQbRTpBGiSwK0/2d8OZ56QrEL78WsUuuhDZ7futzx7kij5h8nXcJnIN7UXz5GRRefhbi+LHqtiHfUh9/80WVazL24d+BOzivrZIGTQTvBSdhKKm/W+MwJJO1Iv3U+qhSSZq/dP2QCy47hvSjP0f8zZerk4VcSJoOY835SN72YZirzlMnZWjQNBgrVkFfvBzW2ouRf+Qe2G9vmdh4lVDyoijSaFO8hopLmS4UWbhgPX2Ir7se8Wtvhb5wSTiWWk2HvvQMNWfmhZcjv/4hWK++ACoWKhOT/5xjWzeix4xh/IOfhds70D7SULEYwV5yRkgYTVcKn0bCCN1xrxorW0g+/QASG5+pboESAizdg8QN71cvqWO3C1JliV14OYylK5F79B4UnnnMM/ZVOZmleiJ80ggv5dDDtDYLf2HoZ6xG8v0fR2ztxYDeBl8w12CcsQb6ouUorjoXuUfuhnv4YJU58yWNTRsgUmmM3/EpkBlvm/ckhMoY3hJukTPCkTDk4Fr4vtPkC7XlmcXeeAHJDY+pFogVT27XBZ8zD6kPfRKxy68Da8eCrwA+OAepj/w2+Jz5yD/wc4iRk1VVFBX7UAzX5arC16cjC84Ru/gKJD/0SegL21/mn8UTSqLR5i9G9u4fwN6xxX9j0qT46kni5afgzFmA3Lrb/L8JdwFShfSkltGimaCEcM6aFpms1hcLPQRDnkIHdyO9/h7w3HhlshAC2sLF6PnM7yN+1c0dI4sSWCyO5A13Iv1bXwCfPbem6KxUhZASNKVWpOIsqt3edzEnbrgd6c/8fkfI4hQYjFXnoud3/xVil1zhr9cKi0tKm8UCUk/eD3P35kDtUrUQAl8E4qYN5du3ar+oKWGEye6q72YOyWcehH7kQOWT2nWhzVuA9Ce+APP8y8IbS6NgDLHLrkb6Y59Txteqln1qMB6iAVDRU30qv+mTxfV3IPWhT4P39AU/gCagzVuI1G99XhlbFSod7ZxDGz6O1FP3gY8Ptym4Jfh1Xo0TG0FI37w1D3JtwggX8bdeQvytV6raLPjAIFK/+Tswz7805JE0AcYRu+waJD/yabBUT9WjXpKFCLhujEqIq3pNzwYUv/ompcKpsXURtMG5SH/897xnWk0XYBzmzs1IvPKUz7bhRgKFoXZ3r0oyE8E9F2rixcfBivmphEGkRP/ErR9B7KJ1nRplXYivux6JG+8ENKPqylOBXUGVgiCfLKqpIoJgnncJknd+ovGYlDaBz5qrbEH6spWVVTo/LUAShn5kf9tUk25DSN+647mkTSH25osw9+2svBiIVIxF4rrbur5/KtMNJG7+oAqAqmpQEHUGVNUBYXsSRuU3XWiLliH14U9DG2i6aXhboC9ZgeSHP6UidCuSBtegHzuIxManPWP4DEOrmaoIizCoSiJm10IFaA0hsWmDvxAmSRdCQFu0FIlbPgwWT3ZqlA2Bp3uRvO0jyntSzQiqNnqrtgzyCgZVfOBSKosnkLz1g9CXndHijdqD2NpLEb/65uoSBEGprPqRfTNOylCPqEWtpCu/cS2yCUVzZIC5YxP0Q/umGrTkojdjylinL14e6G1HRkawb98+7NmzB8ePH4fjBHtqGSvPRvyam71AskqnC7VuyxCO3560EohUiHzs0qtbu0kFjI6Oqrl7J+i50zQlRRpnrK4iZXgG0PhbL/mG5S5LCa6Fri0C3EJs1XQfDTIhx7sgA8tnEdvyKphdnKpuCAH9jFWIXXplILdzXRevvvYaHnzwQbyycSOOHj2qftff349zzzkHt912G6675lqkewLQ9TlH/PLrYb36Ipw9b1cM8yzVHW0qArSWdKEMxLPU5gtKKpPz9PqmTXjggQfw8iuv4OixY3AdR83dOWvW4NZbbsH111+Pnp7WjKp8cI6K03D27/GiQSfbs4SL2LbXkb/0eriz5rXB1986vPil1scZCmEIOpVt18wQqUbmTUDtFU6BcWXEMva9XcEz4kkX8StuBO9tPYrz2LFj+Id//Ed857vfxf79+yHc0/WBJ9avxw9++CN88AN34it//MdYu3Zty/fUZs9DbN21cPa/U1HKKBUrboYwSjVMq8G84DIVWRkEhoaG1Nx9+zvfwb79+xVRlEPN3Y9+hDvvuEPN3QUXXNDS/WLnX4bCS8/AfmOjV7OkHGrNHFA1NFRy2oyAH27eYopKeDaMkEpiNVBPpk4QzD3boY2PTlVHhIC2ZDnMc6brQT09pNj89X//7/HNv/orJUpzzqEbxukvXcfo2Ci+/8Mf4kv/8l/i1Vdfbfm+ErHzLoM2f2FVW4ba9E0wu5JOKl1SqnG9fYhfdrXK42gVkiy+/ud/jr/85jexZ+9er0BThbkbGxvDD3/8YzV3r7zySkv3ZOleb/ymWeFNpqTR2M63VPe0MBBk1XAEKGGEQhiixeSZWp/lQQTET4ApF6r5zraqVnHz/Es9q3kLKBaL+G9///f43ve/D9u2oU0+scpvKXVkTcOzzz6rNsmhQ4daureENmc+zHMvqvp+1Y0/DapKF0LAOGtNIIZOx3Hw37/1LXznO9+BZVl1zd2GDRvwta9/XRFzKzDXXOAlxFUkWgZj305oYydDCeQKwzISRO5caBJGK3UJa31SYwEOmjPlHdGPHaygpwrw3j6Yq9e2LNK8/PLL+O4//7MiC16nZV3TdSVm/+SnPwW1+qQ1DcbZ54OlUpXVElV5trFLTjRlqnQx01RSGUukmh+zj5dfeQXf/d73YNU5d/JklnO3/qmn1Ny1AnlQyHmrciNooyf9mIzgt3eQV/QqQFIgtUJDocZWm8rW+mitBkcNQ4q2xw+qSkuVArW0+YtVQZdWIMXAu+65BwcOHKh5Ok4dGkOxUMBdd9+tjHutwli6EtqceZVFCWri9KnWd4XIK/oTgO1CShf33nuvslk0One2ZeFXd92Fw4cPNz8Arql8E5ZMTf2yfo6Jfmhv4EZPFoZKIhBIa47ACYOVJIwWDsVaH5WEUatnSUOQpHD8sGr7PzVTEdCXrlDxDK1geHhYSRjNxPpyTcP27duxa/fulsagrtU3AG3R8uriW4P9VE7v5Fb+BkFb4NUtbRWjo6N46eWXlXG40Q0k52737t3Ytm1bS2PQFy6FNji78vNzXXXgKO9awBs8aJnFFcHU2AjNhuG2JGFQVdKQUikPopWFH+qrDx2rnKilGyryr1WcOHFCuU5ZE0E+UgQfz2SUdNIyuOZ9n2r1MqoRQBVUDfiSUtviFV7tzRYxNj6Ow0eONDV3kmCyuVzLNiBVrHnewqpzow2fUAmLQRIGU1J0sJThlqT+rgzcIsBxRdO7WtSoecHlggwkws4rkqOyDyffy88bCeKUtG27paAiIYQy9gUBfe4CVYG74uSKBoQgqiEGapoq2BsEpGTR6tzJ+W8FzIypjNZq5fykOsvyuWDL6YWwMUsSRqujDMfoqfTP5hPRyW9IWwlywHoQRiZ5CasInh2vNADwZDqQ2Iu+vj4VSNSMS0t+xjRNzBpszUtTAu8fUIVyKzJ5g8F2Fb+OHxXLZ81paZwlxOPxlueuf6D1Z6jNnuu1QJ8MBvB8Vr2CROChAyS1p+p7qhGE5iVREkaTENPYMcyArNJSJWHFYgXaJa8dQDze8j1mz56NM888sykbhjwh58+bhxUrWleNJFgi5UVdVuOLejukqz+uXAxZzhlPB5O+3t/fj9VnndXU3MnNMXvWLJx5RuuuXXlwsIrxJEz1P/Gym1u+zan7Vasf2wLkfgwiZT60XBLbad5TIr+YW+OjkjBaHzjz+otUSjaT95Y6eACVtOQpecdttyGeSDTM8PLvr7nmGixfFlAOi2GCxWJV80oaQ+UPMDOuXkEglUrh1ltvRSqdVuTZ0OiIcOWVV3pk3SKUl6RKNzQmXM9oHiBUEe0Ar0f+fgzClxMaYThu835f8nWuajA4D6Qpi9/Su+I7rNTCMADcfvvtuPqqK6eEM9eC1N2XLFmCz37mM0gkWzcgQkU082AqmtcMlNECTf+//bbbcM1VV00Jo68Fx3WxcMEC/M5v/7Yi7FahGk9Vc+uSAFNt+1u+zQSCWdunIPeh7TRvUyxHaCX6pAgk9aZmv7pTI0Xe4EzZMVr//kFGjVbHokWL8NU/+ypWr14Npw4jnOu6Snf/8h/9Ea699trgBjKd3tGFOVTz58/Hn/3pn+Lss89WJDqdlCbnrjedxr/58pdx3XXXtW2cQSJwwhCehBEEQpMwXOEZPpvdj7UaFmk8IDsG95shV9gp5NiBBuRcf911+Ju//mtcdNFFE9Z/KWaXDLzyJRe7JJQF8+fj61/9Kn7/i19sKGBpOpC8n11FymmEO2s2jqkutTULqZb957/9W1x6ySVqzirNnePP3by5cxXB/MGXvqSMnoFANciuIuEwDtKMwKRR1T8kQL5gikSFkviDGGJoHXeEIBRtgWaTtD2vbOUMNsnApmQNu5XqLwQYBsgwp/IFY6BCHrCDK3zJGMMH7rwTK1euVBmXDz/yiMpYzeXz6tQ3DEMt9nXr1uHzn/scbrjhBpVQFSisQuV07YkxNnKxyuX2ySqqV5CQc3fH7bdj+bJl+D/f/S5+/fDD2Lt3L/KFgiILOXdz5szBussvV3N34403qt8FBbUWSs2wJ7+naSAzFph4xsGClTCYJ120EhdVjtAIQ0oHlt28ZdZVXdorq45yOuMab02ZkCqPYYJUvkOFhZ/NQOSzXgXuAHHOmjX4q29+A1/8whdUFOLBw4cgXIHBwUGsXrVKqS2t1nOoBpHLAPlsxYXfSE6f97eVS/JTMa/mLgysWbMG3/zGN/CFz38eW7dtU0FZruNgcNYsrDrrLDV3vb2tReZWghgfAVWyP0npxoiBAqzCJsmixZU9BXIfBhEWjjAJQ6Jou2qgzbRoU7EcRIhVmbyYzqFx1gJzeg9bqHL3UxvYUC7rNQUKoXeGYZhKJ5evdkKcPAFRqFDgGI2bcxivQLOKMIpwh08grE4tUuqSxCBf7YI7dNyTMKYEDBIokYRIVHZVNwOtxTajkyEP7KJ/cHdtX5ISSqJQs+O0a6jCMc6UHaPp5yRPB92A0z97qtKoFn4B7tHWU8u7Ce6RgypuoCJ4AwuqViii48A98i6aN8f21kG1Eoc9faB4ZSm1GQSWJ+XDMw0E14QmPMJQupPwrLNNzoFTI2FG5wzxVg2CmgZ3zgKQXiFc2nXh7Nvd1q7docKxYVepugVfYmhUwqgIqUoe2BO4HaNTcMdGqhMgg+rsTvFEII1E5LkVSBSzD89bSbBrnbwNIjTCYH4sRdFqnt1cKjVfroyE3rodw5mzUImVlU4IZ/87EKMnW7lD18AdOgb34L7qBs8GuVf9faVLMQb38H6Ik8ebG2iXwT18AK78LhXKN4LrsOcurHzgNIHADZ4ALHlou40f2tW+TV2Ewb1A4IZnREoHRat5w6cKOKlho0jqvLV4DBKqJqMzOHfqA+cM7rHDsPe1nlreDbDfeVvZMCoaPHkThMGrSBmMQQwPwd69o/nBdgvk+nt7MygzPtV+IdWReALuwuWBuVQ1HjBhqP3n2REbvapV5QN1EYbhcilf1nPUyl2Xm0gFIaDgD7gZqJBWUT2k1VBqSQtCEhFEMg17aYV8A8ZBuQzsLZs8g9cMhlQP7M2vKQ9GxcXdBGGoz1RMr/DsP/bWTTNeLRHjI7C3vVWl6JCAOzgb9rxFgfU1DCYL+xTkqApF0YxWPUIaq+jqqpMwjBwx8bi80DR/egxEvwQwqv7FgIItlC2jWd60aqRdS+kiaWitqSWaBuuMcz3X2OQbEWBtfhXOsRaqNnUBnIN7YW17s6qRQm38JiaxImF478Da/hacQ63V1Ow07Le3enasKgYbe9lqiHR/IIFqQdsvAC9DtdC4ScAG8JhOOFHpzboIg5mcOMQDAP4ZQIV8cAVJEt8WjH1LEYe/Bh1HeHaMFiI+p1NLWrIsE8FZuALOvMVTDZycwz16GNamF5u/fqdBAsWNzys1oWLxHAbwJn2gkjAqSiacK/VH3jeUrsJtgJTGCi8/4wVtVSjfKA+Y4llrg8nNUd6RoPKjPDA//kK+Jl1WHvoVyUB+BMADxPE9GGZFd1pd3/bqtUk8+MaRk4LjLwzB3yASt4FjjhoXKfvGEU3Dr/NW/m5dS0hK2w5AOcrlHswVBXqbDPmUXGEJQkyrPJkJjSOmcWQdtzlOEgS3bxDF1RfA2L9r6vuui8ILT8G88HLo8xc3c4eOQp6QVmnjVliQvNqmrwPKjmFULwYs7+tcdjX0Sipfl8Paugn21jcqx2kLAXvhMthLmitbUAl60PYLBuQtV3lJyiBH+6Cu4Veuy24HaCUYvKdPGAPYc4LhJ2u3D+1d+rHKfXDrVppm9Q0grsWHfvXU738bXPuiS/g0EX1KEH2aC/q/bv4vqe+lEulRjXgewGvlhtZ80VXiUbOwpnGvplpSS0idiMVzLobbP6uylHFoH4rPPz7jGvCSVUThmUfhHj9aVbpgZouNbYwqn5fzdvwICs8+BgowxL4dEJkxFJ5+xDN2VmidKaWK4jmXQPQOBOJ2Z2HYLwSQLziT+czSdbxwy9pZv9TA/zUj+jTz9vCnBOFzFud/Y2r63l3nV6+YVvcoL18Ww83npHHHVf8RmqaN6oZxWL4M3TjMNGP8l/8auHHNADbtzbnEaOOEvYN5npIKolHdcASpVzX0GLw1/U+eGAuWobjm4qnvqRrtAoXnnoC1/c3m79EBWG+8rLp3VYOULJpVR+q6BhEKLz0N661gGjK1BUQoblgPa8umygZiqcLOXYjCuZcG6h0JOv7CdgXyxSlkNuw6eP3B14R8aDndMI+qfayrvXwyGU+4N5/bhxtWVW8P0bAC9pFLaoczX3jmIBwnK1WSPQAGmF/tR4pHyXhzsq/rqyVmFbUkrnOlmoyJJtUSCc1A/uKrENu6EdrJE6efyIxDDJ9E7td3KbWEDwZTgi5MuEcPIvfI3d4pWSXAjbcoXSgw7zrCruC8Zxw0Nobcw3epRtZB1EgNG/aurcivf9BLPKxU14Nz5C+4Au7sBYEF9emB1Xc5hYLlVjqkd2q6/vbt5zYf8Bh44NYt5yblxj4EwqbSElJ2jLzTUiOVYg21RGMMabNFbwkJ2IvPQOGiq32ymByXwZVOm33wF6BCrpU7hQ4pUmfv+ymc3W9XJQtm+IQRAJhe41oah7NzG3IP/Ey5qbsZ7omjyN7zY2XorkgWwoW9aAUKF14VaDq7EbQ6QkA+707Os5K/ftkGDbVy7VAiPdOHZ2XB2IuS6NQvGJArui0V8bCnUUvShqZS3lvJLYGmI3fZ9bAXr/Dy68shn6wUV59/wjuBWqhmHSbIKiL/yN0ovvJc9T9igBYLtOMkeKya99G7SeHFp5F77F6vzkgXQpJs7v6f+obOCl+ECBSLI7/uJr9jezDShcaCVUfgR1hnC+5k+0WGAS+OpvtbegDhVNxKqeTxlwAcRZmLJ190myZmyRWFGobTmMYVabQEIZSomb32/aBUeqoF3M/GzD30K+SeerDrFj9ZBaWG5B9/wGsSXGWyJVmwgNNJlS0jVu1NBlgW8o/ei/zj93WdEVRKPrn7foLChidr/BGhcO5lSh0JEsGVm/TAmBfdmbem7LXdBGxKtpgkFwphvO9KBo3FdvpqiYIk5EzOaYmYpVpSLbdEzk2fqbXO1lKKWHMpcpdeNyFVnAbuRYDm7v0p8k880DXRjFJNyv36V8j/+i6/SE7lR6tiJ6pt7BYhCaOqaiLnLZ9D7v6fIy8ljS6ZNzE+guw9P0T+qYerFsmRqoizYAly197pZaYG5EqVS9VsJVK5EgjI5it5JelVXdMOfHhZa/cLLfmMZ90MGJ72I8cUcgXHi/pswVtSrCFlJHSOtK61xqG+6Jm77gMqNqPi4mBcGRNz9/4Y2Xt+BDE23ModW4YYOobML76nJB+5KWslmGmJUJqN+zcAeLxGXIcKt88id//PkL3rBx1P7HOPHEDmR/+E/PpfeypmRbIQEOk+ZG76qLJfVC3V1wR0zlXAVpCQeySbn+JOzRKxZ5b05ls2IoVWQIcl4gKU2wAmDgJYrqRSmxRpxJqstahi411CokpBb6kPSilj3HZb61QtVZO+2cjc+jFo4yPQD+yeagSTJ2ahoMRs9/gRpN7/MejLz2r+ns2ACPbOrcg98FNYmzd55FbNgMb9zRxqyaRTpOTkqjSXkfNWLCL/+P1q3pJ3fhzGilXhDmoyhIvi5teQe/DncN72e69WcaGSYSB39e0orn1f4EWSpXQRaKwWAwpFV6n+p9unaL8Ae/Gk1WzBzFMIrsLsJHzvH/4Sn/vDr+YEicsAqFbewu+50JPUm+4dKfy+JNVUD4Mz5Byh1JfWvCYE0T8Lzqx5MA7sBs+MTj2afZXFPbQf9va3QCRUlywWC6YtQC2I4RPIrX9AndTOnp1+FFaVb8y8TVzVxhAwmE/oVM0uXJq3wwe8eROu6izfjnlzjx1WRuHcPT9Wz00RbBWygKYhd9WtyF7/4UDrdsKXLhK6FngP1eFxC+M557S1T8B9RZg/vPWcvpYt9aERhsS/+PzXiw535oDhRjlHzDdeppM6jCZ1N/LrHsarxGSUDEiZFupwnLoZqfR3t38WzIPvgGfHKpMGY6DMGOwdb8HZu0v1NNH6BlTbwKAhxkZQfPlZpXcXNzzlp17X6KEiySLuk0X4HRVO3VavgzT8eXO2b4a9d5dywfL+WeHM2/AJFF5Yj+zdP0Rx4wYvR6Ra/xRfUstdfgOyt3zMq/sacE5MXNcCt184rsDx4aKS5MuWQ4aB/Xe3SK/95H//fy3fI1QBVTMNQaLwNIB9AJTcadlCGT8TZvNcVXAFkoIpaaISegxNhYtL1aTlPUKkwoBHDRO99/8A+qE9VQN6YNuw33oNzq7t0FechdglV8BYvRbanAVgRvNBD6pc4LHDsLa+AevVDXD27lRivdfKvsai4z5ZBBGg1QRKEo1bqNH7UqooTmnetkFfuRqxi7150+fMV93amoUkBffIARW1WZTzdmCP8taoPhXV5o2EKoiTX3cjMjf9JkSqL1C7BXzV2Qw49kISRC7vqujOSWfHVsbEC0YsHgjjhb6MHn0rkxSi8C0ifA4+efekdCydn1Qhsc0ibXD0GtUnfbjo4FC2GFxrEc5h7tmG9K9/CnPXVu931U51+SVJALqpRG19+Zkwzjgb+tIV0GbN9Xqc6vpUyUB+TriqQjVlM3BPHFFl9ZydW5Xk4p445hnnqonRZVBuznhwwVmtQFiAyNeRBa6+v1AkoeZthZy3NdCXLIc2a55qJM10Y+r3l5tcdeuxIbLjat6cvbth79qm1DUpXXgekGnmTc59IoXsVbcje90HfI9I8CUapSqSNII9q4kIh47lMTRul29qF6C/c3Xja3ee2x+IWyp0wti2+wT2jNPHAfZPAPrhx84vmZdAb9poWtLTGcNgrHoOiUuE/ZkixqwApIwSOIc2dBSpJ+5C4vUNYMVC7RO+RBykyl2rjvCsvx/awGzwvkHVtJjFExP5KlTMQ2TG4Y6c9Cp8jw57Xg9lwcf0C94HMzzJImwDZyOQqombr6GinPbH5fNmgKdS4H0D4INl8xaLn5o3KUlkxiBGhvx5G/HmreQmne409+/nzFmA7I2/gcKFV/pl94InC6ky95hG4Lkj+YKLvYdzqkJ42RI5CuCzMXH00RsuOjeYewVylRp4ekcBmczoMq5p3wdwDXw7xKxeEwvnJFqyEvcYXL2qQZLFgUyxZl3QhsE5WD6LxGvPIvnsQ9CPHT61maeDWph0Sh9mZVIK+f9XGmqp538jE+RHXFaPuuws5P4TBU/iaMh+WGnelJG3/H3/vxudN6lu6AaKq85Txk1rxdmnrhkC4rpUl4Nn8uPDRRwZKpz2OwIeZOCfddMDJ+88I5itHvoZdO2qOB5+deQgwfk1gMsBKCF5POeoiLREXGv62eRdQlyjqraMtKGh19SUehIY5IkWTyF3xa2wl56F5IZHEHtrI3hufPpFWmsht/I8mZ/PEWs9+zRMSBJTcSA6IIp1ShuYZt7Q5Nz5a86ZuxD5992A/KXXq3iLMKvEa4whFmDryxIcR2AsY08ueZJnhPvStjZ8dUBkgbD7kpSgxXWHET0MYD/852vLL5m1WyJyRxDyNfJTJI8Mxg1FKIGeF+TVDbQXr8TYh38Pmds/BqSCdbvVC7n55CbUUt1NFhPws1vleBV5hOqnqwGNoXDRFRj59B8he+0HfONmuC0lTK3FMgwVIK+WyTtTQsEJ2EagpygdjLGzhLYQxs3npJFnsc0EPDohfBMwlnVaqpMBX8qwpinhJ0kjFN1LCIhYAs6KVeADCegpUpshdHWA+XaKpE8UscCSJ9sG5geSTRBHk3VFG76vynkhaP0GCu+7BvayVd6NQ7BXlENJF3oI0oVLGBm3J3OdlN0eEpq265o1wbqo26bpfvj8noJLdO9EvU/m5eyP5+yWDmaXCDmnemVxiYGYrtysYZz/jAjEuYoI5GWbWG0CI0DyKKkdcUBPea9utVU0gpI3R81ZEuEQLj+dYOWzQUxXwVisTRXhJVkE3dVMXi5bcJArTE40o4Mc9P+z9yVQclTnud+ttbfZRyONdoSYRUIImc2WhYUWsEViHib4OAbs45N4g2MH85I8h9gJNjbmxA7BwHNYEoixXjACO/HDBssGIctgErMaSSCBJCQQQpq1Z6ant+qq+nPurapRa6ZnNEtVd8+ov3OaQV3dXcu997v//v9cVzXfs/yKZkd/4JXX0SzNeZ5Av2XAlfx+uWDA2bEmqkJRJj9LMpaNkDV6MBdXSRpDKrKWPWaK/ORAjkVdUd2oMjdoiS9uz9hvun8tNx6BhtnUhjWpH2qMzNyoybxXKeIpigHhANIcCxd/Tvkv/szIHqfG55k7pDGeHSd5WXXGrQhQJafurN+wbEe6ME+MaiYi9mtbrX71w23+31/RCOPP37cct790sLddrvopGC4GUMvcep+JlIn6am3SEgDngKRpQ5PkgjVbOao0GbWmgu60/ynpxyff8HT4vMmKPKKwh/37+MePN0VmE29fOFMw4pnZJ/6FfdyphHyClfLIgo0hP/PfUlTxCvxemOMZ8builgjUSlnCfjHslztsSf3PS7u1tK8ndFFUT32jHiPLYk/LoP8CsAlu2ns8kRP5JVORMgyLkLZsREf5Df5QG3QV6ZyNwclWGC8Ecnqb2OOJSGQjJ/IpyAcTAztOHj7W+xESISf6oME3scmmQYwFLl3EE4awYZwY+seelmD990+bKZDZVVQN+FNnzuKyejeBHvH6mzhBJyYGUlNzffLHkzTH7mGiyQyzwuqobthJn5tLGGqoFE6SCiYFR410JIzgBk1mTEgXfi9bLwx8cOSa6QHhkRfS/xa/siWYrajoJjNNVYmBPQngOe89i4D4gCH8yVO5Ta7LDZr2mOHgMU1Gg69eEwJJMkgtUipoBb7A5iqkrAbGF8wN0vLbjQq3o1nvgCGaLJ9o68R2yWK/ba3a6Ps5PRSdMC5uj6BKo6ME/HhIyoBT87M/mZvy+GVMGrOUHz9Xva6gWvNRGxNeEr2iX0wXEECqJog+KKiiwZb/v+/FXQxPYQfQZYMeshQ5/ollK30/r4eSOOWYotlkS79kwFDTDLKB3oEcjClmmDqqiT2masJZf1ZEFZZrf1L4ZNiqXtFIphFIC4FkJRCVhKsiYUUJJDbGdKWLYSX4bID9GjLboanB2mVKQhirz6iBoutdNrDZ6wrvVQuKD0xdyuBkMZgbvS0B3BaLUy4aDHe3kpiYgBURY5qAwZEIfU4xR8CqCP/FgWQOydSIAr8dJNPmTX/fEN+4LOL7efNRsrAfRVHIluwnAfzKczQSHI/JyECUiSNj2UgNbxUw/Bok5sMSJ6fRkRaafuGWpyiEZ1YNJupNV+RAIjpFNfCcjZ5+Y3gypc3A/r+VTj7zr1uCry1bMsJY36Lj0lWzemyZHgRwDF47AtN2RK4pBlgJ1SQ3etFgcnu2+lT/2fGSCMKoKCblDybGi7iE4eNwKZIUiFcEbipFPGE4rTpOPHSACJujsfrU57T6AM58IkoaWPzi8zaytvlbEH7qFPtwxa7BHBLJEUadCYMzcSJnwyyQ4ZbK2Rg0pn4OAS7iaq6IW+GL8ofEYIt6GgU63E0SMmOIBBD+Dc8pkDbRN1JdN8DYQ7KivLSuvcr38xZCSQnjvPfJqNGr0mBCytjjvW/ahJ7+rJA2pgouRfQbtvCccGGDk0jatEXKu19h4kLE1ULTP7HjlAANSRi+tTt0q2gFEaAFN0iLqyLGyLCDVxiZD8mKVrQmLyWf4etbY0jJyk4C+zdOpHAHIJm2hGriB7haEjcs9GT4y0afYYMxyVdd0xFxS5WrXcG4QQAxyVcjtSjoG4DdwkP/YA79yRFBWn0g3KdC27e+Lfhq6x5KThgc1aqSY8zeAhKNjwSEAXTAEE1Z/NgIuFbCVRP+IteIFPaxcjOpuqMTV1D2YJLkmxtcl4OzW3htD7v7jeF9dvgk3moy/FwOKUVVgstihm9srcLL/z54hGT8AMARDBlASZQey00xAnQ0SFzvVBVhrJoqbE0XzZwrRozyh4jM1aa+K6uSM3/8TizzYFmE7r6sCDcYdoa3iPCDJWc1dK1tLY7twkNZEAbHBZ9pgpKj7cREBKhIKeUPKZE2haQR1DIUxip16sYqUriEUQZVdwOqRTmT4NQvmVrqtyzIQg2MLLyYi77BEapIhoh+OCjj+WMHit/UumwIY0N7FMbsZNKycB/Afu+9z+d/T78hEm2CinJQJUkUZp3s4DMuIXIRVy4tYRBjhdPsK8gDifYOthqa9C/wzSUqJNPgyCKdtdAVHxHRyf/xNDE82KA3GOuXFj9/qWwIg2POW4uQaIjsJ6K7hipzuapJZzxbyErsG1RZEpLGpEjDbSPgFNEp0WJ1i8Jg1YcgzV7ge/MdX+D1fi2xrYcT+2STBT01Vg3wHiyb0MVVEWNEAONhEO5sjpnvrn+jLrDzj4WyIoxzLmSoZhoZdu4JG/SjfNUkmTaFPjelJssngS7LLmlM9JsEW9acDMgSgmwb0qJ2hC/7LOQ5iwIvajsh2DZYrBryuetBsdrAa2iOCU6sqoaJloaWhGThf4vD4egdMNA/UhVJA/QvhiJvz7II4bK+QK9hNJQVYXD80QIFkUjVIBjuAfC7/GPxgRz6T+zs5DsEaSjKxElD7FqlIwzGGGwzh8G+OOQzzkb4ii9AXniGK2mUWEWxLbCaeoQ/cg1wzkbkiJXukrgkpihuo6Lxf01ybV1aABmoHkQmasos5BXh+JUF9mCVGjLev6QmsGs4GcqOMDgubovByDUeIOB7AA5575s2oSOeFYVPAyUNt5XduNUTkYA2eTHXL9iWhe6Oo8jlTChLViDy8S9BXX6+E1BWClXJbX0oz1+KyJ9cB+2CDyOZSsPIpEuadsMlQVsef/EcjyyCSFf3wB9HNmejozfjVNI/8fAek+F7lx5qOLyutXgxF4VQloTBUVWVhUzSNiLikkYS3kM1bHT2BmvPwAnqyXjOQqLBr62GSpqvKoHQ+c4hpJLicUFuPg3hK66FvvpSMD1cXLuG6CimQF35QYe4lp0v3u7p7EAunS5pop6QBMdpoC4GWcC1W3TGs07i5YmH4jZwZ5ZZzz/TWrSAzlFRtoSxoSUEPRTO5oD7AfzHUK4Jc7qm8Yc71QS1k4FPkqiqjMvl6kQPllbCUGQZx94+iK7OjqH3pJpGhC79NMIf+xzkuacNNWEKDK5UITXORXjTp4RkIc87XRzK2TYOH3wLOSMjVKhSwYnKVU4qYHjekKDJgj+y7v4s+hIj3KQ5Am2WGB6OhKLmh9om79nxC2VLGBxr28KI6OFugN0G4Pn8Y/EBQxiHgha0NVkaH2kIwiiduEguYaR6OrFr56snXpqqQztnAyKfvAHa+y8Bi8ScRsV+EgcnIssCC0WgnXsRolfdAP3Cy8AixwOLEolB7N/zGmRh8CwNYTDk18IYu8hSVFMCN3DCjbfo6TMKDcdvJJvdqYYifZvOiAV+HeNBWRMGx8b2GCLM2knALfn2DC5cdMWzGEj43zZgOFRZQkxTx3alMSYkjFKaF0VncJjY8fQ2ZLIjg3qEivK/Po/In14P9az3i8UtVIepeCxs2zFqhmNQV64WpBS+4jrIC9tGJOO9/fYhHNyzG6EAmhFPBLY2dt6PJkmIqScZbx/gef86ejLIjWz5+RqzpVu+c/bLBza0BFsUZyIog9DEk4P0KCnZ5JMmSd9nwDe8niamRcJIpCgMsbAS6GL1dpx0zhQNkUaAsZIX0SEQ5sRCePm/n8Ou3btx3jnvG/EZpmhQ28+Hsqgd5oFdMHb+DuZbr4ESfYBl5jU+LtAAeXgXdVWFVDcLyukroK54P5TFywRxjIYdO3Yg3dOJUHstqIQRqU791cLjpIt4nODCvT3wX88YFjp6ssiMbBfaScB3SbJ/d8vrF2JNoFcyMUwLwljbGsWONwcNK515EIQFYPgSH1t+jD/sYz0ZzJ8VRkgPph2iB0+nlZiFjGnhxOZlDLYeKSlhcKmruSqMROfreHjLFqxaeRYUpfAQc1VBXbEaats5sI69jdyB3bAO7YXVdQQ02AfKpl3pw/2CxABFE1KJVNMAefYCyIvboJy2HHJDsxO0NgaOHTuGx372M6zRJLFzBxlPMxZI1PMMu56j48TvpaiLRLIijKFh8nmbxeBIj1+SiP1gkOUebQxVm2tK7BUZjmlBGBxrW2LY/maqbzCTuF0leSGAP3GnsbAsH+3JYN6sMDTVp8K+o4BPprBr00iZ1gkTn7yyb6VaDESoD2mYG9PxyKOP4sqPXY4PfOADY39J1SEvaBEvyqZg9/eC+rpgD/SCkgOAlXPuSQ9DilWDVTcIQyqrqhXSynjx2M9/jl1/eAVXrVkKmWHMequBgjnFc4gLUO41iKK9RfCEeBAekd6ssF0MI4scQA8Rwz21oVh6XWv5qCIepg1hcKxriWDnS5kjR+TkzYxRA3/Ls54lUqaQNJobw0JFCRLMjdWQJCZUFK9CubC+MwmMzJIY9cjdJZfNqsHW3+3F7XfcgdbWVtTXj690G9MjkJsiQNN8X69rz949+Od77wUzDSyujZY4jIy5xmlnfLi0E1FlXzKWxwNbkEVGGO2HHyLglxZwa5KqOj/RWp59bsre6Dkc++vSqIprrwHsGwB25h/rG8wJm4ZlU1GWK59sMU1FSHbEWFFYVpJLGljJd+/ljVXQdRWPP/EE7rvvPuRywRuGR0MikcDt3/8+Xv3Dq5hbHcG8WKh00gWcHjK2FnIkRUVGTPOnvMF4wCXA7r4sevsLePcI/wXg5lmmfnBBrPTxFqNh2hHGFUvqwOo1MiPaszbR3wPYl3+cM3dnTyaALu2FIQJ7NAUxVYHERd0iibWjgd91W30Mc6rCSKXS+Kc77sC/P/QQLKv4yWiZTAZ33nUXfvzww+LfS+tiaAxrJTR4kpAAZT0kxqsYxs2hMwuyMNDVZxQgTNppgb7WFDNeOlCfweql1UW5pslg2hEGxwdX6ogylWSb/ZKIbvaK7sBdMD2cNHozQvwrBphrXQ9HIq7xr3RbKL/l+VUhtDXExG7a3d2Nm775TWzZsqWopJHNZnH3PffgtttvF8QlyTJWNlUhpARrYxoT/MSSDD0cDaQVwKindUs0dMWzhebkARBuSqeSzwzaNbjqtKaiXddkMC0Jg2Pd0hD0cCRnZ9gjRPRtAEPhjd4AeepJsSCpOpgSXL/O8YDvZDW6igua64QrmC/Uw4cP46+++lWxgJNu2HiQ4CR1y3e+g299+9vo6+sTRtO6kIpVTTWlb/WkyGCinmdxBomPR09/Fh29BSOT3ybQ15MmfhGLVdtrz4gW5ZqmgmlLGBwXtUcQqQkZKsk/ssn+B9G92oVHGp1FtGmILu6lTnF37RgfmFuPhrAuJqwsy8Kt+Xc33YS/ufFG7Nu/P5hzE+Hll1/GX3zlevzjbbehf2BAnNsmwhn1MfEqbUEwEqntIpekCNdxfA4WlCze4xudRew/6mNR8yNnBd9TxA9Ma8LgWNce45JGyrJy94Lou4VIQ0TSjdGg2R+Qo46UQcUriwjLZ1VhZVP1kL7MF+7AwADuvvdeXH3NNfjX++8XJOIHOFHs378f//Dd7+KTV1+Nh7c8AiOXgyRJLoExfHB+PZoiWsniL5wLdWthKMF7IPh9dsczo0kWRwn4Zlqy/l8oFDHWtZWf+3Q0TCu36mi4sC2Ep/b0p8xs5m7R6JSx/wNAUDafn70DhohgntMQgqpMtGzK+MFkRRRmKTX4PdfqCi5e0oTt73SLycuEg8DZH1548UXs2bMHWx55BFd87HJsWL8BixYtgq6PfyFxkkgkEti7dy+2bt2Kx37xC+zevVsQhZxn+OWfa4zouGhhoyiaWyxj9KjXrWqgkwSZTQXMq5gVzzp1LUbe7zGb0a2KxTZXRWKZjWUYazEWZgRhQOSc1GD7nv5ENpv+vyCZwNhfA2hEXps5vnA4aehBBHd5u5eql00h3vULG9BaH8NrXQOiaK0HRVGQSqfx1LZteObZZ7F40SKcd955uOD889HW1obmOXNQXVODcCgEVVWFsTSbzSKVSqG3txfvHD6MXbt24fkXXsCrO3eio6NDfIYThTzMS8Sf+bnNtVjVVD28J2gJQI4EGKBhOifKSWacxMiRpzgC4FvMZD/SI+H02tbyt1kMx4whDI6d+/fjzCWnJ7NG7p8ZkGMMfwNgyOzcP5gT7N/cEEI4gDBykuWSp7h74Dvb4poILj19Nvb2JNx+X8fBpQ3+Mk0Tb+7bhzfeeENIHDU1NWior0ddXR2i0aiQOvhnOMEkBgbQG4+jLx5HMpWCbdtDv1MoBJ0vmIiq4LKlc1CjKyWXLsRDUDUwWfV97EXt2ZyNY70ZURWuwO8fBti3sqa1OVoVzaxtmX5kgZlGGNd/9Bzx9+m9ycHBdPZuldlpBnwNwFDoYiJlwrLSQtKIRfy8facaNXzsqDXFqxEqwBUtzXhs/zHs7U4UrHLNGHOkAlkWBMAliO7u7sJSEmPi8/zlEcVY4BLF+XPrsH5hY5kIXeSojLL/wXWprOnkhqRG1OLk2E+Em3Ky/JNwWDc2TlOywEwwehbC+rYoYmE9Y1nshwT6WwIOeMe8Eu5HOtNOc1s/J44kl7xMXz64NNVWH8XH2+ZBkU+uhnlEwKUFRVVHvhRFkMvJiAKuKlKtK7hq2XzMjuploI44IC3kezsIvgm925kWfwtgNxF9VYL5aLUeMi5ZVh51LSaLGUkYcEkjFI5ksoweItD/BvBK/vFszsZ73Wl0xTOi98OUZQK3ZydKnOI+HBJj+ETbXFwwt66oMSn8VBef1oRNS5pK7jUaAh8XPj6iFsbUrom5Bt3efkNsPunsiJKRNoDnQOwv+tOJn4XC0dxFLaWvmDVVzFjCgDCEhlEdiloZK/W4CXwFwA53IMXc8eooHu3OCAKZYu8zEVnppE77dQdTB9/ZF1SFcO2qxZhVpJ2eP9cldVF84ezFwltTatPFCRiqtjV58LmTs2zhMj3akylUX5aLGr8khq+8p9T/prG20S52S8OgMKMJg2N9SxThcLX1R8sHfkvAlwh4lAsY3nHPg3K4IzWaSDl+8Jmkh9xKU+WzSvhO+JHTmvCZFQtFwlyQV8ZVkSpdwZfPWYLz5tQUVaoZD4RKwqZmw0ilHZW2q88JyBpezwIMPwLh+tnp9AvNGmhje/nmhkwUM54wODa112HrgTmYk1V3G8T+CsDdAPrzP5NMW0IP7Sk8CcYJJiakUxPDr6ufOkiUnWP4/MqF+OgZcwSBBHF5nHxlJuHTKxYKNYiVsP1IQTB3fITxd2JXxtz7608YeLczhf6kWegnugH8k2GzrymKcqCnoRGbWspI3PQBM8pLMhY2tUZwV2cvVnSZ76Zz9A0myQdB7AYAi+EKB1y0PNqTFUbRWXU6QtoEXa8M7oSUyq5VIVdFZkd0/N3qFiQME08e7BT2Db+ms01Og+I/bZ+HG85dgpgql42h0wENFQJy9snx1zFlboUsvpn0DuSEe7jAc9sLYt8zrNzD1ZHq1EXt0ysga7w4JSQMD19uqse+dBNULdSvEt0DYl8B8Pshu4YrvscTORzuSIv6GnzOj39ReUa18nysfAGfXhvBty5sEwZJclUIP35XlRiuXjYfX1/dIlLYy4ssXIFCVHYPjXtAvY8Npky825EWqekF8pIsgG2XbPaltK5sDumh1BE75fvllwvKc2YHiM+dy7BxWS30cMTY06k+RoTPAXiIz4v8z6Uyjp56tCc9IYMoO0lF6lKD747t9THctm45rlm+QNSwnOziJvf3miI6/vKCpfjGmlY0R/XS5ouMBckljHGMJhNRm7ZIXjzcmUYiXdC+xdXafyGwaw+dZWyLauHcJWfW4urljUFcfVnglFFJhmNNSwxP7UkT2bTLytl/DWa/DtjXAmwB8rwoPX0G0hkLjbU6qqOKKMs36nogcuIwZM9tV576KyeIRdVh3LymVVTnuv/Vt7EvPujYIKSTqymcEPhLV2SsnlePL65ajEsWzxI9PMpOssiHdHK3N3PVq0G3+bcgikJSJsN+EO6CLW1WdSXevjeMC5eXPo8oaJyyhAHX7crx9K7+Y6k0u00OYScj/CVAawAMZSglMxYynWnUxlQ01GiiOvmoULlKUv6PlS/supCKL5y9EGvm12PLnvfw60OdONiXQtZ07C/568rjAYkBtSENZ86qwmVnNOOjp89Gc0wfIpGyBpf8+PiMcp1ef9PeAUNUbssVjs/JANgGYv8oE3tWCYXNde3lVdk7SJT/zC4CspEqhKRB49iRmscbmrreZJCuA8PVAGbB23VsEhMpmTEFadTGNFFs+MS550oYAWZD+glvga9orELrB1tw1fL5eP5oHC8d7cP+eBLxjIGMZYuQ8piqiHqcyxqrRDLZyqZqYUSFG3dR/iBHVdRGBk8JadIipwNZvyHUURSWD98j4AFidP/83tSh3rmNuKjl1CELlK3MXCL8+rWsKDWfysZjErFNNsP1DDg/X9ogd5eNhhQ01mqigZJQU+AY1aS+Y9A3fxus87AbUTg9wCeC7N6HYdkYNCwkc5Zo2sQJI6LIiKqyKMevuG0Cylr9GA6yQdX1MK66Eda8Fqdbm6t+pDKmIAonz4gKaSxZAM8wRncyQ3vSCOUy7y5pwBcjp97yqUgYebhkuY5HX9iJusjiwVd27f3Jme2n7SawzzLgkwCakeeP55MrbVjCrtFQrSGsK068luzUW5huU8kzYHIojKE2pAiVhQ0dJ7fpGSE3jXjiBLjlB7wojIxhCTdp/2BuKFqzAFm8Q8BmInqgoaHxrYF4ArVSCH98CpIFKoQxEh8/7yzx9xev9FAItKeXWV8Py+oOybKvBeFDAISD3RNje/tzGExZqIkpqKvWEVbKo4jOVEDuf4IJ7yoRyKmIRqqGrGGifyAr3OfZnD2aeToBYBsBP5AZns3AyBhZAxevmDlRm5PBKedWHS/+eFUD+vUQoqFIetPyHz5myezzRLiZgD35UT8ir8C0RQn5d46l0NFnIidNb8KYqbCYgu6ELcbpWG9WkAVGkoVFwB9AuJEB183pyT7FFDUzT5+LC08vn0zkUqEiYYyBy9ucVOQdb6QQSSQODyjybRroSTD250S4nAFz8z/PRdyujIUaU4VuuzPx1JRcyw6MgIytoGOAkNOs0YblEICfMOBBi+zXNcj24+vm4utllH1calQIYxxY2xrBjURY99qAyRheNixjnwTpcYD+DMAGALXw7BtMgiXrQgYhrwF6RY4rHcjtuWxBjAtJciGy6Aaw1WL0QzD2nCapab4wdM2okMUwVAhjnLiVMdzq/v+2N5OJeL/xRFi1f8+YfYkE9mkAqwFUC8LwXHfkuvzdNIaKtFFEUB5ZuLAU3Y3CHbLNxAn4jQ1sBqOnGyy1PxlTsWEa9AcpFSp73ySwoSWKpjodqqb0bNra+GML9FkQbgDYdgJL2uqwfAU+cS3nNZPsiOUKThLeKx+CMARzi5DuJ4jhy8xmX5zb9M5/arLW310lV8jiJKhIGJPEh5Y62Yj3HXkPp/WGjuy05QeWU+5XpKgflrOD1xGTzhnxJZc4OJlUJI4AYB+X6EbBAEnybxhhC9n2UwsPNnYebR3A0c5VuHRlZTDGg8pT8gEPPLUP85pnw4aEubduUuc1Nd0hkXntSb8ouTaOyihMDZ7qcRLpzdCqXzzSdsk1zzVf+cayBQYkTcG6ikQxIVSmqo/o/LOPgGy5RY7KWySNnT2uL7E80qiMxsQwTqIY+niWOqxk5jNq63lb6/72lqCvbkaiYsPwEUcHeyTI8kYi1jLuxU+j69wVjALvmU3QJkRgs0gNfczc/+r0Lt1dQlQIwye896kNmB2b3QyGy0GYeLklcnVwa0LFoE4t5BPFRJ+RQ+ASA7vEIuns+OcvC+QSZzoqhOET1m7eBkWS1zKw84dijSejYuQtiomI2zMa+V6myZCpZ2R2sJBJ7Mp4OlkJ25wE/icAAP//iFU60gIwwN4AAAAASUVORK5CYII= - href: 'https://datacenter-gitops-server-mypattern-datacenter.apps.region.example.com' - location: ApplicationMenu - text: 'Datacenter ArgoCD' ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: golang-external-secrets-operator-group - namespace: golang-external-secrets -spec: - targetNamespaces: - - golang-external-secrets ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: external-secrets-operator-group - namespace: external-secrets -spec: - targetNamespaces: - - external-secrets ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: open-cluster-management-operator-group - namespace: open-cluster-management -spec: - targetNamespaces: - - open-cluster-management ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-tst-all-operator-group - namespace: manuela-tst-all -spec: - targetNamespaces: - - manuela-tst-all ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-ci-operator-group - namespace: manuela-ci -spec: - targetNamespaces: - - manuela-ci ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-data-lake-operator-group - namespace: manuela-data-lake -spec: - targetNamespaces: - - manuela-data-lake ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: staging-operator-group - namespace: staging -spec: - targetNamespaces: - - staging ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: vault-operator-group - namespace: vault -spec: - targetNamespaces: - - vault ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: advanced-cluster-management - namespace: open-cluster-management -spec: - name: advanced-cluster-management - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: release-2.6 - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-broker-rhel8 - namespace: manuela-tst-all -spec: - name: amq-broker-rhel8 - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: 7.x - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-streams - namespace: manuela-data-lake -spec: - name: amq-streams - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-streams - namespace: manuela-tst-all -spec: - name: amq-streams - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: red-hat-camel-k - namespace: manuela-data-lake -spec: - name: red-hat-camel-k - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: red-hat-camel-k - namespace: manuela-tst-all -spec: - name: red-hat-camel-k - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: opendatahub-operator - namespace: openshift-operators -spec: - name: opendatahub-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-pipelines-operator-rh - namespace: openshift-operators -spec: - name: openshift-pipelines-operator-rh - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: latest - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: seldon-operator - namespace: manuela-ml-workspace -spec: - name: seldon-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: seldon-operator - namespace: manuela-tst-all -spec: - name: seldon-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic diff --git a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index a1c34b947..000000000 --- a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,2058 +0,0 @@ ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: open-cluster-management -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: openshift-serverless -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: opendatahub -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: openshift-storage -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: xraylab-1 -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: knative-serving -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: staging -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: vault -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: golang-external-secrets -spec: ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: mypattern-hub - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: mypattern-hub - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: mypattern-hub -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-hub - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: - golang-external-secrets: - name: golang-external-secrets - namespace: golang-external-secrets - path: common/golang-external-secrets - project: hub - kafdrop: - name: kafdrop - namespace: xraylab-1 - path: charts/all/kafdrop - project: medical-diagnosis - kafka: - name: kafka - namespace: xraylab-1 - path: charts/all/kafka - project: medical-diagnosis - opendatahub: - name: odh - namespace: opendatahub - path: charts/all/opendatahub - project: medical-diagnosis - openshift-data-foundations: - name: odf - namespace: openshift-storage - path: charts/all/openshift-data-foundations - project: medical-diagnosis - openshift-serverless: - name: serverless - namespace: xraylab-1 - path: charts/all/openshift-serverless - project: medical-diagnosis - service-account: - name: xraylab-service-account - namespace: xraylab-1 - path: charts/all/medical-diagnosis/service-account - project: medical-diagnosis - vault: - chart: vault - name: vault - namespace: vault - overrides: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: LoadBalancer - - name: server.route.enabled - value: "true" - - name: server.route.host - value: null - - name: server.route.tls.termination - value: edge - - name: server.image.repository - value: registry.connect.redhat.com/hashicorp/vault - - name: server.image.tag - value: 1.10.3-ubi - project: hub - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - xraylab-database: - name: xraylab-database - namespace: xraylab-1 - path: charts/all/medical-diagnosis/database - project: medical-diagnosis - xraylab-grafana-dashboards: - name: xraylab-grafana-dashboards - namespace: xraylab-1 - path: charts/all/medical-diagnosis/grafana - project: medical-diagnosis - xraylab-image-generator: - ignoreDifferences: - - group: apps.openshift.io - jqPathExpressions: - - .spec.template.spec.containers[].image - kind: DeploymentConfig - name: xraylab-image-generator - namespace: xraylab-1 - path: charts/all/medical-diagnosis/image-generator - project: medical-diagnosis - xraylab-image-server: - ignoreDifferences: - - group: apps.openshift.io - jqPathExpressions: - - .spec.template.spec.containers[].image - kind: DeploymentConfig - name: xraylab-image-server - namespace: xraylab-1 - path: charts/all/medical-diagnosis/image-server - project: medical-diagnosis - xraylab-init: - name: xraylab-init - namespace: xraylab-1 - path: charts/all/medical-diagnosis/xray-init - project: medical-diagnosis - argoCD: - configManagementPlugins: [] - initContainers: [] - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - resourceHealthChecks: - - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - kind: PersistentVolumeClaim - resourceTrackingMethod: label - imperative: - activeDeadlineSeconds: 3600 - adminClusterRoleName: imperative-admin-cluster-role - adminServiceAccountCreate: true - adminServiceAccountName: imperative-admin-sa - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: - - name: test - playbook: ansible/test.yml - timeout: 234 - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: - region-one: - clusterSelector: - matchLabels: - clusterGroup: region-one - helmOverrides: - - name: clusterGroup.isHubCluster - value: false - name: region-one - name: hub - namespaces: - - open-cluster-management - - openshift-serverless - - opendatahub - - openshift-storage - - xraylab-1 - - knative-serving - - staging - - vault - - golang-external-secrets - nodes: [] - projects: - - hub - - medical-diagnosis - sharedValueFiles: [] - subscriptions: - amq-streams: - channel: stable - name: amq-streams - namespace: xraylab-1 - grafana: - channel: v4 - name: grafana-operator - namespace: xraylab-1 - source: community-operators - odf: - channel: stable-4.11 - name: odf-operator - namespace: openshift-storage - opendatahub: - name: opendatahub-operator - source: community-operators - severless: - channel: stable - name: serverless-operator - targetCluster: in-cluster - enabled: all - global: - clusterDomain: region.example.com - clusterPlatform: aws - clusterVersion: "4.12" - extraValueFiles: [] - git: - account: PLAINTEXT - dev_revision: main - email: SOMEWHERE@EXAMPLE.COM - hostname: github.com - hubClusterDomain: apps.hub.example.com - imageregistry: - account: PLAINTEXT - hostname: quay.io - type: quay - localClusterDomain: apps.region.example.com - namespace: pattern-namespace - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Automatic - useCSV: false - pattern: mypattern - repoURL: https://github.com/pattern-clone/mypattern - s3: - bucket: - custom: - endpoint: - enabled: false - message: - aggregation: - count: 50 - name: BUCKETNAME - region: AWSREGION - secretStore: - backend: vault - targetRevision: main - main: - clusterGroupName: datacenter - git: - repoURL: https://github.com/pattern-clone/mypattern - revision: main - multiSourceConfig: - enabled: true - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: trusted-ca-bundle - namespace: imperative - annotations: - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: trusted-ca-bundle - namespace: mypattern-hub - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-admin-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-admin-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-admin-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mypattern-hub-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: hub-gitops-argocd-application-controller - namespace: mypattern-hub - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: hub-gitops-argocd-server - namespace: mypattern-hub - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: hub-gitops-argocd-dex-server - namespace: mypattern-hub ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/job.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: imperative-cronjob - namespace: imperative -spec: - schedule: "*/10 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: imperative-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: test - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "234" - - ansible-playbook - - -e - - "@/values/values.yaml" - - ansible/test.yml - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-hub - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-hub - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/core/subscriptions.yaml ---- ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: hub - namespace: mypattern-hub -spec: - description: "Pattern hub" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: medical-diagnosis - namespace: mypattern-hub -spec: - description: "Pattern medical-diagnosis" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: golang-external-secrets - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: golang-external-secrets - project: hub - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/golang-external-secrets - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kafdrop - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/kafdrop - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kafka - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/kafka - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: odh - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: opendatahub - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/opendatahub - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: odf - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: openshift-storage - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/openshift-data-foundations - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: serverless - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/openshift-serverless - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-service-account - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/service-account - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: vault - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: vault - project: hub - source: - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - chart: vault - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: "LoadBalancer" - - name: server.route.enabled - value: "true" - - name: server.route.host - value: - - name: server.route.tls.termination - value: "edge" - - name: server.image.repository - value: "registry.connect.redhat.com/hashicorp/vault" - - name: server.image.tag - value: "1.10.3-ubi" - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-database - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/database - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-grafana-dashboards - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/grafana - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-image-generator - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/image-generator - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - ignoreDifferences: [ - { - "group": "apps.openshift.io", - "jqPathExpressions": [ - ".spec.template.spec.containers[].image" - ], - "kind": "DeploymentConfig" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-image-server - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/image-server - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - ignoreDifferences: [ - { - "group": "apps.openshift.io", - "jqPathExpressions": [ - ".spec.template.spec.containers[].image" - ], - "kind": "DeploymentConfig" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-init - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/xray-init - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1beta1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: hub-gitops - namespace: mypattern-hub - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceHealthChecks: - - kind: PersistentVolumeClaim - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - - resourceTrackingMethod: label - applicationInstanceLabelKey: argocd.argoproj.io/instance - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: hub-gitops-link - namespace: mypattern-hub -spec: - applicationMenu: - section: OpenShift GitOps - imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQwAAAEMCAYAAAAxjIiTAABtCklEQVR4nOy9B5gkx30f+qvqMHHj5RwA3OGAQwaIQ86JYBJFUgyiRJHm06Msy7QtPkkkre9ZFml9T5ItW6YtySZNijkiA0Q85EM6AAfgIu4Ol/Pepokd6v++qu7Zm9udmZ3QPTML9I/fcHE7O9011VW/+uc/R4QIESLUiYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA39E4PIEK4uPduQnzVCDRiIOIQjMDAAJA6LggAo1M/S2AT/1cGOvU7kv8jBsbkdcn7tfw3995jROqCrutgDWZj6XmTLxZhJiJ6iu8y/HDDBswaOBu6yyH3rEtFMIfDYRx6UWeWUdQ1xnXOSbc1YRK0mO5S3AXFGbEYgBgHmRzQAGYAjHk8IWmBbDDmcIIlOCxBKALIOy4VdWIFMGZpGhwXwo05wnE0jbjG4QoHBo/B4QyCGI4sjuPz/UanpypCE4gIYwbiVy8dgx5jSHAd4Jp39MsnKQg3n9uHe986Eou5RpoIAwAGGKPZAJtHDHMBzGHALACDYOgjIA1CEkCcATFf6tT8taFNrBBP+nDlXbyf5BCYJAz5yjJgnAijjGEYwBBAxwCoFyMcJ2LDNuMjNljmxl0566U1aUlC4IqK5OUZNMHw/No0vs6iZdmtiJ7MDMJTb2dgFQVcYSNl6Bgby2lIxOIQop8YLdQJywWjlYyxFYywRJKEJAwAvQBS8AihXXYrt0QmAMYAnARwlED7wPg7JGi3YLSHEzukA2OOqxeEbglT0lA8DodiuOPcmBRw2jTcCPUgehpdigf3ONCzOXW0M9/kQKKgua4+QKDFYOIMRmwNY2wNAWcxYCGAPikpzADblA2gANAIAztAwE4CthBhK4F2c7BDI+gdXkCjwjYNtUiZYMi6PfjQhZGdvpOICKOL8K1rCCv+5zg0JsCtIrJunMMspHXwxZpgaxnDxWA4D4QzAMwH0FOvxEAT/zcJPhlVOsjLf0cVPktlRtAp12YNLy5BwCgDDoNhFwibiOg1AbxlAIfZsMiwOZwcMlEQWXzkgoWNXT1CIIgIo8NY/04WTtZWOjyLWRgb1vV4zJnHGFvNCJcBeB8DzgOwAFC2hmkJopwc5KbncvMyBo0zcM6gaVD/Xfr3xEv9redDUWThf04yA/meFPWTSO1uVxCEfBHBdcn/t/d7+SLh/V052TSgYbieOkMHQXgTjL8gBNsoSOw4kjlwfNnslS6Ts+YCKZ7EunMjI2o7EBFGh3DXGwWktDzcvAOXyNC4NodrdCEB14DhcgCrAWWkrKpeTGxE/zSXm13TGHSNwdA5TIPB1Dl0Xf6OeyShMfV3vJwQGtvI/s1PCRUlEpE/FXkowgAcR8BxBWybYDkCtnrRBNFMJrZpINWYIwC2AdgggGeInDdN2zhRSFpukhKw+lO4Y3FEHGEiIow24tEdeTDHUv/99F6NXbEwNw9g5zGwGwi4lgFrAPTXkiKITkkNmiZJgSMmX6b3U/5b88mBsSobkSprJ0Gg0v3IlzIkSSgCcQSKNqFouSjaApYticUnkSrq0SS4BJxkwGYQnmSMnmYCb26+cPbQeZtHldGHx5K48cyIPIJGRBhtwN07c0gWbMSdHPIsnnTJWa0x3CjAbmHA+QDmVSKJiRPYJwgpNUhSSMQ0xGOa+m/5u5I6MRFUFRYbBICJgDCftCRJeAQiUCy6yBddFCyPVMrVmRokIlWXwwBeg8CjxOkJAtut28U8j/cgbzn44MWDbft+73ZEhBESHt6TBc/YKtrxNV2wtTlawDitA9idDLgOwBIAZqXPlk5ZqVoogojrSMY1xM1TBMHKjI1dzA91ofy7SJVGqi1S+sgVXOSKLoqWUOqNmF76KALYA+AJIjwAwV65/aLBo49uHlVLXaTjuH15rC3f6d2KiDBCwBM7crDzOeRhGRqMFTqx2xjwQTBcDC9o6jSUJIkSSUgJIp3QkfBJQqoYvu3xPYPS93UFKZUll3eQlQRScOA4njEVtSWPYwBeIsHuFZweExb2mZrraskUbj473b4v8i5DRBgB4bHNNohyakZtx4mD03ncxYfA6AMAO9uPjzgNJa/kBEkkdaQTGkxDUzaIctH9vYwSKQifPLJ5F5m8g3zBVcbUaeweOYA2E9jdBHrAFWJr3IxbBEImlsRHz6wo5EWogogwAsBj2/JwrTG4jpEApws46BNgeD+g4iVO83KUpAlJCPEYR48kiaShJImSqvFekiQaRYkYlORhCUUc41lH2T7c2kZTm4BtINxPhF/mdXpzrk2WlUzipkjiqBsRYTSJB3cRYoVxCBAKtpvQiS5mjD5JDB9gwNLJRszSQjZ1jlRSQ2/KUHYJ/T2obgSFUgSsI0hJG2NZWxGIJBJRfXG7AHYR4W4CfkEkNsWMmEXE4FAP7jg/2hK1EM1OE3jknTzY6CgsGAYHzuMcnyGiDwFYWYkoOAdipoa+lI6e1ClpIiKJ4CDJQwjAsl2M5xyMZmwUVN4NVZM4JHHsIKJfMmI/Fba2VY/ZLtPjuOXc3raPf6YgIowG8MiOLLjtYtR0eCpLq8DokwB+C8BZfobnBCQZaBpDMqahP20gndKVhyOSJsLFhNThEjI5GyMZB9mCo/5dZbE7ALaA8EMi9suhkeHd8+bMI8OI4frVkX1jMiLCqBNPbilini2wV+TmgdNHAfwugIsmu0ZLRJGKaxjoMZBK6jA0T+iIeKK9YL6tI5t3MJKxleRRgzgKAF4Ese+Qyx/gsfyQafbjhlXJdg+7qxERRi3QX+DxLV/2KkflKeXq7o0M9EUAN/rp4qf+1CeKdEKfIApdqh2dG30EH566QsotOzxmTUcco0TsEcbwj8TwvK7reUPTcf3qVLuH3ZWICKMGntmcw2ExwvqFeY4g9gUw+gSAReV/o4iCA8mEjsEeQ3k8dC0iim6EJI6SxDE85kkcrlvVxrEHYD9yGL5jFrHb6EnSDWcn2j7mbkNEGBWwfnsWju2gAGvQcNlHGMMfEOHCcjsF+QswGdMw2Gsqr0dEFDMDijiUjcPByTFLeVYEVdwMtlJTQP+DhPaAHuNjOo/hvUwcEWFMwtPb8jhycjtPJRZeqHH+hwA+4letOg2mwRVR9KcN9d8RUcw8yMVvuwJjGRtDYzYKRbe8znE5jgP4KZH4h0R2zhZ7MEe3rHlvqigRYfh4ansejmPBtZx+wfFxEP2hKlZTNkdyMemcoS9tYFafqRLAWGTMnPGQz7BoCyVtjIxbsJyK9g1BDK9AiP/quuy+WMIcJ8Zx65qeTgy5Y4gIA8AT2zLoORbDyf7Rc4jwr3xX6YRUUTp1UnENs/pjKjpTiwya7yr4NZSVfWNotKjsG5XVFDpGjP0AwLdu75+1+6mxPK5f+97xpLynCWPDdgsZkYddKCY457cB+AqAdeXBV0RQ4VmDPQYG+0wVqRkRxbsXjEElt0lJY2jMUpmyFWBL7dUV9Demw59gSd2Sf3fnRVM013cd3rOEcf9OQj5zBGnNmAPBvshAXwKwuPR+SapIJ3TMGYipn+/d2XpvIl9wcWKkqELO3cpG0V1E+G+c0fc1XR9maQM3LXt356W8J0swP7k1i/s0oBfG+RD4zwz0tclkYWgMcwdjWDIvoVSQiCzee0gmNCyam8D82XFVl6SCZHkGY/iPBPZXdtE96++W3oXHt+c7MdS24T23DZ7cnsdQLq8nubgJwNcZcMXksO5kXMNcKVUkDVXJKmwVRHUM4gx+SyK4ROpEi9A9yOUdHBspqszYCpAqynqN2DfGdPZsWmPitjXvTvXkPUMYv9i4FX2xhXBdN80gPkOeveKM0vvkb9r+Hh1z+mOIGVpbbBUGZ0jpDDGNqS5gEg4R8i4h51eZaiem5rlMdTS+F3sLMVXnhDA0UlS2jSqRolsE6BuWW7wrFU/nIdK4ZW23t4hpDO+JR//jLW9gCT8PY7mTc7km/iXA/gDA7NL7ckuYOlNEMdBrqkzSdkCSRb/J1c9KkIQxZgdDGl6LgFK7gFL5f1Jp4Or3pWK901XsUXV9/ALD8KqO89JPvwp56ffvxsUl52gsY+HocFHVHq3Qr/oQIP6rzdg/9SXNkevO7OvQSMPBu/GZnoaHdo1jtZXGlvzRlZqmf40Bn/T7e0xAqiDzBj0VpF2Qm6vf1BDXqj8CuW/HLYGMU9FSXxXC7xvi/SSl4oiJl0cQCDh+pPQtSsThtTJg0Bib+O/S798NyBddHDtZwFhlFWUMDN9hTPtbztiBmBHDtavfHdGh746nVwWP7y7ixsdM/PryoQsY2P8L0J3yYJ/4Awb0pQxFFnGzPSpICTHOMBDTMJ0wU3QJw5ZbVcooSQ6SFBzVD0Qo+4dQ0gR1hQuY+VKJRyBS9eMqAE6SyUyVROR3smyB48NFlZci53/S9yiA6BfE6D/kkNuZzC3BHVdonRpuYJiJz6ouPLZtDBaBk128QiP2DQDXln9fqXbM6jOVGqLr7S9mk9I5+szpnVRyIZ4sCthljCHKCMIRXpEY0SXkUC9KjZcUcZQRyEySQJj/LIZGLUUczlRLtQvCr4m0P7/9wnWvPrzjddw+wyWNmfN0GsCj28cwUjjJepC+GcBfAqrloPquKhBLZ8oLMthnqgXaiY3WCGEMFV0labg+QdjilIrxbkFJbTG4JBGPQGYKeXh2DRtHTxZQsKfYNaQ++bQQ2p/tjw2/uNSZTXecP3Mres2MJ9IAntyWw2hhVDdIu4Nz/k0Aa8vfjxkc82fF0ZvubFesmMYwYE6vkuRdgcNZGwXXPdVe8F2OkpvZ4Fy9tBlCHtm8gyNDBVV3o4Ix9GUC/mxkvLh+4ax+cf0MTV7r/qfQAJ7cmkMxm9dIFx8Gk5IFW1N6T260ZExTZJFOdt7VJYlCEkZsGqPn0ZyN43mrrWPrJqg2DJI4NA7TJ49uBfONoYeHCip1vgJeg8CfuIX842Zvn5iJtUO7d/YbxFPbcsjncgZxfIQxSMnizNJ7pEK8NSyYlVAekW45pSVZSLVEr3J6jsrFlyueZr94L0NKGaZPHgZnE42kuwle5quLI0NFVYi4At4gwp8ULfuRVH9a3LJqZmW7dt+MN4GHNmdg5jLcNrTfAGP/yS/KOwEpUSycHW+bJ6QkUnM/A9KpYWvQGZDQGRI6h+Y/DkkQY7aDE3kHtmjMpfpeQEnqiGkeeXSjumI7QqknI+MVSWMTCXxlXIw+tii5lK5aM3OaRnffTDeIJ3YUMDw6qqdM/f0A/TWAVeXv96Z0LFC5AO2O3OQTVvS8S8jY4rT7u0SwXIGi6yoRSP697ovbRVeo92r01ogwQcwecZhdRhxecR7C0aEChsetSl64112Irww4vY8X0kQ3zhDvSffMcBN4/u1R7M/FWS/GbmVgfzPZwNmb1pUaUiVxKFDIvZ7UOZI6m6JilAdgiTKicMpUjfLxzeiH0iHoXUocjksqwOvkqDVlDRLwEhG+nEmmNgwIC7ec3f1Rod0zsw3ivjfzGGAnWEYkrgaxvwPo4vL3lWQxJ4FYyPUrmG+LSOm8pgHTEqS8HTnHOY0oIgQLSRxxnzi6wcbBfNKQksbJsamkAeAZIvZvDE3bWDQ03Hl2d9s0Zmx6+4p5Qxh3kxeB8JcAXVT6vXwgvUmphoRPFpIfegyuQrxrkUUJUqqIDJjhwhECWdtBxnaUJNfp2VZJjRrD3Flx9PdWbIx0FWP0F7ZwzlrT/uE1jM5TcIO4fwfBdEZRKNpnmlxKFqrpsReUBaAnoWPRnLhqTRjmYpEEIcnCrNPNl7UF9o0XahpAIwQLKWDENE299A67Y0s2jcMn8pUMoS4BPyMSfxoz4vs2bn8e/89Hb+/MQKfBjJMw4sUhFB1nvs7xNQC3lpNFKq55Bs4QyUKuu7QvVdRLFlKoGLWciCzaDDndBcdFxrLVT+rg/KsC0hrzggZTU7wiUj79DQ3831lFZ+Cy867szCDrwIwijPXbx2A51KMR/i0H+2R5IlnC5IosErHwyMLgDH2mpiSLOjQQhaJLOJKzMFys6F6L0Aa4RJ6aIkm7w25qU+dYMCum4oImrdM4Mfwe4+L/zhdyyce2jXVqiDUxYwjjV5sc2IWsyTn9Dge+ICcY/ikiH4Jk7mRcD40s4ppXuyKh1ZddqZLGCg72ZQoYKthtL4QTYSosITBuOcg7TsekDXlXKQHPnx1HMsYnu1t7wPBH3NV/czw7zp/a3X3l/mYEYTz9dg5HR10moL8f4F8BMFh6T9cZ5s2KoWeqmBcIVCFgXwWpVuhmMrKOwIGMhUO5IvIN1rKIEC4EEXK2q4yinZI2vDQF3+U/NQFxPoCvxrl5neMW2XO7u0vSmBGEcfL4OFb2jl0AsD8DsKz0e8a8Kll96XDa8ku1o9fkSgWphyscQTiet3FgvKhsFlS50nSELoDlCqWiFN3OkUYqqataLNrkFpsMqxljXyvm7NUjue6KAu16wli/PYdESltCjH3NT1OfwGCv14EsDHe77tsrUjqva9PnHIGDWQtHcxaKYmrptpkJVvZ690HZNiwbOdvpWKkAedjJQ2/SgST13usZ8BVOuVlP7Mh2ZGyV0NWE8cTWHEat8QQBvw/gzvKV25P0+oWEkb1o+rU2a5XPK0EVUCk42J/xpYqZsr0ky3IO4pp6Qb04qMS+RGDkggnHe5HwzkVV+YZ7f6/ppz7L+IysDiyfV95xlVHU7YChSS5feegN9FTynLCPw6XPZfPZ2DO7c20fWyV07RN+9BULNh/XOKdPgOHvAMyF/4ATpobFcxOqb0TQB0NMY+g1qhfmLYflqyAjRadSibbugqqTJ0VfpjY/s4vghSx4bhxabhQ8NwYtPw5eyIAV8kCxAOY4YK6jVjVxHWSYICMGiifhJnogUr3eK9kLN9kDMpMg3fDvQX4J8plj7ZVSZVLXVUJbOyHXjWULHDiWVy0aJ/HuXgH8YSqtP0DjBl1/YWfraHS+MEQVaEszEAfpAmL4tyWygO/LnjsY89LUA16LUqLorZFuXo6sI3AsZyFju+rf3UcWzDu+5E/hKnLQxk7AGDoI4/h+GEOHoY0PgWdHwYs5RSBMJcIJ+BWEQVK/91V8mnxdKY1IcjDjoEQabk8/nIG5cGYvhj13CZxZC+Gm+xXBqM8oAuluA7AjSBlDk6Qhprev/qaqWm9wZc+wHKEaQ5etp2Uc+OPMeHE7UrG32zaoKui+dQ5g/bY88vn8bM7dvwPYp0vjlPt47kAMcwbigUu/CUUW2rTxFaTqVDg4mreVwazrJlBJEhxwbejjJ2Ec24fYwR0wDu/ySCI/Dji22rxe53lWmt2pKoXa45I4PAI5/T0q+0meRCElGE1TJOL2DcKZtxTFxWfBXngm7DmLIeJpb2ySOLo4iE3OQkLXEde1tmpZ8lYnxywcPlGYrB5JXfcfXcG/lk6lR69bHY6Rv94xdhWefyGH8WTRcMn9EvfqcapsHDl9/WkDC+cklJQRJBK6VEOmJ4uSvUKqIU5XqSDeiS83olQtzMO7EH/nDcQObId+8ognQRB59gnWhBGTCMIh1N2OzVdHpAJEmg7R0wd7/jIUl5+D4srzYc9aBDITXS11yBmShJFQpNG+Jy2El6h2YnRKlbUhAP8uyXq+f+35sY5NWveseR8/y55A7w52LTj9r/LaFjGTY+m8JBIBqyL1ShZSXD2Wt3Gy6AVhdcfE+UTh2jCGDiG++3Ukdm6EeXQfWCHnbdgAjZHk+GpKo/OvvEakpA/RO4DisjUonH0ZikvXwO0Z9HsldCdxxDWOhKG3LWVe2TMcgf1Hc8jkJ9cGZa8R4fPxROr1G1bH2zKeSuPrGjy2Iw9nPDuHdPwPBvxmaXycM1Uxa6Bytl/TiGue63Q6srBcUu7Skhek8/CIgjk2jON7kNyyAfGdr8EYPgK4TqgeC6mekNMEaUxcQChpRySSsBedgfy565A/6xK4fXO897uwwlhM40i2mTTGczb2H82rhLWyu7pE+A4Y+xPu9A3fdkn7TZBdQxgP7RiFm3cNjdw/YEz1EZkwBw/2mipPJMgWhjEV6j09WRRdgUPZU8bNjkMShevCOLoHqc1PI7H9ZWhjJ70TmvP2PFIhVZRTBtGmoNy2Qnle7IXLkDv/WuTPfh/c3tkTKk03od2kIXFsuICjJ4uTyXmYiP3b/HD8n5ckkuKyde3dwl3jJel3NIwy6yKA/YsSWSgXaoxjdr8XbxHUEjK55zqdjiwKqsR/l5AF81x9+vARpN58CsnNz0EfPubHRkiJoo1dtTgD17ln12g2doExkByz68DYuxN9h/ciseVFZC+5GfmzLgbF07600R3E4UWEOm0jDXmHwR4TubyrXK1lGGCMvpTsL7ywb3B4W+gDqTCujmP9tjwK1ngfU5Wz2O+WxiVJYuGcOPp7glNFvIzT6etY5B2fLJypPSbaDs7BCzkktr+I9MZHYB7d420m3uG4Oylp2AFJAyWJI55E/uyLkHnf+2EtPMsLCusi+0Y7JQ15i0zOUfYMyzlNNZGz/vfksD/n6b7s7avbd+53hYRRyKlONXeAsQ+U17foTeuVagc0jVKFrGnJQkoWOQvZTpOF79Ewj7yD9MsPIrnjZWXMLEVldhzysRnwSaPFa5UkjmIByU3PwzywC9nLbkH2ghtVcFi32DaUK525SLbBeyJ5OJXQlUquVJNTkJviE0Lnj99h/4cHQx3EJHT88Hx6SxY5O7cSxL4Nhuvhk0Xc4Fg6PxlYfQv5RXtVbkjtr1wos1l0liw4mJ1HcusL6HnxfhgnDlSOlegCtGwIrQThAoaJwqoLkbn6Iygu8h1mXWLbSCiXq96Wx2FX9ZrgPpf4F1OJ2NHrV7cnArTjx5Rj2TojfAIMV5R+JwWAwT4T8QCL4aT8it61YLmEI1kL2U6TBecqCrPvqZ+i/7F/hnH8QFfnajCNgekBLyUpRTkOEltexsA9/xPJN59SXqGSLafTKDiual/ZDpg6x6y+WKUyg9drTHyk4Ii2TUpHV+AT28Zh5YsXg+EHYFA1UEtFfJfMS6q03yCQ8N2ntTQRW1X19lynHQXnMA+9jb5nfo747jc9/b1LNsl0IFt4UaEBgwkXIplG9n23YHzdByFSfV2hokj+Thm6qhkaNogIh44XMDRmTd60LzKw3zNjia03nJ0MfRwdW4m/fJtg5wopMPZZsFMBWpJFZ/WZgUVzGpypAji1yMIlLyiro2ThSw/xna9i8KH/jfjOTac8IDMESsoIIXuYuAaWzyL93P3of+R7KnpVSSAdhtSO8rYLuw01NThjSuo2p/bYuUiAPmHbblsKZ3RsNV6YewmuhnVg9FEAE0+/L22o1oZBnFMlI2etzFP50E8UnM7W3GRegljqracx+PC3YRx5p30xFUGCyX3Mwhm2JE7HRfL1Z9D/4P+CcWR3V5CpPGxyjpetHCa8EANNuVonTa/JgE8JUTz/8e2FUMeAThHGl39F2MrOTDOw3wawBKWMPZ1joNcILEArqU9f02LEcjCU72DNTcZUCnl60xPoW/8jaCMnuuL0bBoaAwurpL+fnh/fsQkDD34b5sEdXTFXjiBVhCdse6yc1f4ew3MEnH6vM0D4tGNZoeskHSGM//IbDIz0axlwB07lSqKvx1C1DoOY+LjfjawWMrbAsVwHE8lKZPHqI+h76ifQMqPd4S5tEUo1CXFCiXGY72xF/0PfQWz/tq6QNCxXqOLCYUIVEDa4crNOWiY6GH5DuNYlT20Lt3Bw22f6nh153P/a2ACH86mJojjkTcRAjxGII0Bn09stSvkhHSunJ8lCqiGbnkDvc78Cz2ffFWShILWSkIvQENdg7t+Jvoe/q4zE3SBpFF1XEUeYUE6BlFGpQv4yBvoE2SLUrLS2r9DdAtA0+yoGuqW8zkV/rxlIAyJ5wZTBagZneUbOTgZmMfXkk289g75nfgGezzR+SpbnW5RqYKB74hSYFn7MiJI09u1QhlDj2J6OSxpSrc23wZ5h6EzVs51UnpKD4YMFN3/pE9vDK+fX9hk+3y2mOfAJAPPgr++4qaEvHUwQTExjSExzug0XHWW76JhJkTHEd21E77O/AM+ONbXQmWmCz5oFfelS6CvPgL5yJfSly8BnzwYMo/PEwXzSCBnENJh7tqPviR9BHz3WcUnDEYR8yPYM8mvapqaUemCLieFjjm2HZstoa2j4kzuyyOez6xj4zaXfKemix0DMaL3Ohea3MaylimRtFyfyHaxpIUXpg9vR/+RPoI8cb3yBMwbePwBt/nzwZFKKa6e9rQkBkc3CPXoUYni4o3kYkjDIZaGTlzKEbnsVvck+jNzyWa+yVwcJU6olOndVAZ6woGtc7Zts3ik32MstcKdw7R8/sbXw4o1rgtdO2iphOHYuxcA+Wi5dxEyO3lQw0kVSr50nYvtFey3RKSMnhzZ6TAVlGcf2NUUW2ty50JcvB+/p8ats0ekvSSg9PTCWLYc2b15no0NZ+5JoJS8m3ngW6Y0Pe4WLO/i9yY8EDbNRkrxHOmkgMdWWsQKED7mOFUpcRtsI48mtGbgOPw9gt5buK59pX8rwbBctHgimxhRhVIO8/MmCg/FOhX3LjWzl0fvCPYi/82bjBk4i8P5+aAsXgU2ncsj3DB3aggXgAwOdTRHnIcVlTIZcTJaF9IaHkNjxUsfD6F0irwF0iPfQNaYcBZMyZzUwfMh17TMf2xG8x6RthGHbri6I7gSwHGWVkvvSrXtGVIiuzmrWt8jaQpXX69zWYUhueQ6pN5/192+DX9owlMQwLVmUQKT+Vp83H8yIdUxEZ6yNCXOMg4+PoufZu2Ec29txr5NUTSwnvHwTpqQMXdWMmfR4zwTo9iEKXr5ry4w+9vY4HNdezqAIY+JL9CR1xKYGoTSMOGeI11gcjiCcyFtKJemM3YLDPPy2yjplxVzjG0hKFz094KkGdXNJGqkUWE9Pw0MODMqB075ZJ8ZhHNyDnufvbc77FORYVPazG1qDJFIek4qHbhwMH+wtZhY+viVYj0lbZtN2MgycbgJjq0u/U60I00bLA5BrMWnwmntwpOh0Ll1dnnq5cfS89AD0k4ebs+IzBpZMNXdicg6eSnVURGdtjnKXnJrY8hKSW5/veHS9PKyKIWa1ysfak9K9HJPTeekiDXTFz3YEK2SEThgPbBaArc9mjEnpQrl7lMEmoQdS6yKh1TZ0FlypijgtlZ9sFXLhJnZsbH7XMAYuVZFmN73ZwmeDAG9zHQ9JsIUc0i895KkmHY7PKLoiNAOoF/SoVXIc9AvBPvhbZ+YDLZQR+kwuOsoBMi8EnWqkzBlT1bRa7YuqSelCZ1W3oZQETxaczjUcYhz60EGkX39cdRbr2Kbtgliudu9Zqb5rRw4i/epjYE4H597vZ1NwRGiPQX613pQxNcOb4eqi45zzzNbxwO4V+mPcO3DcAJzbTw/U4qr0WKu7WEoXtTJRc46rupR1BCpPxFZJZU25UMtBBGHbzRsuLavzgVzt8paUQxASbz2P2N7NHZcyLBFeGrxSwWJapfahiwDc4tp2YHpJqLP4g82vI8axhIGuLw8D70nqyljTyhqWZJqoUUGrJF3YndoojKsOZMmtG1rfrESgbAZoRhd2XRXI1WnCaGf3sLKbgo+NIv3a46rJdEdjM8iLzQjrMWgaU1LGpPPTAMNNlmDzz3j404HcJ1TCOG7tBQO/sryDmfxiPQEEasWnkS7GbbdzMRdgSgVJvfEktNETrZ9ujEGMj0NkGlz08nOZDEQmOJG0abDOkAaBIbbrTcR3vd7x2AxHCFgh2jKk1G6apxfYYcD5DtkX7bz8h4HcJ1TCWK1fkRYkbpzoM0JAMqap3JEwpQuXCMMFO/QkoKpQbtSdwS5Sx4F79AhIqhf1XJMxkGWrEHHU+5mw0YkhSNUwl0PyzadV39lOu1mLUuILaV2aBlfOhEmYxRi/4b59I4FEfoY2e49uHQe5fCUYu3yi5aGvjrRq7IxNJ11YAlmng2nrdhHJzc9CywwHt0CltDA6Cmf/flBxGiNeiSwOHoAYHekOsgBCKd9XD5SUsWerb8vosJThChUPFAbkV0sn9cnFghlj7FounIXffeNoy/cIjTC0jJAXv4wBKzARrdy6sVNOSlyr7hmRUsWIFX6KcVUwDuPEftU9PQyIoRNw9rwDMTICKCOa77IsvYRQJOG8sxvuieMdt12chk7t1ZKUsfUFMKvQ8TwTy3VVUd8wLi4l+Jg52T5IZ3JiF//ueXNbvkVo2arFJJKw6TqAJUq/S8YrfZnGYPLatS6ytuhsmwASSLz9CvSRAGwXVSDJgjIZsFQaLJ1Wqe4KtgWRyUJkM4Btd/w0nQxJ88Q64+ZV1ar2bIF5ZBeKS88FqHPtL20pZWik8p+ChPyOujyU4zqy+dO+Xy9n7Lr73hp+UG7NVu4RGmFoYEsEY5eW/q3yPRK6qtfZLGEwv/ReNb6Qkt6oL110LBt1/IRnu1DtAUJK1ZQqhzylpLoxNuoTg999zM9Y7TayUGA+aXSCMRgHGxtB/O1XvaZI6tl0RvoqSRmGxgNfp15+iYahMQZxSvXhYHRZgusLAOxp5fqhHIFP73bhOsVLSwV+4VcJSia0lp6RxpkqkFMNeUd0tnEyY6rGpHHiYHuMayVSoLJWhd1IFOXoZLa9KxDf/Qb0saGO2VNKsAXBDcFjoroGmpoqeTlpq61ybPuc9Ttaq44fyqq28rkYgzJ2eqHgfmCJqU/5Eg0hxr16ndUwZjmdSzDzjZ3xPW+CWZ2NLOxasM4SBjEO/fgh5cHqdJKJIAqt/qdSSxJTpNtBxvA+x7FaEntDIIx/A5ec+QAuLq97IfWqVrwjnHmxF9VguaTiLjoGvzhO7MCOzo0hQm2oHJOC11HO7WAfGh+WEKG4WOV+S8r9dvqhxRlhHSPqa+XagRPGq4f/QurXZ6heCSVDjMaQiGstkbrOWU1XqlRFrE7ljPgwj7wDbfR4x8XdrkaHp0Z56w7shD5+suPh4kJQaC7WhMlhGKfbC4nhbMspLH9px2tNXzfwGRs6Ns4IJKWL2eoXfguBVr0jMV7d2OkSMGa7Hc1Iheso+wWzrc7viq5Gh+eGMegjx2AcfafjaiP5HpOgKUORosGVLWMS5migC9YfvrDpawdOGLrWm2BgF5V7YOIxTRUtbRaSKGq5UouqiUwHXamMQcuPw5SLMEJ3Q6kleZiHdqv2lJ0mMEeIUArscMZUGMMkTkwQ2MXr+kdjTV83iMGVw4E7D4S1EzdgXjBJK2Sus9rqyLjlqkIlnYIypp085FUBj4yd3Q9XqP61vJjt+PNyicKplcE8R8Mku6H8x1qL89nNXjZQwrh/I8FxrDPBsLD0O01jSsJoBWaN2As54dmQi61OBzk04/h+8EKu4ydW16MLpoekWjJ0GFqmO8LmbSECD8iV1zMNPiUrnIDltmstfviVI01dt6HArce2ZCpHyHmNvDB0jFjfADsXQC/KWiC2ksrOfPtFNRQcrzhJJ9URuLYiDGV574KWfRGmA4M2PgJ9+AjsOUs7PRglHcuDr1bIQDPQ1WHNkS+e2rNM1aWh1UgmXnxs8yjK3xCq+76Om1dVL9JVN2E8usPGtrffxhmL585nhAu9gjjEAeaC0WGH2Ka+3uFxBpyr8vD9QUjpQmshBFbnbHIyzWmQ0kXH8kYUGHgxB334KDoU9Tyj0BVzxJiKlVE1VrsAwldL9IAPG8YYEqaGEXaaCznOGHsf2fYeF1hCRKafnzdsc/5W3iq+88z2vLhmdaLiNesijB/nx5DfUeRnLpp7E4A/BlPl9uKn5EuW0xmeB6cfM2A1lWWnxk3e0iIxeHUvpSSKnK+OdE7CgKpOrY0NoUMhYxGagSuUWgLhdIWeJAmDVEuR4CAFlpjJlR2jzLAqb/FJAn5TaQKnipTYOtGOHvC/LxbyP39wt5V//0pzyjXrIoxF6wWyi+zzwfCfAFxS4U8kHX0QDBcSoGrak6pbwWAaWtPHirIN8OqZqZZLSiXpLBh4bhQ8P9YV+nCEekHQR08oNzgZ8Y7LPVItkZKGFvAaMg2uVBPHpfLlOavCXRKMcCmAv3Qhxk4Qv7vS9eoyep48gwxAfAzAdA7cJQD61X+Rlz8iB9wspGRRyzuSd7xqzJ3cpiowLTMCrtKmOziQCA2BiIGPjyh1shuIXpJF0O5VqanrmmdDbABLBPDZ+Xa2t9KbdV0pZfMUA84pb0JUD+RAJbs1a2KQbFvLEJR3RWeDtXzw7AiY23mf/oxAt0yRVCULWd+12unBeAdPGO5VTWOqbF8jYMAqLjCr0nt1XcmFK/WKxkp8MU8c4i2ESes1ojsdv3R7p8GkGJkdVYVrIswsMKuo7E/dYnuSazpoxUjZMaZp9DUZUjlwBatorqiLMKiJCgbKHdrgQCejljZjuaSSdzr+qEmoRcc6b/uP0BAY4NhKyugWCEHlNSwCQzP7UK+iFoSWfcN9CaNZMNROZS+6osPuVB8kwKzgu2RHCB9SjZTPruOHjg9lxwg8gsszDbRaR7eE8AiDM8/Y0rT9AjW7sRfc4KPjmgETAlwlnDUAKnuJslf579/N6JodKsm+wWcXIsgPFQj6mprGlfEziEuHUqLPS2nnyuDS7Bg1Zb+ovLLkpBb9LL/Orj3mSRiuVf17kletTxKC/KkCZQU7VQR2UhMJlJr+cPKyrzUvC7vdDY27AqUpIubPI5vy3gQm5o7UMegtHao9Z0RgTufrYpTDDSEeQ+OexzLfUjVPD+HU9CQvLLVZg2cphqOaRuIKz4bRNZhM3eQRAzn+T9cnDSr7g1qXK3+/VJ5T88pQcsMvR/luJQ/yCUJ4BDFBEnU+bgI7nTw076dHuJOfE4GJDrXSrAJ5GMrDJMimT560H8z1QisCLAfYrNrk2S+q7wmbSFmUu2fPeCNREoQkCauMJFoF+Xwkr20DoggwHeC657cKq85w2yHJwWXeHIoWn2y5ZCJ8ElFSGoFp5BHJBA91zyqCX8iaQhCdDb01B0QJoRCGHJiuBtjcCJkvYVSD7YpQrMkNQ6kOmlqYciMLX6II1QZBHnG4NsAsjzS4OZOI4/TnSiWicFm48yZO3csjDqFOJdLMrgjcKkFKFyriM2DGkBK//Jqt2jFCkzCmtJ5vAGof1vi4JTpSqP50cA5WyCG+5RWwvYfg5tvfnXxC3bF90jA7XnWufghAuDx8opgMpS5K4uBgLgMfHlLNjcgwuyKWpmT4DKSvoQ91gGveAd5qA6XQJAytBUZjqK3O2D5hdKo6uIR+eC9SzzyI+JsvqQpOje9UqrxRmjjtJGm4cggOoMUaDrFrK1RHBIdD2F6Ryc6BgRxC4vknwLJ5ZK+6De7cRf4AO3schVEYWPO7Bba6b0IiDNZySb5qHhLhE0ZHwJiyqsfeeAHpJ++Ffnh//U2DSgux1GhI08B0Tf30WhySKhlHjuOddOUNieokESlpyI/zGKDFu88wSg7gFuQ4GxzYhEdp8maetPwn5gv1fXnGwLNjSD7/CIy9O5C94UMonnsZSNM7ShphxBcpr6PcWO40nqNpEDhhkL/hW+kCx2tI9yKskmbTgWtg2TGknnsIyeceUQtt2mI5pY2v66qtoTZ7LrR5C6HNmQ/ePwieSoOZMU86IaGaLIvsOMTwENzjR+AeOQT35HFQLgu4rq+rTUPEkncKHrPyRPeoKMLyxlV3h8Iy0mSmCZZMg/f0gvX2gyVT4GbcWyhCQBQLoMw4xPioelE+57WKlJ/nfJrG1d4EGQd2o/eu/4Pc8UPIXXkbRLLXr/nZfpSfK0GBK8Jo/TrBSxjkSRit5JDwGi5VdRC3RpJNDIhDGz2B9CM/Q2Ljs/4xXoMsfEKTpKAvPxPG6rUwVq6GNneBWuxM12ufgEQgxwblMnCPHoK9cxvsHW/B3rsLNDY6MaZakBuUBKAlPK9Kx0CeZ0dKFnXZKuTcyQOjtw/6omXQV5wJfclK6PMXgfcNgMUTgKZPGNSp9BnHARVycCXZHjkAe89OOHt2wj18wCNcTDNnXAPPjCH92F3QTh5H5taPw+2f3RG7hvCTMaoXdmgctaT2RhDKUuJ1HIQ1P19jO7kihPDZmoPRoJ08ip4Hf4T4Gy+eOrUqwV/s2tz5MC98H8yL1sFYvFydjg1BEqZhgvUNgvcNwli1FnTtrbD37ULx1RdgbXoZ4uQJf3zVJ1qpADlAS3aINMgjCkkY05KFlKB0HdrCpTDPvwTm2osVYfDe/pofU+tEcrecr0QSfGC2Iuf4uhsgRk8qkrXeeAXW5tcgho7Xfn7y966LxCtPK7vU+J2fgTtrftslDQrYtVqSVlo5xEsIzejZSuBJre/lBbY0fenGwDi0kRPoeeAHHlmgij3Bf8J8YBZil12F+JU3qcUeiAxYGkq6F+Y5F8FcfT7sq25C4bnHYW3cADE2XFPaUQbRTpBGiSwK0/2d8OZ56QrEL78WsUuuhDZ7futzx7kij5h8nXcJnIN7UXz5GRRefhbi+LHqtiHfUh9/80WVazL24d+BOzivrZIGTQTvBSdhKKm/W+MwJJO1Iv3U+qhSSZq/dP2QCy47hvSjP0f8zZerk4VcSJoOY835SN72YZirzlMnZWjQNBgrVkFfvBzW2ouRf+Qe2G9vmdh4lVDyoijSaFO8hopLmS4UWbhgPX2Ir7se8Wtvhb5wSTiWWk2HvvQMNWfmhZcjv/4hWK++ACoWKhOT/5xjWzeix4xh/IOfhds70D7SULEYwV5yRkgYTVcKn0bCCN1xrxorW0g+/QASG5+pboESAizdg8QN71cvqWO3C1JliV14OYylK5F79B4UnnnMM/ZVOZmleiJ80ggv5dDDtDYLf2HoZ6xG8v0fR2ztxYDeBl8w12CcsQb6ouUorjoXuUfuhnv4YJU58yWNTRsgUmmM3/EpkBlvm/ckhMoY3hJukTPCkTDk4Fr4vtPkC7XlmcXeeAHJDY+pFogVT27XBZ8zD6kPfRKxy68Da8eCrwA+OAepj/w2+Jz5yD/wc4iRk1VVFBX7UAzX5arC16cjC84Ru/gKJD/0SegL21/mn8UTSqLR5i9G9u4fwN6xxX9j0qT46kni5afgzFmA3Lrb/L8JdwFShfSkltGimaCEcM6aFpms1hcLPQRDnkIHdyO9/h7w3HhlshAC2sLF6PnM7yN+1c0dI4sSWCyO5A13Iv1bXwCfPbem6KxUhZASNKVWpOIsqt3edzEnbrgd6c/8fkfI4hQYjFXnoud3/xVil1zhr9cKi0tKm8UCUk/eD3P35kDtUrUQAl8E4qYN5du3ar+oKWGEye6q72YOyWcehH7kQOWT2nWhzVuA9Ce+APP8y8IbS6NgDLHLrkb6Y59Txteqln1qMB6iAVDRU30qv+mTxfV3IPWhT4P39AU/gCagzVuI1G99XhlbFSod7ZxDGz6O1FP3gY8Ptym4Jfh1Xo0TG0FI37w1D3JtwggX8bdeQvytV6raLPjAIFK/+Tswz7805JE0AcYRu+waJD/yabBUT9WjXpKFCLhujEqIq3pNzwYUv/ompcKpsXURtMG5SH/897xnWk0XYBzmzs1IvPKUz7bhRgKFoXZ3r0oyE8E9F2rixcfBivmphEGkRP/ErR9B7KJ1nRplXYivux6JG+8ENKPqylOBXUGVgiCfLKqpIoJgnncJknd+ovGYlDaBz5qrbEH6spWVVTo/LUAShn5kf9tUk25DSN+647mkTSH25osw9+2svBiIVIxF4rrbur5/KtMNJG7+oAqAqmpQEHUGVNUBYXsSRuU3XWiLliH14U9DG2i6aXhboC9ZgeSHP6UidCuSBtegHzuIxManPWP4DEOrmaoIizCoSiJm10IFaA0hsWmDvxAmSRdCQFu0FIlbPgwWT3ZqlA2Bp3uRvO0jyntSzQiqNnqrtgzyCgZVfOBSKosnkLz1g9CXndHijdqD2NpLEb/65uoSBEGprPqRfTNOylCPqEWtpCu/cS2yCUVzZIC5YxP0Q/umGrTkojdjylinL14e6G1HRkawb98+7NmzB8ePH4fjBHtqGSvPRvyam71AskqnC7VuyxCO3560EohUiHzs0qtbu0kFjI6Oqrl7J+i50zQlRRpnrK4iZXgG0PhbL/mG5S5LCa6Fri0C3EJs1XQfDTIhx7sgA8tnEdvyKphdnKpuCAH9jFWIXXplILdzXRevvvYaHnzwQbyycSOOHj2qftff349zzzkHt912G6675lqkewLQ9TlH/PLrYb36Ipw9b1cM8yzVHW0qArSWdKEMxLPU5gtKKpPz9PqmTXjggQfw8iuv4OixY3AdR83dOWvW4NZbbsH111+Pnp7WjKp8cI6K03D27/GiQSfbs4SL2LbXkb/0eriz5rXB1986vPil1scZCmEIOpVt18wQqUbmTUDtFU6BcWXEMva9XcEz4kkX8StuBO9tPYrz2LFj+Id//Ed857vfxf79+yHc0/WBJ9avxw9++CN88AN34it//MdYu3Zty/fUZs9DbN21cPa/U1HKKBUrboYwSjVMq8G84DIVWRkEhoaG1Nx9+zvfwb79+xVRlEPN3Y9+hDvvuEPN3QUXXNDS/WLnX4bCS8/AfmOjV7OkHGrNHFA1NFRy2oyAH27eYopKeDaMkEpiNVBPpk4QzD3boY2PTlVHhIC2ZDnMc6brQT09pNj89X//7/HNv/orJUpzzqEbxukvXcfo2Ci+/8Mf4kv/8l/i1Vdfbfm+ErHzLoM2f2FVW4ba9E0wu5JOKl1SqnG9fYhfdrXK42gVkiy+/ud/jr/85jexZ+9er0BThbkbGxvDD3/8YzV3r7zySkv3ZOleb/ymWeFNpqTR2M63VPe0MBBk1XAEKGGEQhiixeSZWp/lQQTET4ApF6r5zraqVnHz/Es9q3kLKBaL+G9///f43ve/D9u2oU0+scpvKXVkTcOzzz6rNsmhQ4daureENmc+zHMvqvp+1Y0/DapKF0LAOGtNIIZOx3Hw37/1LXznO9+BZVl1zd2GDRvwta9/XRFzKzDXXOAlxFUkWgZj305oYydDCeQKwzISRO5caBJGK3UJa31SYwEOmjPlHdGPHaygpwrw3j6Yq9e2LNK8/PLL+O4//7MiC16nZV3TdSVm/+SnPwW1+qQ1DcbZ54OlUpXVElV5trFLTjRlqnQx01RSGUukmh+zj5dfeQXf/d73YNU5d/JklnO3/qmn1Ny1AnlQyHmrciNooyf9mIzgt3eQV/QqQFIgtUJDocZWm8rW+mitBkcNQ4q2xw+qSkuVArW0+YtVQZdWIMXAu+65BwcOHKh5Ok4dGkOxUMBdd9+tjHutwli6EtqceZVFCWri9KnWd4XIK/oTgO1CShf33nuvslk0One2ZeFXd92Fw4cPNz8Arql8E5ZMTf2yfo6Jfmhv4EZPFoZKIhBIa47ACYOVJIwWDsVaH5WEUatnSUOQpHD8sGr7PzVTEdCXrlDxDK1geHhYSRjNxPpyTcP27duxa/fulsagrtU3AG3R8uriW4P9VE7v5Fb+BkFb4NUtbRWjo6N46eWXlXG40Q0k52737t3Ytm1bS2PQFy6FNji78vNzXXXgKO9awBs8aJnFFcHU2AjNhuG2JGFQVdKQUikPopWFH+qrDx2rnKilGyryr1WcOHFCuU5ZE0E+UgQfz2SUdNIyuOZ9n2r1MqoRQBVUDfiSUtviFV7tzRYxNj6Ow0eONDV3kmCyuVzLNiBVrHnewqpzow2fUAmLQRIGU1J0sJThlqT+rgzcIsBxRdO7WtSoecHlggwkws4rkqOyDyffy88bCeKUtG27paAiIYQy9gUBfe4CVYG74uSKBoQgqiEGapoq2BsEpGTR6tzJ+W8FzIypjNZq5fykOsvyuWDL6YWwMUsSRqujDMfoqfTP5hPRyW9IWwlywHoQRiZ5CasInh2vNADwZDqQ2Iu+vj4VSNSMS0t+xjRNzBpszUtTAu8fUIVyKzJ5g8F2Fb+OHxXLZ81paZwlxOPxlueuf6D1Z6jNnuu1QJ8MBvB8Vr2CROChAyS1p+p7qhGE5iVREkaTENPYMcyArNJSJWHFYgXaJa8dQDze8j1mz56NM888sykbhjwh58+bhxUrWleNJFgi5UVdVuOLejukqz+uXAxZzhlPB5O+3t/fj9VnndXU3MnNMXvWLJx5RuuuXXlwsIrxJEz1P/Gym1u+zan7Vasf2wLkfgwiZT60XBLbad5TIr+YW+OjkjBaHzjz+otUSjaT95Y6eACVtOQpecdttyGeSDTM8PLvr7nmGixfFlAOi2GCxWJV80oaQ+UPMDOuXkEglUrh1ltvRSqdVuTZ0OiIcOWVV3pk3SKUl6RKNzQmXM9oHiBUEe0Ar0f+fgzClxMaYThu835f8nWuajA4D6Qpi9/Su+I7rNTCMADcfvvtuPqqK6eEM9eC1N2XLFmCz37mM0gkWzcgQkU082AqmtcMlNECTf+//bbbcM1VV00Jo68Fx3WxcMEC/M5v/7Yi7FahGk9Vc+uSAFNt+1u+zQSCWdunIPeh7TRvUyxHaCX6pAgk9aZmv7pTI0Xe4EzZMVr//kFGjVbHokWL8NU/+ypWr14Npw4jnOu6Snf/8h/9Ea699trgBjKd3tGFOVTz58/Hn/3pn+Lss89WJDqdlCbnrjedxr/58pdx3XXXtW2cQSJwwhCehBEEQpMwXOEZPpvdj7UaFmk8IDsG95shV9gp5NiBBuRcf911+Ju//mtcdNFFE9Z/KWaXDLzyJRe7JJQF8+fj61/9Kn7/i19sKGBpOpC8n11FymmEO2s2jqkutTULqZb957/9W1x6ySVqzirNnePP3by5cxXB/MGXvqSMnoFANciuIuEwDtKMwKRR1T8kQL5gikSFkviDGGJoHXeEIBRtgWaTtD2vbOUMNsnApmQNu5XqLwQYBsgwp/IFY6BCHrCDK3zJGMMH7rwTK1euVBmXDz/yiMpYzeXz6tQ3DEMt9nXr1uHzn/scbrjhBpVQFSisQuV07YkxNnKxyuX2ySqqV5CQc3fH7bdj+bJl+D/f/S5+/fDD2Lt3L/KFgiILOXdz5szBussvV3N34403qt8FBbUWSs2wJ7+naSAzFph4xsGClTCYJ120EhdVjtAIQ0oHlt28ZdZVXdorq45yOuMab02ZkCqPYYJUvkOFhZ/NQOSzXgXuAHHOmjX4q29+A1/8whdUFOLBw4cgXIHBwUGsXrVKqS2t1nOoBpHLAPlsxYXfSE6f97eVS/JTMa/mLgysWbMG3/zGN/CFz38eW7dtU0FZruNgcNYsrDrrLDV3vb2tReZWghgfAVWyP0npxoiBAqzCJsmixZU9BXIfBhEWjjAJQ6Jou2qgzbRoU7EcRIhVmbyYzqFx1gJzeg9bqHL3UxvYUC7rNQUKoXeGYZhKJ5evdkKcPAFRqFDgGI2bcxivQLOKMIpwh08grE4tUuqSxCBf7YI7dNyTMKYEDBIokYRIVHZVNwOtxTajkyEP7KJ/cHdtX5ISSqJQs+O0a6jCMc6UHaPp5yRPB92A0z97qtKoFn4B7tHWU8u7Ce6RgypuoCJ4AwuqViii48A98i6aN8f21kG1Eoc9faB4ZSm1GQSWJ+XDMw0E14QmPMJQupPwrLNNzoFTI2FG5wzxVg2CmgZ3zgKQXiFc2nXh7Nvd1q7docKxYVepugVfYmhUwqgIqUoe2BO4HaNTcMdGqhMgg+rsTvFEII1E5LkVSBSzD89bSbBrnbwNIjTCYH4sRdFqnt1cKjVfroyE3rodw5mzUImVlU4IZ/87EKMnW7lD18AdOgb34L7qBs8GuVf9faVLMQb38H6Ik8ebG2iXwT18AK78LhXKN4LrsOcurHzgNIHADZ4ALHlou40f2tW+TV2Ewb1A4IZnREoHRat5w6cKOKlho0jqvLV4DBKqJqMzOHfqA+cM7rHDsPe1nlreDbDfeVvZMCoaPHkThMGrSBmMQQwPwd69o/nBdgvk+nt7MygzPtV+IdWReALuwuWBuVQ1HjBhqP3n2REbvapV5QN1EYbhcilf1nPUyl2Xm0gFIaDgD7gZqJBWUT2k1VBqSQtCEhFEMg17aYV8A8ZBuQzsLZs8g9cMhlQP7M2vKQ9GxcXdBGGoz1RMr/DsP/bWTTNeLRHjI7C3vVWl6JCAOzgb9rxFgfU1DCYL+xTkqApF0YxWPUIaq+jqqpMwjBwx8bi80DR/egxEvwQwqv7FgIItlC2jWd60aqRdS+kiaWitqSWaBuuMcz3X2OQbEWBtfhXOsRaqNnUBnIN7YW17s6qRQm38JiaxImF478Da/hacQ63V1Ow07Le3enasKgYbe9lqiHR/IIFqQdsvAC9DtdC4ScAG8JhOOFHpzboIg5mcOMQDAP4ZQIV8cAVJEt8WjH1LEYe/Bh1HeHaMFiI+p1NLWrIsE8FZuALOvMVTDZycwz16GNamF5u/fqdBAsWNzys1oWLxHAbwJn2gkjAqSiacK/VH3jeUrsJtgJTGCi8/4wVtVSjfKA+Y4llrg8nNUd6RoPKjPDA//kK+Jl1WHvoVyUB+BMADxPE9GGZFd1pd3/bqtUk8+MaRk4LjLwzB3yASt4FjjhoXKfvGEU3Dr/NW/m5dS0hK2w5AOcrlHswVBXqbDPmUXGEJQkyrPJkJjSOmcWQdtzlOEgS3bxDF1RfA2L9r6vuui8ILT8G88HLo8xc3c4eOQp6QVmnjVliQvNqmrwPKjmFULwYs7+tcdjX0Sipfl8Paugn21jcqx2kLAXvhMthLmitbUAl60PYLBuQtV3lJyiBH+6Cu4Veuy24HaCUYvKdPGAPYc4LhJ2u3D+1d+rHKfXDrVppm9Q0grsWHfvXU738bXPuiS/g0EX1KEH2aC/q/bv4vqe+lEulRjXgewGvlhtZ80VXiUbOwpnGvplpSS0idiMVzLobbP6uylHFoH4rPPz7jGvCSVUThmUfhHj9aVbpgZouNbYwqn5fzdvwICs8+BgowxL4dEJkxFJ5+xDN2VmidKaWK4jmXQPQOBOJ2Z2HYLwSQLziT+czSdbxwy9pZv9TA/zUj+jTz9vCnBOFzFud/Y2r63l3nV6+YVvcoL18Ww83npHHHVf8RmqaN6oZxWL4M3TjMNGP8l/8auHHNADbtzbnEaOOEvYN5npIKolHdcASpVzX0GLw1/U+eGAuWobjm4qnvqRrtAoXnnoC1/c3m79EBWG+8rLp3VYOULJpVR+q6BhEKLz0N661gGjK1BUQoblgPa8umygZiqcLOXYjCuZcG6h0JOv7CdgXyxSlkNuw6eP3B14R8aDndMI+qfayrvXwyGU+4N5/bhxtWVW8P0bAC9pFLaoczX3jmIBwnK1WSPQAGmF/tR4pHyXhzsq/rqyVmFbUkrnOlmoyJJtUSCc1A/uKrENu6EdrJE6efyIxDDJ9E7td3KbWEDwZTgi5MuEcPIvfI3d4pWSXAjbcoXSgw7zrCruC8Zxw0Nobcw3epRtZB1EgNG/aurcivf9BLPKxU14Nz5C+4Au7sBYEF9emB1Xc5hYLlVjqkd2q6/vbt5zYf8Bh44NYt5yblxj4EwqbSElJ2jLzTUiOVYg21RGMMabNFbwkJ2IvPQOGiq32ymByXwZVOm33wF6BCrpU7hQ4pUmfv+ymc3W9XJQtm+IQRAJhe41oah7NzG3IP/Ey5qbsZ7omjyN7zY2XorkgWwoW9aAUKF14VaDq7EbQ6QkA+707Os5K/ftkGDbVy7VAiPdOHZ2XB2IuS6NQvGJArui0V8bCnUUvShqZS3lvJLYGmI3fZ9bAXr/Dy68shn6wUV59/wjuBWqhmHSbIKiL/yN0ovvJc9T9igBYLtOMkeKya99G7SeHFp5F77F6vzkgXQpJs7v6f+obOCl+ECBSLI7/uJr9jezDShcaCVUfgR1hnC+5k+0WGAS+OpvtbegDhVNxKqeTxlwAcRZmLJ190myZmyRWFGobTmMYVabQEIZSomb32/aBUeqoF3M/GzD30K+SeerDrFj9ZBaWG5B9/wGsSXGWyJVmwgNNJlS0jVu1NBlgW8o/ei/zj93WdEVRKPrn7foLChidr/BGhcO5lSh0JEsGVm/TAmBfdmbem7LXdBGxKtpgkFwphvO9KBo3FdvpqiYIk5EzOaYmYpVpSLbdEzk2fqbXO1lKKWHMpcpdeNyFVnAbuRYDm7v0p8k880DXRjFJNyv36V8j/+i6/SE7lR6tiJ6pt7BYhCaOqaiLnLZ9D7v6fIy8ljS6ZNzE+guw9P0T+qYerFsmRqoizYAly197pZaYG5EqVS9VsJVK5EgjI5it5JelVXdMOfHhZa/cLLfmMZ90MGJ72I8cUcgXHi/pswVtSrCFlJHSOtK61xqG+6Jm77gMqNqPi4mBcGRNz9/4Y2Xt+BDE23ModW4YYOobML76nJB+5KWslmGmJUJqN+zcAeLxGXIcKt88id//PkL3rBx1P7HOPHEDmR/+E/PpfeypmRbIQEOk+ZG76qLJfVC3V1wR0zlXAVpCQeySbn+JOzRKxZ5b05ls2IoVWQIcl4gKU2wAmDgJYrqRSmxRpxJqstahi411CokpBb6kPSilj3HZb61QtVZO+2cjc+jFo4yPQD+yeagSTJ2ahoMRs9/gRpN7/MejLz2r+ns2ACPbOrcg98FNYmzd55FbNgMb9zRxqyaRTpOTkqjSXkfNWLCL/+P1q3pJ3fhzGilXhDmoyhIvi5teQe/DncN72e69WcaGSYSB39e0orn1f4EWSpXQRaKwWAwpFV6n+p9unaL8Ae/Gk1WzBzFMIrsLsJHzvH/4Sn/vDr+YEicsAqFbewu+50JPUm+4dKfy+JNVUD4Mz5Byh1JfWvCYE0T8Lzqx5MA7sBs+MTj2afZXFPbQf9va3QCRUlywWC6YtQC2I4RPIrX9AndTOnp1+FFaVb8y8TVzVxhAwmE/oVM0uXJq3wwe8eROu6izfjnlzjx1WRuHcPT9Wz00RbBWygKYhd9WtyF7/4UDrdsKXLhK6FngP1eFxC+M557S1T8B9RZg/vPWcvpYt9aERhsS/+PzXiw535oDhRjlHzDdeppM6jCZ1N/LrHsarxGSUDEiZFupwnLoZqfR3t38WzIPvgGfHKpMGY6DMGOwdb8HZu0v1NNH6BlTbwKAhxkZQfPlZpXcXNzzlp17X6KEiySLuk0X4HRVO3VavgzT8eXO2b4a9d5dywfL+WeHM2/AJFF5Yj+zdP0Rx4wYvR6Ra/xRfUstdfgOyt3zMq/sacE5MXNcCt184rsDx4aKS5MuWQ4aB/Xe3SK/95H//fy3fI1QBVTMNQaLwNIB9AJTcadlCGT8TZvNcVXAFkoIpaaISegxNhYtL1aTlPUKkwoBHDRO99/8A+qE9VQN6YNuw33oNzq7t0FechdglV8BYvRbanAVgRvNBD6pc4LHDsLa+AevVDXD27lRivdfKvsai4z5ZBBGg1QRKEo1bqNH7UqooTmnetkFfuRqxi7150+fMV93amoUkBffIARW1WZTzdmCP8taoPhXV5o2EKoiTX3cjMjf9JkSqL1C7BXzV2Qw49kISRC7vqujOSWfHVsbEC0YsHgjjhb6MHn0rkxSi8C0ifA4+efekdCydn1Qhsc0ibXD0GtUnfbjo4FC2GFxrEc5h7tmG9K9/CnPXVu931U51+SVJALqpRG19+Zkwzjgb+tIV0GbN9Xqc6vpUyUB+TriqQjVlM3BPHFFl9ZydW5Xk4p445hnnqonRZVBuznhwwVmtQFiAyNeRBa6+v1AkoeZthZy3NdCXLIc2a55qJM10Y+r3l5tcdeuxIbLjat6cvbth79qm1DUpXXgekGnmTc59IoXsVbcje90HfI9I8CUapSqSNII9q4kIh47lMTRul29qF6C/c3Xja3ee2x+IWyp0wti2+wT2jNPHAfZPAPrhx84vmZdAb9poWtLTGcNgrHoOiUuE/ZkixqwApIwSOIc2dBSpJ+5C4vUNYMVC7RO+RBykyl2rjvCsvx/awGzwvkHVtJjFExP5KlTMQ2TG4Y6c9Cp8jw57Xg9lwcf0C94HMzzJImwDZyOQqombr6GinPbH5fNmgKdS4H0D4INl8xaLn5o3KUlkxiBGhvx5G/HmreQmne409+/nzFmA7I2/gcKFV/pl94InC6ky95hG4Lkj+YKLvYdzqkJ42RI5CuCzMXH00RsuOjeYewVylRp4ekcBmczoMq5p3wdwDXw7xKxeEwvnJFqyEvcYXL2qQZLFgUyxZl3QhsE5WD6LxGvPIvnsQ9CPHT61maeDWph0Sh9mZVIK+f9XGmqp538jE+RHXFaPuuws5P4TBU/iaMh+WGnelJG3/H3/vxudN6lu6AaKq85Txk1rxdmnrhkC4rpUl4Nn8uPDRRwZKpz2OwIeZOCfddMDJ+88I5itHvoZdO2qOB5+deQgwfk1gMsBKCF5POeoiLREXGv62eRdQlyjqraMtKGh19SUehIY5IkWTyF3xa2wl56F5IZHEHtrI3hufPpFWmsht/I8mZ/PEWs9+zRMSBJTcSA6IIp1ShuYZt7Q5Nz5a86ZuxD5992A/KXXq3iLMKvEa4whFmDryxIcR2AsY08ueZJnhPvStjZ8dUBkgbD7kpSgxXWHET0MYD/852vLL5m1WyJyRxDyNfJTJI8Mxg1FKIGeF+TVDbQXr8TYh38Pmds/BqSCdbvVC7n55CbUUt1NFhPws1vleBV5hOqnqwGNoXDRFRj59B8he+0HfONmuC0lTK3FMgwVIK+WyTtTQsEJ2EagpygdjLGzhLYQxs3npJFnsc0EPDohfBMwlnVaqpMBX8qwpinhJ0kjFN1LCIhYAs6KVeADCegpUpshdHWA+XaKpE8UscCSJ9sG5geSTRBHk3VFG76vynkhaP0GCu+7BvayVd6NQ7BXlENJF3oI0oVLGBm3J3OdlN0eEpq265o1wbqo26bpfvj8noJLdO9EvU/m5eyP5+yWDmaXCDmnemVxiYGYrtysYZz/jAjEuYoI5GWbWG0CI0DyKKkdcUBPea9utVU0gpI3R81ZEuEQLj+dYOWzQUxXwVisTRXhJVkE3dVMXi5bcJArTE40o4Mc9P+z9yVQclTnud+ttbfZRyONdoSYRUIImc2WhYUWsEViHib4OAbs45N4g2MH85I8h9gJNjbmxA7BwHNYEoixXjACO/HDBssGIctgErMaSSCBJCQQQpq1Z6ant+qq+nPurapRa6ZnNEtVd8+ov3OaQV3dXcu997v//v9cVzXfs/yKZkd/4JXX0SzNeZ5Av2XAlfx+uWDA2bEmqkJRJj9LMpaNkDV6MBdXSRpDKrKWPWaK/ORAjkVdUd2oMjdoiS9uz9hvun8tNx6BhtnUhjWpH2qMzNyoybxXKeIpigHhANIcCxd/Tvkv/szIHqfG55k7pDGeHSd5WXXGrQhQJafurN+wbEe6ME+MaiYi9mtbrX71w23+31/RCOPP37cct790sLddrvopGC4GUMvcep+JlIn6am3SEgDngKRpQ5PkgjVbOao0GbWmgu60/ynpxyff8HT4vMmKPKKwh/37+MePN0VmE29fOFMw4pnZJ/6FfdyphHyClfLIgo0hP/PfUlTxCvxemOMZ8builgjUSlnCfjHslztsSf3PS7u1tK8ndFFUT32jHiPLYk/LoP8CsAlu2ns8kRP5JVORMgyLkLZsREf5Df5QG3QV6ZyNwclWGC8Ecnqb2OOJSGQjJ/IpyAcTAztOHj7W+xESISf6oME3scmmQYwFLl3EE4awYZwY+seelmD990+bKZDZVVQN+FNnzuKyejeBHvH6mzhBJyYGUlNzffLHkzTH7mGiyQyzwuqobthJn5tLGGqoFE6SCiYFR410JIzgBk1mTEgXfi9bLwx8cOSa6QHhkRfS/xa/siWYrajoJjNNVYmBPQngOe89i4D4gCH8yVO5Ta7LDZr2mOHgMU1Gg69eEwJJMkgtUipoBb7A5iqkrAbGF8wN0vLbjQq3o1nvgCGaLJ9o68R2yWK/ba3a6Ps5PRSdMC5uj6BKo6ME/HhIyoBT87M/mZvy+GVMGrOUHz9Xva6gWvNRGxNeEr2iX0wXEECqJog+KKiiwZb/v+/FXQxPYQfQZYMeshQ5/ollK30/r4eSOOWYotlkS79kwFDTDLKB3oEcjClmmDqqiT2masJZf1ZEFZZrf1L4ZNiqXtFIphFIC4FkJRCVhKsiYUUJJDbGdKWLYSX4bID9GjLboanB2mVKQhirz6iBoutdNrDZ6wrvVQuKD0xdyuBkMZgbvS0B3BaLUy4aDHe3kpiYgBURY5qAwZEIfU4xR8CqCP/FgWQOydSIAr8dJNPmTX/fEN+4LOL7efNRsrAfRVHIluwnAfzKczQSHI/JyECUiSNj2UgNbxUw/Bok5sMSJ6fRkRaafuGWpyiEZ1YNJupNV+RAIjpFNfCcjZ5+Y3gypc3A/r+VTj7zr1uCry1bMsJY36Lj0lWzemyZHgRwDF47AtN2RK4pBlgJ1SQ3etFgcnu2+lT/2fGSCMKoKCblDybGi7iE4eNwKZIUiFcEbipFPGE4rTpOPHSACJujsfrU57T6AM58IkoaWPzi8zaytvlbEH7qFPtwxa7BHBLJEUadCYMzcSJnwyyQ4ZbK2Rg0pn4OAS7iaq6IW+GL8ofEYIt6GgU63E0SMmOIBBD+Dc8pkDbRN1JdN8DYQ7KivLSuvcr38xZCSQnjvPfJqNGr0mBCytjjvW/ahJ7+rJA2pgouRfQbtvCccGGDk0jatEXKu19h4kLE1ULTP7HjlAANSRi+tTt0q2gFEaAFN0iLqyLGyLCDVxiZD8mKVrQmLyWf4etbY0jJyk4C+zdOpHAHIJm2hGriB7haEjcs9GT4y0afYYMxyVdd0xFxS5WrXcG4QQAxyVcjtSjoG4DdwkP/YA79yRFBWn0g3KdC27e+Lfhq6x5KThgc1aqSY8zeAhKNjwSEAXTAEE1Z/NgIuFbCVRP+IteIFPaxcjOpuqMTV1D2YJLkmxtcl4OzW3htD7v7jeF9dvgk3moy/FwOKUVVgstihm9srcLL/z54hGT8AMARDBlASZQey00xAnQ0SFzvVBVhrJoqbE0XzZwrRozyh4jM1aa+K6uSM3/8TizzYFmE7r6sCDcYdoa3iPCDJWc1dK1tLY7twkNZEAbHBZ9pgpKj7cREBKhIKeUPKZE2haQR1DIUxip16sYqUriEUQZVdwOqRTmT4NQvmVrqtyzIQg2MLLyYi77BEapIhoh+OCjj+WMHit/UumwIY0N7FMbsZNKycB/Afu+9z+d/T78hEm2CinJQJUkUZp3s4DMuIXIRVy4tYRBjhdPsK8gDifYOthqa9C/wzSUqJNPgyCKdtdAVHxHRyf/xNDE82KA3GOuXFj9/qWwIg2POW4uQaIjsJ6K7hipzuapJZzxbyErsG1RZEpLGpEjDbSPgFNEp0WJ1i8Jg1YcgzV7ge/MdX+D1fi2xrYcT+2STBT01Vg3wHiyb0MVVEWNEAONhEO5sjpnvrn+jLrDzj4WyIoxzLmSoZhoZdu4JG/SjfNUkmTaFPjelJssngS7LLmlM9JsEW9acDMgSgmwb0qJ2hC/7LOQ5iwIvajsh2DZYrBryuetBsdrAa2iOCU6sqoaJloaWhGThf4vD4egdMNA/UhVJA/QvhiJvz7II4bK+QK9hNJQVYXD80QIFkUjVIBjuAfC7/GPxgRz6T+zs5DsEaSjKxElD7FqlIwzGGGwzh8G+OOQzzkb4ii9AXniGK2mUWEWxLbCaeoQ/cg1wzkbkiJXukrgkpihuo6Lxf01ybV1aABmoHkQmasos5BXh+JUF9mCVGjLev6QmsGs4GcqOMDgubovByDUeIOB7AA5575s2oSOeFYVPAyUNt5XduNUTkYA2eTHXL9iWhe6Oo8jlTChLViDy8S9BXX6+E1BWClXJbX0oz1+KyJ9cB+2CDyOZSsPIpEuadsMlQVsef/EcjyyCSFf3wB9HNmejozfjVNI/8fAek+F7lx5qOLyutXgxF4VQloTBUVWVhUzSNiLikkYS3kM1bHT2BmvPwAnqyXjOQqLBr62GSpqvKoHQ+c4hpJLicUFuPg3hK66FvvpSMD1cXLuG6CimQF35QYe4lp0v3u7p7EAunS5pop6QBMdpoC4GWcC1W3TGs07i5YmH4jZwZ5ZZzz/TWrSAzlFRtoSxoSUEPRTO5oD7AfzHUK4Jc7qm8Yc71QS1k4FPkqiqjMvl6kQPllbCUGQZx94+iK7OjqH3pJpGhC79NMIf+xzkuacNNWEKDK5UITXORXjTp4RkIc87XRzK2TYOH3wLOSMjVKhSwYnKVU4qYHjekKDJgj+y7v4s+hIj3KQ5Am2WGB6OhKLmh9om79nxC2VLGBxr28KI6OFugN0G4Pn8Y/EBQxiHgha0NVkaH2kIwiiduEguYaR6OrFr56snXpqqQztnAyKfvAHa+y8Bi8ScRsV+EgcnIssCC0WgnXsRolfdAP3Cy8AixwOLEolB7N/zGmRh8CwNYTDk18IYu8hSVFMCN3DCjbfo6TMKDcdvJJvdqYYifZvOiAV+HeNBWRMGx8b2GCLM2knALfn2DC5cdMWzGEj43zZgOFRZQkxTx3alMSYkjFKaF0VncJjY8fQ2ZLIjg3qEivK/Po/In14P9az3i8UtVIepeCxs2zFqhmNQV64WpBS+4jrIC9tGJOO9/fYhHNyzG6EAmhFPBLY2dt6PJkmIqScZbx/gef86ejLIjWz5+RqzpVu+c/bLBza0BFsUZyIog9DEk4P0KCnZ5JMmSd9nwDe8niamRcJIpCgMsbAS6GL1dpx0zhQNkUaAsZIX0SEQ5sRCePm/n8Ou3btx3jnvG/EZpmhQ28+Hsqgd5oFdMHb+DuZbr4ESfYBl5jU+LtAAeXgXdVWFVDcLyukroK54P5TFywRxjIYdO3Yg3dOJUHstqIQRqU791cLjpIt4nODCvT3wX88YFjp6ssiMbBfaScB3SbJ/d8vrF2JNoFcyMUwLwljbGsWONwcNK515EIQFYPgSH1t+jD/sYz0ZzJ8VRkgPph2iB0+nlZiFjGnhxOZlDLYeKSlhcKmruSqMROfreHjLFqxaeRYUpfAQc1VBXbEaats5sI69jdyB3bAO7YXVdQQ02AfKpl3pw/2CxABFE1KJVNMAefYCyIvboJy2HHJDsxO0NgaOHTuGx372M6zRJLFzBxlPMxZI1PMMu56j48TvpaiLRLIijKFh8nmbxeBIj1+SiP1gkOUebQxVm2tK7BUZjmlBGBxrW2LY/maqbzCTuF0leSGAP3GnsbAsH+3JYN6sMDTVp8K+o4BPprBr00iZ1gkTn7yyb6VaDESoD2mYG9PxyKOP4sqPXY4PfOADY39J1SEvaBEvyqZg9/eC+rpgD/SCkgOAlXPuSQ9DilWDVTcIQyqrqhXSynjx2M9/jl1/eAVXrVkKmWHMequBgjnFc4gLUO41iKK9RfCEeBAekd6ssF0MI4scQA8Rwz21oVh6XWv5qCIepg1hcKxriWDnS5kjR+TkzYxRA3/Ls54lUqaQNJobw0JFCRLMjdWQJCZUFK9CubC+MwmMzJIY9cjdJZfNqsHW3+3F7XfcgdbWVtTXj690G9MjkJsiQNN8X69rz949+Od77wUzDSyujZY4jIy5xmlnfLi0E1FlXzKWxwNbkEVGGO2HHyLglxZwa5KqOj/RWp59bsre6Dkc++vSqIprrwHsGwB25h/rG8wJm4ZlU1GWK59sMU1FSHbEWFFYVpJLGljJd+/ljVXQdRWPP/EE7rvvPuRywRuGR0MikcDt3/8+Xv3Dq5hbHcG8WKh00gWcHjK2FnIkRUVGTPOnvMF4wCXA7r4sevsLePcI/wXg5lmmfnBBrPTxFqNh2hHGFUvqwOo1MiPaszbR3wPYl3+cM3dnTyaALu2FIQJ7NAUxVYHERd0iibWjgd91W30Mc6rCSKXS+Kc77sC/P/QQLKv4yWiZTAZ33nUXfvzww+LfS+tiaAxrJTR4kpAAZT0kxqsYxs2hMwuyMNDVZxQgTNppgb7WFDNeOlCfweql1UW5pslg2hEGxwdX6ogylWSb/ZKIbvaK7sBdMD2cNHozQvwrBphrXQ9HIq7xr3RbKL/l+VUhtDXExG7a3d2Nm775TWzZsqWopJHNZnH3PffgtttvF8QlyTJWNlUhpARrYxoT/MSSDD0cDaQVwKindUs0dMWzhebkARBuSqeSzwzaNbjqtKaiXddkMC0Jg2Pd0hD0cCRnZ9gjRPRtAEPhjd4AeepJsSCpOpgSXL/O8YDvZDW6igua64QrmC/Uw4cP46+++lWxgJNu2HiQ4CR1y3e+g299+9vo6+sTRtO6kIpVTTWlb/WkyGCinmdxBomPR09/Fh29BSOT3ybQ15MmfhGLVdtrz4gW5ZqmgmlLGBwXtUcQqQkZKsk/ssn+B9G92oVHGp1FtGmILu6lTnF37RgfmFuPhrAuJqwsy8Kt+Xc33YS/ufFG7Nu/P5hzE+Hll1/GX3zlevzjbbehf2BAnNsmwhn1MfEqbUEwEqntIpekCNdxfA4WlCze4xudRew/6mNR8yNnBd9TxA9Ma8LgWNce45JGyrJy94Lou4VIQ0TSjdGg2R+Qo46UQcUriwjLZ1VhZVP1kL7MF+7AwADuvvdeXH3NNfjX++8XJOIHOFHs378f//Dd7+KTV1+Nh7c8AiOXgyRJLoExfHB+PZoiWsniL5wLdWthKMF7IPh9dsczo0kWRwn4Zlqy/l8oFDHWtZWf+3Q0TCu36mi4sC2Ep/b0p8xs5m7R6JSx/wNAUDafn70DhohgntMQgqpMtGzK+MFkRRRmKTX4PdfqCi5e0oTt73SLycuEg8DZH1548UXs2bMHWx55BFd87HJsWL8BixYtgq6PfyFxkkgkEti7dy+2bt2Kx37xC+zevVsQhZxn+OWfa4zouGhhoyiaWyxj9KjXrWqgkwSZTQXMq5gVzzp1LUbe7zGb0a2KxTZXRWKZjWUYazEWZgRhQOSc1GD7nv5ENpv+vyCZwNhfA2hEXps5vnA4aehBBHd5u5eql00h3vULG9BaH8NrXQOiaK0HRVGQSqfx1LZteObZZ7F40SKcd955uOD889HW1obmOXNQXVODcCgEVVWFsTSbzSKVSqG3txfvHD6MXbt24fkXXsCrO3eio6NDfIYThTzMS8Sf+bnNtVjVVD28J2gJQI4EGKBhOifKSWacxMiRpzgC4FvMZD/SI+H02tbyt1kMx4whDI6d+/fjzCWnJ7NG7p8ZkGMMfwNgyOzcP5gT7N/cEEI4gDBykuWSp7h74Dvb4poILj19Nvb2JNx+X8fBpQ3+Mk0Tb+7bhzfeeENIHDU1NWior0ddXR2i0aiQOvhnOMEkBgbQG4+jLx5HMpWCbdtDv1MoBJ0vmIiq4LKlc1CjKyWXLsRDUDUwWfV97EXt2ZyNY70ZURWuwO8fBti3sqa1OVoVzaxtmX5kgZlGGNd/9Bzx9+m9ycHBdPZuldlpBnwNwFDoYiJlwrLSQtKIRfy8facaNXzsqDXFqxEqwBUtzXhs/zHs7U4UrHLNGHOkAlkWBMAliO7u7sJSEmPi8/zlEcVY4BLF+XPrsH5hY5kIXeSojLL/wXWprOnkhqRG1OLk2E+Em3Ky/JNwWDc2TlOywEwwehbC+rYoYmE9Y1nshwT6WwIOeMe8Eu5HOtNOc1s/J44kl7xMXz64NNVWH8XH2+ZBkU+uhnlEwKUFRVVHvhRFkMvJiAKuKlKtK7hq2XzMjuploI44IC3kezsIvgm925kWfwtgNxF9VYL5aLUeMi5ZVh51LSaLGUkYcEkjFI5ksoweItD/BvBK/vFszsZ73Wl0xTOi98OUZQK3ZydKnOI+HBJj+ETbXFwwt66oMSn8VBef1oRNS5pK7jUaAh8XPj6iFsbUrom5Bt3efkNsPunsiJKRNoDnQOwv+tOJn4XC0dxFLaWvmDVVzFjCgDCEhlEdiloZK/W4CXwFwA53IMXc8eooHu3OCAKZYu8zEVnppE77dQdTB9/ZF1SFcO2qxZhVpJ2eP9cldVF84ezFwltTatPFCRiqtjV58LmTs2zhMj3akylUX5aLGr8khq+8p9T/prG20S52S8OgMKMJg2N9SxThcLX1R8sHfkvAlwh4lAsY3nHPg3K4IzWaSDl+8Jmkh9xKU+WzSvhO+JHTmvCZFQtFwlyQV8ZVkSpdwZfPWYLz5tQUVaoZD4RKwqZmw0ilHZW2q88JyBpezwIMPwLh+tnp9AvNGmhje/nmhkwUM54wODa112HrgTmYk1V3G8T+CsDdAPrzP5NMW0IP7Sk8CcYJJiakUxPDr6ufOkiUnWP4/MqF+OgZcwSBBHF5nHxlJuHTKxYKNYiVsP1IQTB3fITxd2JXxtz7608YeLczhf6kWegnugH8k2GzrymKcqCnoRGbWspI3PQBM8pLMhY2tUZwV2cvVnSZ76Zz9A0myQdB7AYAi+EKB1y0PNqTFUbRWXU6QtoEXa8M7oSUyq5VIVdFZkd0/N3qFiQME08e7BT2Db+ms01Og+I/bZ+HG85dgpgql42h0wENFQJy9snx1zFlboUsvpn0DuSEe7jAc9sLYt8zrNzD1ZHq1EXt0ysga7w4JSQMD19uqse+dBNULdSvEt0DYl8B8Pshu4YrvscTORzuSIv6GnzOj39ReUa18nysfAGfXhvBty5sEwZJclUIP35XlRiuXjYfX1/dIlLYy4ssXIFCVHYPjXtAvY8Npky825EWqekF8pIsgG2XbPaltK5sDumh1BE75fvllwvKc2YHiM+dy7BxWS30cMTY06k+RoTPAXiIz4v8z6Uyjp56tCc9IYMoO0lF6lKD747t9THctm45rlm+QNSwnOziJvf3miI6/vKCpfjGmlY0R/XS5ouMBckljHGMJhNRm7ZIXjzcmUYiXdC+xdXafyGwaw+dZWyLauHcJWfW4urljUFcfVnglFFJhmNNSwxP7UkT2bTLytl/DWa/DtjXAmwB8rwoPX0G0hkLjbU6qqOKKMs36nogcuIwZM9tV576KyeIRdVh3LymVVTnuv/Vt7EvPujYIKSTqymcEPhLV2SsnlePL65ajEsWzxI9PMpOssiHdHK3N3PVq0G3+bcgikJSJsN+EO6CLW1WdSXevjeMC5eXPo8oaJyyhAHX7crx9K7+Y6k0u00OYScj/CVAawAMZSglMxYynWnUxlQ01GiiOvmoULlKUv6PlS/supCKL5y9EGvm12PLnvfw60OdONiXQtZ07C/568rjAYkBtSENZ86qwmVnNOOjp89Gc0wfIpGyBpf8+PiMcp1ef9PeAUNUbssVjs/JANgGYv8oE3tWCYXNde3lVdk7SJT/zC4CspEqhKRB49iRmscbmrreZJCuA8PVAGbB23VsEhMpmTEFadTGNFFs+MS550oYAWZD+glvga9orELrB1tw1fL5eP5oHC8d7cP+eBLxjIGMZYuQ8piqiHqcyxqrRDLZyqZqYUSFG3dR/iBHVdRGBk8JadIipwNZvyHUURSWD98j4AFidP/83tSh3rmNuKjl1CELlK3MXCL8+rWsKDWfysZjErFNNsP1DDg/X9ogd5eNhhQ01mqigZJQU+AY1aS+Y9A3fxus87AbUTg9wCeC7N6HYdkYNCwkc5Zo2sQJI6LIiKqyKMevuG0Cylr9GA6yQdX1MK66Eda8Fqdbm6t+pDKmIAonz4gKaSxZAM8wRncyQ3vSCOUy7y5pwBcjp97yqUgYebhkuY5HX9iJusjiwVd27f3Jme2n7SawzzLgkwCakeeP55MrbVjCrtFQrSGsK068luzUW5huU8kzYHIojKE2pAiVhQ0dJ7fpGSE3jXjiBLjlB7wojIxhCTdp/2BuKFqzAFm8Q8BmInqgoaHxrYF4ArVSCH98CpIFKoQxEh8/7yzx9xev9FAItKeXWV8Py+oOybKvBeFDAISD3RNje/tzGExZqIkpqKvWEVbKo4jOVEDuf4IJ7yoRyKmIRqqGrGGifyAr3OfZnD2aeToBYBsBP5AZns3AyBhZAxevmDlRm5PBKedWHS/+eFUD+vUQoqFIetPyHz5myezzRLiZgD35UT8ir8C0RQn5d46l0NFnIidNb8KYqbCYgu6ELcbpWG9WkAVGkoVFwB9AuJEB183pyT7FFDUzT5+LC08vn0zkUqEiYYyBy9ucVOQdb6QQSSQODyjybRroSTD250S4nAFz8z/PRdyujIUaU4VuuzPx1JRcyw6MgIytoGOAkNOs0YblEICfMOBBi+zXNcj24+vm4utllH1calQIYxxY2xrBjURY99qAyRheNixjnwTpcYD+DMAGALXw7BtMgiXrQgYhrwF6RY4rHcjtuWxBjAtJciGy6Aaw1WL0QzD2nCapab4wdM2okMUwVAhjnLiVMdzq/v+2N5OJeL/xRFi1f8+YfYkE9mkAqwFUC8LwXHfkuvzdNIaKtFFEUB5ZuLAU3Y3CHbLNxAn4jQ1sBqOnGyy1PxlTsWEa9AcpFSp73ySwoSWKpjodqqb0bNra+GML9FkQbgDYdgJL2uqwfAU+cS3nNZPsiOUKThLeKx+CMARzi5DuJ4jhy8xmX5zb9M5/arLW310lV8jiJKhIGJPEh5Y62Yj3HXkPp/WGjuy05QeWU+5XpKgflrOD1xGTzhnxJZc4OJlUJI4AYB+X6EbBAEnybxhhC9n2UwsPNnYebR3A0c5VuHRlZTDGg8pT8gEPPLUP85pnw4aEubduUuc1Nd0hkXntSb8ouTaOyihMDZ7qcRLpzdCqXzzSdsk1zzVf+cayBQYkTcG6ikQxIVSmqo/o/LOPgGy5RY7KWySNnT2uL7E80qiMxsQwTqIY+niWOqxk5jNq63lb6/72lqCvbkaiYsPwEUcHeyTI8kYi1jLuxU+j69wVjALvmU3QJkRgs0gNfczc/+r0Lt1dQlQIwye896kNmB2b3QyGy0GYeLklcnVwa0LFoE4t5BPFRJ+RQ+ASA7vEIuns+OcvC+QSZzoqhOET1m7eBkWS1zKw84dijSejYuQtiomI2zMa+V6myZCpZ2R2sJBJ7Mp4OlkJ25wE/icAAP//iFU60gIwwN4AAAAASUVORK5CYII= - href: 'https://hub-gitops-server-mypattern-hub.apps.region.example.com' - location: ApplicationMenu - text: 'Hub ArgoCD' ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: open-cluster-management-operator-group - namespace: open-cluster-management -spec: - targetNamespaces: - - open-cluster-management ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: openshift-serverless-operator-group - namespace: openshift-serverless -spec: - targetNamespaces: - - openshift-serverless ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: opendatahub-operator-group - namespace: opendatahub -spec: - targetNamespaces: - - opendatahub ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: openshift-storage-operator-group - namespace: openshift-storage -spec: - targetNamespaces: - - openshift-storage ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: xraylab-1-operator-group - namespace: xraylab-1 -spec: - targetNamespaces: - - xraylab-1 ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: knative-serving-operator-group - namespace: knative-serving -spec: - targetNamespaces: - - knative-serving ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: staging-operator-group - namespace: staging -spec: - targetNamespaces: - - staging ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: vault-operator-group - namespace: vault -spec: - targetNamespaces: - - vault ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: golang-external-secrets-operator-group - namespace: golang-external-secrets -spec: - targetNamespaces: - - golang-external-secrets ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-streams - namespace: xraylab-1 -spec: - name: amq-streams - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: grafana-operator - namespace: xraylab-1 -spec: - name: grafana-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: v4 - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: odf-operator - namespace: openshift-storage -spec: - name: odf-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable-4.11 - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: opendatahub-operator - namespace: openshift-operators -spec: - name: opendatahub-operator - source: community-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: serverless-operator - namespace: openshift-operators -spec: - name: serverless-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic diff --git a/tests/common-clustergroup-naked.expected.yaml b/tests/common-clustergroup-naked.expected.yaml deleted file mode 100644 index 7a9f94b25..000000000 --- a/tests/common-clustergroup-naked.expected.yaml +++ /dev/null @@ -1,588 +0,0 @@ ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: common-example - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: common-example - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: common-example -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-example - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: {} - argoCD: - configManagementPlugins: [] - initContainers: [] - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - resourceHealthChecks: - - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - kind: PersistentVolumeClaim - resourceTrackingMethod: label - imperative: - activeDeadlineSeconds: 3600 - adminClusterRoleName: imperative-admin-cluster-role - adminServiceAccountCreate: true - adminServiceAccountName: imperative-admin-sa - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: [] - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: {} - name: example - namespaces: [] - nodes: [] - projects: [] - sharedValueFiles: [] - subscriptions: {} - targetCluster: in-cluster - enabled: all - global: - extraValueFiles: [] - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Automatic - useCSV: true - pattern: common - secretStore: - backend: vault - targetRevision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: trusted-ca-bundle - namespace: imperative - annotations: - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: trusted-ca-bundle - namespace: common-example - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-admin-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-admin-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-admin-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-example-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: example-gitops-argocd-application-controller - namespace: common-example - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: example-gitops-argocd-server - namespace: common-example - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: example-gitops-argocd-dex-server - namespace: common-example ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL=""; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1beta1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: example-gitops - namespace: common-example - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceHealthChecks: - - kind: PersistentVolumeClaim - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - - resourceTrackingMethod: label - applicationInstanceLabelKey: argocd.argoproj.io/instance - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: example-gitops-link - namespace: common-example -spec: - applicationMenu: - section: OpenShift GitOps - imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQwAAAEMCAYAAAAxjIiTAABtCklEQVR4nOy9B5gkx30f+qvqMHHj5RwA3OGAQwaIQ86JYBJFUgyiRJHm06Msy7QtPkkkre9ZFml9T5ItW6YtySZNijkiA0Q85EM6AAfgIu4Ol/Pepokd6v++qu7Zm9udmZ3QPTML9I/fcHE7O9011VW/+uc/R4QIESLUiYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA39E4PIEK4uPduQnzVCDRiIOIQjMDAAJA6LggAo1M/S2AT/1cGOvU7kv8jBsbkdcn7tfw3995jROqCrutgDWZj6XmTLxZhJiJ6iu8y/HDDBswaOBu6yyH3rEtFMIfDYRx6UWeWUdQ1xnXOSbc1YRK0mO5S3AXFGbEYgBgHmRzQAGYAjHk8IWmBbDDmcIIlOCxBKALIOy4VdWIFMGZpGhwXwo05wnE0jbjG4QoHBo/B4QyCGI4sjuPz/UanpypCE4gIYwbiVy8dgx5jSHAd4Jp39MsnKQg3n9uHe986Eou5RpoIAwAGGKPZAJtHDHMBzGHALACDYOgjIA1CEkCcATFf6tT8taFNrBBP+nDlXbyf5BCYJAz5yjJgnAijjGEYwBBAxwCoFyMcJ2LDNuMjNljmxl0566U1aUlC4IqK5OUZNMHw/No0vs6iZdmtiJ7MDMJTb2dgFQVcYSNl6Bgby2lIxOIQop8YLdQJywWjlYyxFYywRJKEJAwAvQBS8AihXXYrt0QmAMYAnARwlED7wPg7JGi3YLSHEzukA2OOqxeEbglT0lA8DodiuOPcmBRw2jTcCPUgehpdigf3ONCzOXW0M9/kQKKgua4+QKDFYOIMRmwNY2wNAWcxYCGAPikpzADblA2gANAIAztAwE4CthBhK4F2c7BDI+gdXkCjwjYNtUiZYMi6PfjQhZGdvpOICKOL8K1rCCv+5zg0JsCtIrJunMMspHXwxZpgaxnDxWA4D4QzAMwH0FOvxEAT/zcJPhlVOsjLf0cVPktlRtAp12YNLy5BwCgDDoNhFwibiOg1AbxlAIfZsMiwOZwcMlEQWXzkgoWNXT1CIIgIo8NY/04WTtZWOjyLWRgb1vV4zJnHGFvNCJcBeB8DzgOwAFC2hmkJopwc5KbncvMyBo0zcM6gaVD/Xfr3xEv9redDUWThf04yA/meFPWTSO1uVxCEfBHBdcn/t/d7+SLh/V052TSgYbieOkMHQXgTjL8gBNsoSOw4kjlwfNnslS6Ts+YCKZ7EunMjI2o7EBFGh3DXGwWktDzcvAOXyNC4NodrdCEB14DhcgCrAWWkrKpeTGxE/zSXm13TGHSNwdA5TIPB1Dl0Xf6OeyShMfV3vJwQGtvI/s1PCRUlEpE/FXkowgAcR8BxBWybYDkCtnrRBNFMJrZpINWYIwC2AdgggGeInDdN2zhRSFpukhKw+lO4Y3FEHGEiIow24tEdeTDHUv/99F6NXbEwNw9g5zGwGwi4lgFrAPTXkiKITkkNmiZJgSMmX6b3U/5b88mBsSobkSprJ0Gg0v3IlzIkSSgCcQSKNqFouSjaApYticUnkSrq0SS4BJxkwGYQnmSMnmYCb26+cPbQeZtHldGHx5K48cyIPIJGRBhtwN07c0gWbMSdHPIsnnTJWa0x3CjAbmHA+QDmVSKJiRPYJwgpNUhSSMQ0xGOa+m/5u5I6MRFUFRYbBICJgDCftCRJeAQiUCy6yBddFCyPVMrVmRokIlWXwwBeg8CjxOkJAtut28U8j/cgbzn44MWDbft+73ZEhBESHt6TBc/YKtrxNV2wtTlawDitA9idDLgOwBIAZqXPlk5ZqVoogojrSMY1xM1TBMHKjI1dzA91ofy7SJVGqi1S+sgVXOSKLoqWUOqNmF76KALYA+AJIjwAwV65/aLBo49uHlVLXaTjuH15rC3f6d2KiDBCwBM7crDzOeRhGRqMFTqx2xjwQTBcDC9o6jSUJIkSSUgJIp3QkfBJQqoYvu3xPYPS93UFKZUll3eQlQRScOA4njEVtSWPYwBeIsHuFZweExb2mZrraskUbj473b4v8i5DRBgB4bHNNohyakZtx4mD03ncxYfA6AMAO9uPjzgNJa/kBEkkdaQTGkxDUzaIctH9vYwSKQifPLJ5F5m8g3zBVcbUaeweOYA2E9jdBHrAFWJr3IxbBEImlsRHz6wo5EWogogwAsBj2/JwrTG4jpEApws46BNgeD+g4iVO83KUpAlJCPEYR48kiaShJImSqvFekiQaRYkYlORhCUUc41lH2T7c2kZTm4BtINxPhF/mdXpzrk2WlUzipkjiqBsRYTSJB3cRYoVxCBAKtpvQiS5mjD5JDB9gwNLJRszSQjZ1jlRSQ2/KUHYJ/T2obgSFUgSsI0hJG2NZWxGIJBJRfXG7AHYR4W4CfkEkNsWMmEXE4FAP7jg/2hK1EM1OE3jknTzY6CgsGAYHzuMcnyGiDwFYWYkoOAdipoa+lI6e1ClpIiKJ4CDJQwjAsl2M5xyMZmwUVN4NVZM4JHHsIKJfMmI/Fba2VY/ZLtPjuOXc3raPf6YgIowG8MiOLLjtYtR0eCpLq8DokwB+C8BZfobnBCQZaBpDMqahP20gndKVhyOSJsLFhNThEjI5GyMZB9mCo/5dZbE7ALaA8EMi9suhkeHd8+bMI8OI4frVkX1jMiLCqBNPbilini2wV+TmgdNHAfwugIsmu0ZLRJGKaxjoMZBK6jA0T+iIeKK9YL6tI5t3MJKxleRRgzgKAF4Ese+Qyx/gsfyQafbjhlXJdg+7qxERRi3QX+DxLV/2KkflKeXq7o0M9EUAN/rp4qf+1CeKdEKfIApdqh2dG30EH566QsotOzxmTUcco0TsEcbwj8TwvK7reUPTcf3qVLuH3ZWICKMGntmcw2ExwvqFeY4g9gUw+gSAReV/o4iCA8mEjsEeQ3k8dC0iim6EJI6SxDE85kkcrlvVxrEHYD9yGL5jFrHb6EnSDWcn2j7mbkNEGBWwfnsWju2gAGvQcNlHGMMfEOHCcjsF+QswGdMw2Gsqr0dEFDMDijiUjcPByTFLeVYEVdwMtlJTQP+DhPaAHuNjOo/hvUwcEWFMwtPb8jhycjtPJRZeqHH+hwA+4letOg2mwRVR9KcN9d8RUcw8yMVvuwJjGRtDYzYKRbe8znE5jgP4KZH4h0R2zhZ7MEe3rHlvqigRYfh4ansejmPBtZx+wfFxEP2hKlZTNkdyMemcoS9tYFafqRLAWGTMnPGQz7BoCyVtjIxbsJyK9g1BDK9AiP/quuy+WMIcJ8Zx65qeTgy5Y4gIA8AT2zLoORbDyf7Rc4jwr3xX6YRUUTp1UnENs/pjKjpTiwya7yr4NZSVfWNotKjsG5XVFDpGjP0AwLdu75+1+6mxPK5f+97xpLynCWPDdgsZkYddKCY457cB+AqAdeXBV0RQ4VmDPQYG+0wVqRkRxbsXjEElt0lJY2jMUpmyFWBL7dUV9Demw59gSd2Sf3fnRVM013cd3rOEcf9OQj5zBGnNmAPBvshAXwKwuPR+SapIJ3TMGYipn+/d2XpvIl9wcWKkqELO3cpG0V1E+G+c0fc1XR9maQM3LXt356W8J0swP7k1i/s0oBfG+RD4zwz0tclkYWgMcwdjWDIvoVSQiCzee0gmNCyam8D82XFVl6SCZHkGY/iPBPZXdtE96++W3oXHt+c7MdS24T23DZ7cnsdQLq8nubgJwNcZcMXksO5kXMNcKVUkDVXJKmwVRHUM4gx+SyK4ROpEi9A9yOUdHBspqszYCpAqynqN2DfGdPZsWmPitjXvTvXkPUMYv9i4FX2xhXBdN80gPkOeveKM0vvkb9r+Hh1z+mOIGVpbbBUGZ0jpDDGNqS5gEg4R8i4h51eZaiem5rlMdTS+F3sLMVXnhDA0UlS2jSqRolsE6BuWW7wrFU/nIdK4ZW23t4hpDO+JR//jLW9gCT8PY7mTc7km/iXA/gDA7NL7ckuYOlNEMdBrqkzSdkCSRb/J1c9KkIQxZgdDGl6LgFK7gFL5f1Jp4Or3pWK901XsUXV9/ALD8KqO89JPvwp56ffvxsUl52gsY+HocFHVHq3Qr/oQIP6rzdg/9SXNkevO7OvQSMPBu/GZnoaHdo1jtZXGlvzRlZqmf40Bn/T7e0xAqiDzBj0VpF2Qm6vf1BDXqj8CuW/HLYGMU9FSXxXC7xvi/SSl4oiJl0cQCDh+pPQtSsThtTJg0Bib+O/S798NyBddHDtZwFhlFWUMDN9hTPtbztiBmBHDtavfHdGh746nVwWP7y7ixsdM/PryoQsY2P8L0J3yYJ/4Awb0pQxFFnGzPSpICTHOMBDTMJ0wU3QJw5ZbVcooSQ6SFBzVD0Qo+4dQ0gR1hQuY+VKJRyBS9eMqAE6SyUyVROR3smyB48NFlZci53/S9yiA6BfE6D/kkNuZzC3BHVdonRpuYJiJz6ouPLZtDBaBk128QiP2DQDXln9fqXbM6jOVGqLr7S9mk9I5+szpnVRyIZ4sCthljCHKCMIRXpEY0SXkUC9KjZcUcZQRyEySQJj/LIZGLUUczlRLtQvCr4m0P7/9wnWvPrzjddw+wyWNmfN0GsCj28cwUjjJepC+GcBfAqrloPquKhBLZ8oLMthnqgXaiY3WCGEMFV0labg+QdjilIrxbkFJbTG4JBGPQGYKeXh2DRtHTxZQsKfYNaQ++bQQ2p/tjw2/uNSZTXecP3Mres2MJ9IAntyWw2hhVDdIu4Nz/k0Aa8vfjxkc82fF0ZvubFesmMYwYE6vkuRdgcNZGwXXPdVe8F2OkpvZ4Fy9tBlCHtm8gyNDBVV3o4Ix9GUC/mxkvLh+4ax+cf0MTV7r/qfQAJ7cmkMxm9dIFx8Gk5IFW1N6T260ZExTZJFOdt7VJYlCEkZsGqPn0ZyN43mrrWPrJqg2DJI4NA7TJ49uBfONoYeHCip1vgJeg8CfuIX842Zvn5iJtUO7d/YbxFPbcsjncgZxfIQxSMnizNJ7pEK8NSyYlVAekW45pSVZSLVEr3J6jsrFlyueZr94L0NKGaZPHgZnE42kuwle5quLI0NFVYi4At4gwp8ULfuRVH9a3LJqZmW7dt+MN4GHNmdg5jLcNrTfAGP/yS/KOwEpUSycHW+bJ6QkUnM/A9KpYWvQGZDQGRI6h+Y/DkkQY7aDE3kHtmjMpfpeQEnqiGkeeXSjumI7QqknI+MVSWMTCXxlXIw+tii5lK5aM3OaRnffTDeIJ3YUMDw6qqdM/f0A/TWAVeXv96Z0LFC5AO2O3OQTVvS8S8jY4rT7u0SwXIGi6yoRSP697ovbRVeo92r01ogwQcwecZhdRhxecR7C0aEChsetSl64112Irww4vY8X0kQ3zhDvSffMcBN4/u1R7M/FWS/GbmVgfzPZwNmb1pUaUiVxKFDIvZ7UOZI6m6JilAdgiTKicMpUjfLxzeiH0iHoXUocjksqwOvkqDVlDRLwEhG+nEmmNgwIC7ec3f1Rod0zsw3ivjfzGGAnWEYkrgaxvwPo4vL3lWQxJ4FYyPUrmG+LSOm8pgHTEqS8HTnHOY0oIgQLSRxxnzi6wcbBfNKQksbJsamkAeAZIvZvDE3bWDQ03Hl2d9s0Zmx6+4p5Qxh3kxeB8JcAXVT6vXwgvUmphoRPFpIfegyuQrxrkUUJUqqIDJjhwhECWdtBxnaUJNfp2VZJjRrD3Flx9PdWbIx0FWP0F7ZwzlrT/uE1jM5TcIO4fwfBdEZRKNpnmlxKFqrpsReUBaAnoWPRnLhqTRjmYpEEIcnCrNPNl7UF9o0XahpAIwQLKWDENE299A67Y0s2jcMn8pUMoS4BPyMSfxoz4vs2bn8e/89Hb+/MQKfBjJMw4sUhFB1nvs7xNQC3lpNFKq55Bs4QyUKuu7QvVdRLFlKoGLWciCzaDDndBcdFxrLVT+rg/KsC0hrzggZTU7wiUj79DQ3831lFZ+Cy867szCDrwIwijPXbx2A51KMR/i0H+2R5IlnC5IosErHwyMLgDH2mpiSLOjQQhaJLOJKzMFys6F6L0Aa4RJ6aIkm7w25qU+dYMCum4oImrdM4Mfwe4+L/zhdyyce2jXVqiDUxYwjjV5sc2IWsyTn9Dge+ICcY/ikiH4Jk7mRcD40s4ppXuyKh1ZddqZLGCg72ZQoYKthtL4QTYSosITBuOcg7TsekDXlXKQHPnx1HMsYnu1t7wPBH3NV/czw7zp/a3X3l/mYEYTz9dg5HR10moL8f4F8BMFh6T9cZ5s2KoWeqmBcIVCFgXwWpVuhmMrKOwIGMhUO5IvIN1rKIEC4EEXK2q4yinZI2vDQF3+U/NQFxPoCvxrl5neMW2XO7u0vSmBGEcfL4OFb2jl0AsD8DsKz0e8a8Kll96XDa8ku1o9fkSgWphyscQTiet3FgvKhsFlS50nSELoDlCqWiFN3OkUYqqataLNrkFpsMqxljXyvm7NUjue6KAu16wli/PYdESltCjH3NT1OfwGCv14EsDHe77tsrUjqva9PnHIGDWQtHcxaKYmrptpkJVvZ690HZNiwbOdvpWKkAedjJQ2/SgST13usZ8BVOuVlP7Mh2ZGyV0NWE8cTWHEat8QQBvw/gzvKV25P0+oWEkb1o+rU2a5XPK0EVUCk42J/xpYqZsr0ky3IO4pp6Qb04qMS+RGDkggnHe5HwzkVV+YZ7f6/ppz7L+IysDiyfV95xlVHU7YChSS5feegN9FTynLCPw6XPZfPZ2DO7c20fWyV07RN+9BULNh/XOKdPgOHvAMyF/4ATpobFcxOqb0TQB0NMY+g1qhfmLYflqyAjRadSibbugqqTJ0VfpjY/s4vghSx4bhxabhQ8NwYtPw5eyIAV8kCxAOY4YK6jVjVxHWSYICMGiifhJnogUr3eK9kLN9kDMpMg3fDvQX4J8plj7ZVSZVLXVUJbOyHXjWULHDiWVy0aJ/HuXgH8YSqtP0DjBl1/YWfraHS+MEQVaEszEAfpAmL4tyWygO/LnjsY89LUA16LUqLorZFuXo6sI3AsZyFju+rf3UcWzDu+5E/hKnLQxk7AGDoI4/h+GEOHoY0PgWdHwYs5RSBMJcIJ+BWEQVK/91V8mnxdKY1IcjDjoEQabk8/nIG5cGYvhj13CZxZC+Gm+xXBqM8oAuluA7AjSBlDk6Qhprev/qaqWm9wZc+wHKEaQ5etp2Uc+OPMeHE7UrG32zaoKui+dQ5g/bY88vn8bM7dvwPYp0vjlPt47kAMcwbigUu/CUUW2rTxFaTqVDg4mreVwazrJlBJEhxwbejjJ2Ec24fYwR0wDu/ySCI/Dji22rxe53lWmt2pKoXa45I4PAI5/T0q+0meRCElGE1TJOL2DcKZtxTFxWfBXngm7DmLIeJpb2ySOLo4iE3OQkLXEde1tmpZ8lYnxywcPlGYrB5JXfcfXcG/lk6lR69bHY6Rv94xdhWefyGH8WTRcMn9EvfqcapsHDl9/WkDC+cklJQRJBK6VEOmJ4uSvUKqIU5XqSDeiS83olQtzMO7EH/nDcQObId+8ognQRB59gnWhBGTCMIh1N2OzVdHpAJEmg7R0wd7/jIUl5+D4srzYc9aBDITXS11yBmShJFQpNG+Jy2El6h2YnRKlbUhAP8uyXq+f+35sY5NWveseR8/y55A7w52LTj9r/LaFjGTY+m8JBIBqyL1ShZSXD2Wt3Gy6AVhdcfE+UTh2jCGDiG++3Ukdm6EeXQfWCHnbdgAjZHk+GpKo/OvvEakpA/RO4DisjUonH0ZikvXwO0Z9HsldCdxxDWOhKG3LWVe2TMcgf1Hc8jkJ9cGZa8R4fPxROr1G1bH2zKeSuPrGjy2Iw9nPDuHdPwPBvxmaXycM1Uxa6Bytl/TiGue63Q6srBcUu7Skhek8/CIgjk2jON7kNyyAfGdr8EYPgK4TqgeC6mekNMEaUxcQChpRySSsBedgfy565A/6xK4fXO897uwwlhM40i2mTTGczb2H82rhLWyu7pE+A4Y+xPu9A3fdkn7TZBdQxgP7RiFm3cNjdw/YEz1EZkwBw/2mipPJMgWhjEV6j09WRRdgUPZU8bNjkMShevCOLoHqc1PI7H9ZWhjJ70TmvP2PFIhVZRTBtGmoNy2Qnle7IXLkDv/WuTPfh/c3tkTKk03od2kIXFsuICjJ4uTyXmYiP3b/HD8n5ckkuKyde3dwl3jJel3NIwy6yKA/YsSWSgXaoxjdr8XbxHUEjK55zqdjiwKqsR/l5AF81x9+vARpN58CsnNz0EfPubHRkiJoo1dtTgD17ln12g2doExkByz68DYuxN9h/ciseVFZC+5GfmzLgbF07600R3E4UWEOm0jDXmHwR4TubyrXK1lGGCMvpTsL7ywb3B4W+gDqTCujmP9tjwK1ngfU5Wz2O+WxiVJYuGcOPp7glNFvIzT6etY5B2fLJypPSbaDs7BCzkktr+I9MZHYB7d420m3uG4Oylp2AFJAyWJI55E/uyLkHnf+2EtPMsLCusi+0Y7JQ15i0zOUfYMyzlNNZGz/vfksD/n6b7s7avbd+53hYRRyKlONXeAsQ+U17foTeuVagc0jVKFrGnJQkoWOQvZTpOF79Ewj7yD9MsPIrnjZWXMLEVldhzysRnwSaPFa5UkjmIByU3PwzywC9nLbkH2ghtVcFi32DaUK525SLbBeyJ5OJXQlUquVJNTkJviE0Lnj99h/4cHQx3EJHT88Hx6SxY5O7cSxL4Nhuvhk0Xc4Fg6PxlYfQv5RXtVbkjtr1wos1l0liw4mJ1HcusL6HnxfhgnDlSOlegCtGwIrQThAoaJwqoLkbn6Iygu8h1mXWLbSCiXq96Wx2FX9ZrgPpf4F1OJ2NHrV7cnArTjx5Rj2TojfAIMV5R+JwWAwT4T8QCL4aT8it61YLmEI1kL2U6TBecqCrPvqZ+i/7F/hnH8QFfnajCNgekBLyUpRTkOEltexsA9/xPJN59SXqGSLafTKDiual/ZDpg6x6y+WKUyg9drTHyk4Ii2TUpHV+AT28Zh5YsXg+EHYFA1UEtFfJfMS6q03yCQ8N2ntTQRW1X19lynHQXnMA+9jb5nfo747jc9/b1LNsl0IFt4UaEBgwkXIplG9n23YHzdByFSfV2hokj+Thm6qhkaNogIh44XMDRmTd60LzKw3zNjia03nJ0MfRwdW4m/fJtg5wopMPZZsFMBWpJFZ/WZgUVzGpypAji1yMIlLyiro2ThSw/xna9i8KH/jfjOTac8IDMESsoIIXuYuAaWzyL93P3of+R7KnpVSSAdhtSO8rYLuw01NThjSuo2p/bYuUiAPmHbblsKZ3RsNV6YewmuhnVg9FEAE0+/L22o1oZBnFMlI2etzFP50E8UnM7W3GRegljqracx+PC3YRx5p30xFUGCyX3Mwhm2JE7HRfL1Z9D/4P+CcWR3V5CpPGxyjpetHCa8EANNuVonTa/JgE8JUTz/8e2FUMeAThHGl39F2MrOTDOw3wawBKWMPZ1joNcILEArqU9f02LEcjCU72DNTcZUCnl60xPoW/8jaCMnuuL0bBoaAwurpL+fnh/fsQkDD34b5sEdXTFXjiBVhCdse6yc1f4ew3MEnH6vM0D4tGNZoeskHSGM//IbDIz0axlwB07lSqKvx1C1DoOY+LjfjawWMrbAsVwHE8lKZPHqI+h76ifQMqPd4S5tEUo1CXFCiXGY72xF/0PfQWz/tq6QNCxXqOLCYUIVEDa4crNOWiY6GH5DuNYlT20Lt3Bw22f6nh153P/a2ACH86mJojjkTcRAjxGII0Bn09stSvkhHSunJ8lCqiGbnkDvc78Cz2ffFWShILWSkIvQENdg7t+Jvoe/q4zE3SBpFF1XEUeYUE6BlFGpQv4yBvoE2SLUrLS2r9DdAtA0+yoGuqW8zkV/rxlIAyJ5wZTBagZneUbOTgZmMfXkk289g75nfgGezzR+SpbnW5RqYKB74hSYFn7MiJI09u1QhlDj2J6OSxpSrc23wZ5h6EzVs51UnpKD4YMFN3/pE9vDK+fX9hk+3y2mOfAJAPPgr++4qaEvHUwQTExjSExzug0XHWW76JhJkTHEd21E77O/AM+ONbXQmWmCz5oFfelS6CvPgL5yJfSly8BnzwYMo/PEwXzSCBnENJh7tqPviR9BHz3WcUnDEYR8yPYM8mvapqaUemCLieFjjm2HZstoa2j4kzuyyOez6xj4zaXfKemix0DMaL3Ohea3MaylimRtFyfyHaxpIUXpg9vR/+RPoI8cb3yBMwbePwBt/nzwZFKKa6e9rQkBkc3CPXoUYni4o3kYkjDIZaGTlzKEbnsVvck+jNzyWa+yVwcJU6olOndVAZ6woGtc7Zts3ik32MstcKdw7R8/sbXw4o1rgtdO2iphOHYuxcA+Wi5dxEyO3lQw0kVSr50nYvtFey3RKSMnhzZ6TAVlGcf2NUUW2ty50JcvB+/p8ats0ekvSSg9PTCWLYc2b15no0NZ+5JoJS8m3ngW6Y0Pe4WLO/i9yY8EDbNRkrxHOmkgMdWWsQKED7mOFUpcRtsI48mtGbgOPw9gt5buK59pX8rwbBctHgimxhRhVIO8/MmCg/FOhX3LjWzl0fvCPYi/82bjBk4i8P5+aAsXgU2ncsj3DB3aggXgAwOdTRHnIcVlTIZcTJaF9IaHkNjxUsfD6F0irwF0iPfQNaYcBZMyZzUwfMh17TMf2xG8x6RthGHbri6I7gSwHGWVkvvSrXtGVIiuzmrWt8jaQpXX69zWYUhueQ6pN5/192+DX9owlMQwLVmUQKT+Vp83H8yIdUxEZ6yNCXOMg4+PoufZu2Ec29txr5NUTSwnvHwTpqQMXdWMmfR4zwTo9iEKXr5ry4w+9vY4HNdezqAIY+JL9CR1xKYGoTSMOGeI11gcjiCcyFtKJemM3YLDPPy2yjplxVzjG0hKFz094KkGdXNJGqkUWE9Pw0MODMqB075ZJ8ZhHNyDnufvbc77FORYVPazG1qDJFIek4qHbhwMH+wtZhY+viVYj0lbZtN2MgycbgJjq0u/U60I00bLA5BrMWnwmntwpOh0Ll1dnnq5cfS89AD0k4ebs+IzBpZMNXdicg6eSnVURGdtjnKXnJrY8hKSW5/veHS9PKyKIWa1ysfak9K9HJPTeekiDXTFz3YEK2SEThgPbBaArc9mjEnpQrl7lMEmoQdS6yKh1TZ0FlypijgtlZ9sFXLhJnZsbH7XMAYuVZFmN73ZwmeDAG9zHQ9JsIUc0i895KkmHY7PKLoiNAOoF/SoVXIc9AvBPvhbZ+YDLZQR+kwuOsoBMi8EnWqkzBlT1bRa7YuqSelCZ1W3oZQETxaczjUcYhz60EGkX39cdRbr2Kbtgliudu9Zqb5rRw4i/epjYE4H597vZ1NwRGiPQX613pQxNcOb4eqi45zzzNbxwO4V+mPcO3DcAJzbTw/U4qr0WKu7WEoXtTJRc46rupR1BCpPxFZJZU25UMtBBGHbzRsuLavzgVzt8paUQxASbz2P2N7NHZcyLBFeGrxSwWJapfahiwDc4tp2YHpJqLP4g82vI8axhIGuLw8D70nqyljTyhqWZJqoUUGrJF3YndoojKsOZMmtG1rfrESgbAZoRhd2XRXI1WnCaGf3sLKbgo+NIv3a46rJdEdjM8iLzQjrMWgaU1LGpPPTAMNNlmDzz3j404HcJ1TCOG7tBQO/sryDmfxiPQEEasWnkS7GbbdzMRdgSgVJvfEktNETrZ9ujEGMj0NkGlz08nOZDEQmOJG0abDOkAaBIbbrTcR3vd7x2AxHCFgh2jKk1G6apxfYYcD5DtkX7bz8h4HcJ1TCWK1fkRYkbpzoM0JAMqap3JEwpQuXCMMFO/QkoKpQbtSdwS5Sx4F79AhIqhf1XJMxkGWrEHHU+5mw0YkhSNUwl0PyzadV39lOu1mLUuILaV2aBlfOhEmYxRi/4b59I4FEfoY2e49uHQe5fCUYu3yi5aGvjrRq7IxNJ11YAlmng2nrdhHJzc9CywwHt0CltDA6Cmf/flBxGiNeiSwOHoAYHekOsgBCKd9XD5SUsWerb8vosJThChUPFAbkV0sn9cnFghlj7FounIXffeNoy/cIjTC0jJAXv4wBKzARrdy6sVNOSlyr7hmRUsWIFX6KcVUwDuPEftU9PQyIoRNw9rwDMTICKCOa77IsvYRQJOG8sxvuieMdt12chk7t1ZKUsfUFMKvQ8TwTy3VVUd8wLi4l+Jg52T5IZ3JiF//ueXNbvkVo2arFJJKw6TqAJUq/S8YrfZnGYPLatS6ytuhsmwASSLz9CvSRAGwXVSDJgjIZsFQaLJ1Wqe4KtgWRyUJkM4Btd/w0nQxJ88Q64+ZV1ar2bIF5ZBeKS88FqHPtL20pZWik8p+ChPyOujyU4zqy+dO+Xy9n7Lr73hp+UG7NVu4RGmFoYEsEY5eW/q3yPRK6qtfZLGEwv/ReNb6Qkt6oL110LBt1/IRnu1DtAUJK1ZQqhzylpLoxNuoTg999zM9Y7TayUGA+aXSCMRgHGxtB/O1XvaZI6tl0RvoqSRmGxgNfp15+iYahMQZxSvXhYHRZgusLAOxp5fqhHIFP73bhOsVLSwV+4VcJSia0lp6RxpkqkFMNeUd0tnEyY6rGpHHiYHuMayVSoLJWhd1IFOXoZLa9KxDf/Qb0saGO2VNKsAXBDcFjoroGmpoqeTlpq61ybPuc9Ttaq44fyqq28rkYgzJ2eqHgfmCJqU/5Eg0hxr16ndUwZjmdSzDzjZ3xPW+CWZ2NLOxasM4SBjEO/fgh5cHqdJKJIAqt/qdSSxJTpNtBxvA+x7FaEntDIIx/A5ec+QAuLq97IfWqVrwjnHmxF9VguaTiLjoGvzhO7MCOzo0hQm2oHJOC11HO7WAfGh+WEKG4WOV+S8r9dvqhxRlhHSPqa+XagRPGq4f/QurXZ6heCSVDjMaQiGstkbrOWU1XqlRFrE7ljPgwj7wDbfR4x8XdrkaHp0Z56w7shD5+suPh4kJQaC7WhMlhGKfbC4nhbMspLH9px2tNXzfwGRs6Ns4IJKWL2eoXfguBVr0jMV7d2OkSMGa7Hc1Iheso+wWzrc7viq5Gh+eGMegjx2AcfafjaiP5HpOgKUORosGVLWMS5migC9YfvrDpawdOGLrWm2BgF5V7YOIxTRUtbRaSKGq5UouqiUwHXamMQcuPw5SLMEJ3Q6kleZiHdqv2lJ0mMEeIUArscMZUGMMkTkwQ2MXr+kdjTV83iMGVw4E7D4S1EzdgXjBJK2Sus9rqyLjlqkIlnYIypp085FUBj4yd3Q9XqP61vJjt+PNyicKplcE8R8Mku6H8x1qL89nNXjZQwrh/I8FxrDPBsLD0O01jSsJoBWaN2As54dmQi61OBzk04/h+8EKu4ydW16MLpoekWjJ0GFqmO8LmbSECD8iV1zMNPiUrnIDltmstfviVI01dt6HArce2ZCpHyHmNvDB0jFjfADsXQC/KWiC2ksrOfPtFNRQcrzhJJ9URuLYiDGV574KWfRGmA4M2PgJ9+AjsOUs7PRglHcuDr1bIQDPQ1WHNkS+e2rNM1aWh1UgmXnxs8yjK3xCq+76Om1dVL9JVN2E8usPGtrffxhmL585nhAu9gjjEAeaC0WGH2Ka+3uFxBpyr8vD9QUjpQmshBFbnbHIyzWmQ0kXH8kYUGHgxB334KDoU9Tyj0BVzxJiKlVE1VrsAwldL9IAPG8YYEqaGEXaaCznOGHsf2fYeF1hCRKafnzdsc/5W3iq+88z2vLhmdaLiNesijB/nx5DfUeRnLpp7E4A/BlPl9uKn5EuW0xmeB6cfM2A1lWWnxk3e0iIxeHUvpSSKnK+OdE7CgKpOrY0NoUMhYxGagSuUWgLhdIWeJAmDVEuR4CAFlpjJlR2jzLAqb/FJAn5TaQKnipTYOtGOHvC/LxbyP39wt5V//0pzyjXrIoxF6wWyi+zzwfCfAFxS4U8kHX0QDBcSoGrak6pbwWAaWtPHirIN8OqZqZZLSiXpLBh4bhQ8P9YV+nCEekHQR08oNzgZ8Y7LPVItkZKGFvAaMg2uVBPHpfLlOavCXRKMcCmAv3Qhxk4Qv7vS9eoyep48gwxAfAzAdA7cJQD61X+Rlz8iB9wspGRRyzuSd7xqzJ3cpiowLTMCrtKmOziQCA2BiIGPjyh1shuIXpJF0O5VqanrmmdDbABLBPDZ+Xa2t9KbdV0pZfMUA84pb0JUD+RAJbs1a2KQbFvLEJR3RWeDtXzw7AiY23mf/oxAt0yRVCULWd+12unBeAdPGO5VTWOqbF8jYMAqLjCr0nt1XcmFK/WKxkp8MU8c4i2ESes1ojsdv3R7p8GkGJkdVYVrIswsMKuo7E/dYnuSazpoxUjZMaZp9DUZUjlwBatorqiLMKiJCgbKHdrgQCejljZjuaSSdzr+qEmoRcc6b/uP0BAY4NhKyugWCEHlNSwCQzP7UK+iFoSWfcN9CaNZMNROZS+6osPuVB8kwKzgu2RHCB9SjZTPruOHjg9lxwg8gsszDbRaR7eE8AiDM8/Y0rT9AjW7sRfc4KPjmgETAlwlnDUAKnuJslf579/N6JodKsm+wWcXIsgPFQj6mprGlfEziEuHUqLPS2nnyuDS7Bg1Zb+ovLLkpBb9LL/Orj3mSRiuVf17kletTxKC/KkCZQU7VQR2UhMJlJr+cPKyrzUvC7vdDY27AqUpIubPI5vy3gQm5o7UMegtHao9Z0RgTufrYpTDDSEeQ+OexzLfUjVPD+HU9CQvLLVZg2cphqOaRuIKz4bRNZhM3eQRAzn+T9cnDSr7g1qXK3+/VJ5T88pQcsMvR/luJQ/yCUJ4BDFBEnU+bgI7nTw076dHuJOfE4GJDrXSrAJ5GMrDJMimT560H8z1QisCLAfYrNrk2S+q7wmbSFmUu2fPeCNREoQkCauMJFoF+Xwkr20DoggwHeC657cKq85w2yHJwWXeHIoWn2y5ZCJ8ElFSGoFp5BHJBA91zyqCX8iaQhCdDb01B0QJoRCGHJiuBtjcCJkvYVSD7YpQrMkNQ6kOmlqYciMLX6II1QZBHnG4NsAsjzS4OZOI4/TnSiWicFm48yZO3csjDqFOJdLMrgjcKkFKFyriM2DGkBK//Jqt2jFCkzCmtJ5vAGof1vi4JTpSqP50cA5WyCG+5RWwvYfg5tvfnXxC3bF90jA7XnWufghAuDx8opgMpS5K4uBgLgMfHlLNjcgwuyKWpmT4DKSvoQ91gGveAd5qA6XQJAytBUZjqK3O2D5hdKo6uIR+eC9SzzyI+JsvqQpOje9UqrxRmjjtJGm4cggOoMUaDrFrK1RHBIdD2F6Ryc6BgRxC4vknwLJ5ZK+6De7cRf4AO3schVEYWPO7Bba6b0IiDNZySb5qHhLhE0ZHwJiyqsfeeAHpJ++Ffnh//U2DSgux1GhI08B0Tf30WhySKhlHjuOddOUNieokESlpyI/zGKDFu88wSg7gFuQ4GxzYhEdp8maetPwn5gv1fXnGwLNjSD7/CIy9O5C94UMonnsZSNM7ShphxBcpr6PcWO40nqNpEDhhkL/hW+kCx2tI9yKskmbTgWtg2TGknnsIyeceUQtt2mI5pY2v66qtoTZ7LrR5C6HNmQ/ePwieSoOZMU86IaGaLIvsOMTwENzjR+AeOQT35HFQLgu4rq+rTUPEkncKHrPyRPeoKMLyxlV3h8Iy0mSmCZZMg/f0gvX2gyVT4GbcWyhCQBQLoMw4xPioelE+57WKlJ/nfJrG1d4EGQd2o/eu/4Pc8UPIXXkbRLLXr/nZfpSfK0GBK8Jo/TrBSxjkSRit5JDwGi5VdRC3RpJNDIhDGz2B9CM/Q2Ljs/4xXoMsfEKTpKAvPxPG6rUwVq6GNneBWuxM12ufgEQgxwblMnCPHoK9cxvsHW/B3rsLNDY6MaZakBuUBKAlPK9Kx0CeZ0dKFnXZKuTcyQOjtw/6omXQV5wJfclK6PMXgfcNgMUTgKZPGNSp9BnHARVycCXZHjkAe89OOHt2wj18wCNcTDNnXAPPjCH92F3QTh5H5taPw+2f3RG7hvCTMaoXdmgctaT2RhDKUuJ1HIQ1P19jO7kihPDZmoPRoJ08ip4Hf4T4Gy+eOrUqwV/s2tz5MC98H8yL1sFYvFydjg1BEqZhgvUNgvcNwli1FnTtrbD37ULx1RdgbXoZ4uQJf3zVJ1qpADlAS3aINMgjCkkY05KFlKB0HdrCpTDPvwTm2osVYfDe/pofU+tEcrecr0QSfGC2Iuf4uhsgRk8qkrXeeAXW5tcgho7Xfn7y966LxCtPK7vU+J2fgTtrftslDQrYtVqSVlo5xEsIzejZSuBJre/lBbY0fenGwDi0kRPoeeAHHlmgij3Bf8J8YBZil12F+JU3qcUeiAxYGkq6F+Y5F8FcfT7sq25C4bnHYW3cADE2XFPaUQbRTpBGiSwK0/2d8OZ56QrEL78WsUuuhDZ7futzx7kij5h8nXcJnIN7UXz5GRRefhbi+LHqtiHfUh9/80WVazL24d+BOzivrZIGTQTvBSdhKKm/W+MwJJO1Iv3U+qhSSZq/dP2QCy47hvSjP0f8zZerk4VcSJoOY835SN72YZirzlMnZWjQNBgrVkFfvBzW2ouRf+Qe2G9vmdh4lVDyoijSaFO8hopLmS4UWbhgPX2Ir7se8Wtvhb5wSTiWWk2HvvQMNWfmhZcjv/4hWK++ACoWKhOT/5xjWzeix4xh/IOfhds70D7SULEYwV5yRkgYTVcKn0bCCN1xrxorW0g+/QASG5+pboESAizdg8QN71cvqWO3C1JliV14OYylK5F79B4UnnnMM/ZVOZmleiJ80ggv5dDDtDYLf2HoZ6xG8v0fR2ztxYDeBl8w12CcsQb6ouUorjoXuUfuhnv4YJU58yWNTRsgUmmM3/EpkBlvm/ckhMoY3hJukTPCkTDk4Fr4vtPkC7XlmcXeeAHJDY+pFogVT27XBZ8zD6kPfRKxy68Da8eCrwA+OAepj/w2+Jz5yD/wc4iRk1VVFBX7UAzX5arC16cjC84Ru/gKJD/0SegL21/mn8UTSqLR5i9G9u4fwN6xxX9j0qT46kni5afgzFmA3Lrb/L8JdwFShfSkltGimaCEcM6aFpms1hcLPQRDnkIHdyO9/h7w3HhlshAC2sLF6PnM7yN+1c0dI4sSWCyO5A13Iv1bXwCfPbem6KxUhZASNKVWpOIsqt3edzEnbrgd6c/8fkfI4hQYjFXnoud3/xVil1zhr9cKi0tKm8UCUk/eD3P35kDtUrUQAl8E4qYN5du3ar+oKWGEye6q72YOyWcehH7kQOWT2nWhzVuA9Ce+APP8y8IbS6NgDLHLrkb6Y59Txteqln1qMB6iAVDRU30qv+mTxfV3IPWhT4P39AU/gCagzVuI1G99XhlbFSod7ZxDGz6O1FP3gY8Ptym4Jfh1Xo0TG0FI37w1D3JtwggX8bdeQvytV6raLPjAIFK/+Tswz7805JE0AcYRu+waJD/yabBUT9WjXpKFCLhujEqIq3pNzwYUv/ompcKpsXURtMG5SH/897xnWk0XYBzmzs1IvPKUz7bhRgKFoXZ3r0oyE8E9F2rixcfBivmphEGkRP/ErR9B7KJ1nRplXYivux6JG+8ENKPqylOBXUGVgiCfLKqpIoJgnncJknd+ovGYlDaBz5qrbEH6spWVVTo/LUAShn5kf9tUk25DSN+647mkTSH25osw9+2svBiIVIxF4rrbur5/KtMNJG7+oAqAqmpQEHUGVNUBYXsSRuU3XWiLliH14U9DG2i6aXhboC9ZgeSHP6UidCuSBtegHzuIxManPWP4DEOrmaoIizCoSiJm10IFaA0hsWmDvxAmSRdCQFu0FIlbPgwWT3ZqlA2Bp3uRvO0jyntSzQiqNnqrtgzyCgZVfOBSKosnkLz1g9CXndHijdqD2NpLEb/65uoSBEGprPqRfTNOylCPqEWtpCu/cS2yCUVzZIC5YxP0Q/umGrTkojdjylinL14e6G1HRkawb98+7NmzB8ePH4fjBHtqGSvPRvyam71AskqnC7VuyxCO3560EohUiHzs0qtbu0kFjI6Oqrl7J+i50zQlRRpnrK4iZXgG0PhbL/mG5S5LCa6Fri0C3EJs1XQfDTIhx7sgA8tnEdvyKphdnKpuCAH9jFWIXXplILdzXRevvvYaHnzwQbyycSOOHj2qftff349zzzkHt912G6675lqkewLQ9TlH/PLrYb36Ipw9b1cM8yzVHW0qArSWdKEMxLPU5gtKKpPz9PqmTXjggQfw8iuv4OixY3AdR83dOWvW4NZbbsH111+Pnp7WjKp8cI6K03D27/GiQSfbs4SL2LbXkb/0eriz5rXB1986vPil1scZCmEIOpVt18wQqUbmTUDtFU6BcWXEMva9XcEz4kkX8StuBO9tPYrz2LFj+Id//Ed857vfxf79+yHc0/WBJ9avxw9++CN88AN34it//MdYu3Zty/fUZs9DbN21cPa/U1HKKBUrboYwSjVMq8G84DIVWRkEhoaG1Nx9+zvfwb79+xVRlEPN3Y9+hDvvuEPN3QUXXNDS/WLnX4bCS8/AfmOjV7OkHGrNHFA1NFRy2oyAH27eYopKeDaMkEpiNVBPpk4QzD3boY2PTlVHhIC2ZDnMc6brQT09pNj89X//7/HNv/orJUpzzqEbxukvXcfo2Ci+/8Mf4kv/8l/i1Vdfbfm+ErHzLoM2f2FVW4ba9E0wu5JOKl1SqnG9fYhfdrXK42gVkiy+/ud/jr/85jexZ+9er0BThbkbGxvDD3/8YzV3r7zySkv3ZOleb/ymWeFNpqTR2M63VPe0MBBk1XAEKGGEQhiixeSZWp/lQQTET4ApF6r5zraqVnHz/Es9q3kLKBaL+G9///f43ve/D9u2oU0+scpvKXVkTcOzzz6rNsmhQ4daureENmc+zHMvqvp+1Y0/DapKF0LAOGtNIIZOx3Hw37/1LXznO9+BZVl1zd2GDRvwta9/XRFzKzDXXOAlxFUkWgZj305oYydDCeQKwzISRO5caBJGK3UJa31SYwEOmjPlHdGPHaygpwrw3j6Yq9e2LNK8/PLL+O4//7MiC16nZV3TdSVm/+SnPwW1+qQ1DcbZ54OlUpXVElV5trFLTjRlqnQx01RSGUukmh+zj5dfeQXf/d73YNU5d/JklnO3/qmn1Ny1AnlQyHmrciNooyf9mIzgt3eQV/QqQFIgtUJDocZWm8rW+mitBkcNQ4q2xw+qSkuVArW0+YtVQZdWIMXAu+65BwcOHKh5Ok4dGkOxUMBdd9+tjHutwli6EtqceZVFCWri9KnWd4XIK/oTgO1CShf33nuvslk0One2ZeFXd92Fw4cPNz8Arql8E5ZMTf2yfo6Jfmhv4EZPFoZKIhBIa47ACYOVJIwWDsVaH5WEUatnSUOQpHD8sGr7PzVTEdCXrlDxDK1geHhYSRjNxPpyTcP27duxa/fulsagrtU3AG3R8uriW4P9VE7v5Fb+BkFb4NUtbRWjo6N46eWXlXG40Q0k52737t3Ytm1bS2PQFy6FNji78vNzXXXgKO9awBs8aJnFFcHU2AjNhuG2JGFQVdKQUikPopWFH+qrDx2rnKilGyryr1WcOHFCuU5ZE0E+UgQfz2SUdNIyuOZ9n2r1MqoRQBVUDfiSUtviFV7tzRYxNj6Ow0eONDV3kmCyuVzLNiBVrHnewqpzow2fUAmLQRIGU1J0sJThlqT+rgzcIsBxRdO7WtSoecHlggwkws4rkqOyDyffy88bCeKUtG27paAiIYQy9gUBfe4CVYG74uSKBoQgqiEGapoq2BsEpGTR6tzJ+W8FzIypjNZq5fykOsvyuWDL6YWwMUsSRqujDMfoqfTP5hPRyW9IWwlywHoQRiZ5CasInh2vNADwZDqQ2Iu+vj4VSNSMS0t+xjRNzBpszUtTAu8fUIVyKzJ5g8F2Fb+OHxXLZ81paZwlxOPxlueuf6D1Z6jNnuu1QJ8MBvB8Vr2CROChAyS1p+p7qhGE5iVREkaTENPYMcyArNJSJWHFYgXaJa8dQDze8j1mz56NM888sykbhjwh58+bhxUrWleNJFgi5UVdVuOLejukqz+uXAxZzhlPB5O+3t/fj9VnndXU3MnNMXvWLJx5RuuuXXlwsIrxJEz1P/Gym1u+zan7Vasf2wLkfgwiZT60XBLbad5TIr+YW+OjkjBaHzjz+otUSjaT95Y6eACVtOQpecdttyGeSDTM8PLvr7nmGixfFlAOi2GCxWJV80oaQ+UPMDOuXkEglUrh1ltvRSqdVuTZ0OiIcOWVV3pk3SKUl6RKNzQmXM9oHiBUEe0Ar0f+fgzClxMaYThu835f8nWuajA4D6Qpi9/Su+I7rNTCMADcfvvtuPqqK6eEM9eC1N2XLFmCz37mM0gkWzcgQkU082AqmtcMlNECTf+//bbbcM1VV00Jo68Fx3WxcMEC/M5v/7Yi7FahGk9Vc+uSAFNt+1u+zQSCWdunIPeh7TRvUyxHaCX6pAgk9aZmv7pTI0Xe4EzZMVr//kFGjVbHokWL8NU/+ypWr14Npw4jnOu6Snf/8h/9Ea699trgBjKd3tGFOVTz58/Hn/3pn+Lss89WJDqdlCbnrjedxr/58pdx3XXXtW2cQSJwwhCehBEEQpMwXOEZPpvdj7UaFmk8IDsG95shV9gp5NiBBuRcf911+Ju//mtcdNFFE9Z/KWaXDLzyJRe7JJQF8+fj61/9Kn7/i19sKGBpOpC8n11FymmEO2s2jqkutTULqZb957/9W1x6ySVqzirNnePP3by5cxXB/MGXvqSMnoFANciuIuEwDtKMwKRR1T8kQL5gikSFkviDGGJoHXeEIBRtgWaTtD2vbOUMNsnApmQNu5XqLwQYBsgwp/IFY6BCHrCDK3zJGMMH7rwTK1euVBmXDz/yiMpYzeXz6tQ3DEMt9nXr1uHzn/scbrjhBpVQFSisQuV07YkxNnKxyuX2ySqqV5CQc3fH7bdj+bJl+D/f/S5+/fDD2Lt3L/KFgiILOXdz5szBussvV3N34403qt8FBbUWSs2wJ7+naSAzFph4xsGClTCYJ120EhdVjtAIQ0oHlt28ZdZVXdorq45yOuMab02ZkCqPYYJUvkOFhZ/NQOSzXgXuAHHOmjX4q29+A1/8whdUFOLBw4cgXIHBwUGsXrVKqS2t1nOoBpHLAPlsxYXfSE6f97eVS/JTMa/mLgysWbMG3/zGN/CFz38eW7dtU0FZruNgcNYsrDrrLDV3vb2tReZWghgfAVWyP0npxoiBAqzCJsmixZU9BXIfBhEWjjAJQ6Jou2qgzbRoU7EcRIhVmbyYzqFx1gJzeg9bqHL3UxvYUC7rNQUKoXeGYZhKJ5evdkKcPAFRqFDgGI2bcxivQLOKMIpwh08grE4tUuqSxCBf7YI7dNyTMKYEDBIokYRIVHZVNwOtxTajkyEP7KJ/cHdtX5ISSqJQs+O0a6jCMc6UHaPp5yRPB92A0z97qtKoFn4B7tHWU8u7Ce6RgypuoCJ4AwuqViii48A98i6aN8f21kG1Eoc9faB4ZSm1GQSWJ+XDMw0E14QmPMJQupPwrLNNzoFTI2FG5wzxVg2CmgZ3zgKQXiFc2nXh7Nvd1q7docKxYVepugVfYmhUwqgIqUoe2BO4HaNTcMdGqhMgg+rsTvFEII1E5LkVSBSzD89bSbBrnbwNIjTCYH4sRdFqnt1cKjVfroyE3rodw5mzUImVlU4IZ/87EKMnW7lD18AdOgb34L7qBs8GuVf9faVLMQb38H6Ik8ebG2iXwT18AK78LhXKN4LrsOcurHzgNIHADZ4ALHlou40f2tW+TV2Ewb1A4IZnREoHRat5w6cKOKlho0jqvLV4DBKqJqMzOHfqA+cM7rHDsPe1nlreDbDfeVvZMCoaPHkThMGrSBmMQQwPwd69o/nBdgvk+nt7MygzPtV+IdWReALuwuWBuVQ1HjBhqP3n2REbvapV5QN1EYbhcilf1nPUyl2Xm0gFIaDgD7gZqJBWUT2k1VBqSQtCEhFEMg17aYV8A8ZBuQzsLZs8g9cMhlQP7M2vKQ9GxcXdBGGoz1RMr/DsP/bWTTNeLRHjI7C3vVWl6JCAOzgb9rxFgfU1DCYL+xTkqApF0YxWPUIaq+jqqpMwjBwx8bi80DR/egxEvwQwqv7FgIItlC2jWd60aqRdS+kiaWitqSWaBuuMcz3X2OQbEWBtfhXOsRaqNnUBnIN7YW17s6qRQm38JiaxImF478Da/hacQ63V1Ow07Le3enasKgYbe9lqiHR/IIFqQdsvAC9DtdC4ScAG8JhOOFHpzboIg5mcOMQDAP4ZQIV8cAVJEt8WjH1LEYe/Bh1HeHaMFiI+p1NLWrIsE8FZuALOvMVTDZycwz16GNamF5u/fqdBAsWNzys1oWLxHAbwJn2gkjAqSiacK/VH3jeUrsJtgJTGCi8/4wVtVSjfKA+Y4llrg8nNUd6RoPKjPDA//kK+Jl1WHvoVyUB+BMADxPE9GGZFd1pd3/bqtUk8+MaRk4LjLwzB3yASt4FjjhoXKfvGEU3Dr/NW/m5dS0hK2w5AOcrlHswVBXqbDPmUXGEJQkyrPJkJjSOmcWQdtzlOEgS3bxDF1RfA2L9r6vuui8ILT8G88HLo8xc3c4eOQp6QVmnjVliQvNqmrwPKjmFULwYs7+tcdjX0Sipfl8Paugn21jcqx2kLAXvhMthLmitbUAl60PYLBuQtV3lJyiBH+6Cu4Veuy24HaCUYvKdPGAPYc4LhJ2u3D+1d+rHKfXDrVppm9Q0grsWHfvXU738bXPuiS/g0EX1KEH2aC/q/bv4vqe+lEulRjXgewGvlhtZ80VXiUbOwpnGvplpSS0idiMVzLobbP6uylHFoH4rPPz7jGvCSVUThmUfhHj9aVbpgZouNbYwqn5fzdvwICs8+BgowxL4dEJkxFJ5+xDN2VmidKaWK4jmXQPQOBOJ2Z2HYLwSQLziT+czSdbxwy9pZv9TA/zUj+jTz9vCnBOFzFud/Y2r63l3nV6+YVvcoL18Ww83npHHHVf8RmqaN6oZxWL4M3TjMNGP8l/8auHHNADbtzbnEaOOEvYN5npIKolHdcASpVzX0GLw1/U+eGAuWobjm4qnvqRrtAoXnnoC1/c3m79EBWG+8rLp3VYOULJpVR+q6BhEKLz0N661gGjK1BUQoblgPa8umygZiqcLOXYjCuZcG6h0JOv7CdgXyxSlkNuw6eP3B14R8aDndMI+qfayrvXwyGU+4N5/bhxtWVW8P0bAC9pFLaoczX3jmIBwnK1WSPQAGmF/tR4pHyXhzsq/rqyVmFbUkrnOlmoyJJtUSCc1A/uKrENu6EdrJE6efyIxDDJ9E7td3KbWEDwZTgi5MuEcPIvfI3d4pWSXAjbcoXSgw7zrCruC8Zxw0Nobcw3epRtZB1EgNG/aurcivf9BLPKxU14Nz5C+4Au7sBYEF9emB1Xc5hYLlVjqkd2q6/vbt5zYf8Bh44NYt5yblxj4EwqbSElJ2jLzTUiOVYg21RGMMabNFbwkJ2IvPQOGiq32ymByXwZVOm33wF6BCrpU7hQ4pUmfv+ymc3W9XJQtm+IQRAJhe41oah7NzG3IP/Ey5qbsZ7omjyN7zY2XorkgWwoW9aAUKF14VaDq7EbQ6QkA+707Os5K/ftkGDbVy7VAiPdOHZ2XB2IuS6NQvGJArui0V8bCnUUvShqZS3lvJLYGmI3fZ9bAXr/Dy68shn6wUV59/wjuBWqhmHSbIKiL/yN0ovvJc9T9igBYLtOMkeKya99G7SeHFp5F77F6vzkgXQpJs7v6f+obOCl+ECBSLI7/uJr9jezDShcaCVUfgR1hnC+5k+0WGAS+OpvtbegDhVNxKqeTxlwAcRZmLJ190myZmyRWFGobTmMYVabQEIZSomb32/aBUeqoF3M/GzD30K+SeerDrFj9ZBaWG5B9/wGsSXGWyJVmwgNNJlS0jVu1NBlgW8o/ei/zj93WdEVRKPrn7foLChidr/BGhcO5lSh0JEsGVm/TAmBfdmbem7LXdBGxKtpgkFwphvO9KBo3FdvpqiYIk5EzOaYmYpVpSLbdEzk2fqbXO1lKKWHMpcpdeNyFVnAbuRYDm7v0p8k880DXRjFJNyv36V8j/+i6/SE7lR6tiJ6pt7BYhCaOqaiLnLZ9D7v6fIy8ljS6ZNzE+guw9P0T+qYerFsmRqoizYAly197pZaYG5EqVS9VsJVK5EgjI5it5JelVXdMOfHhZa/cLLfmMZ90MGJ72I8cUcgXHi/pswVtSrCFlJHSOtK61xqG+6Jm77gMqNqPi4mBcGRNz9/4Y2Xt+BDE23ModW4YYOobML76nJB+5KWslmGmJUJqN+zcAeLxGXIcKt88id//PkL3rBx1P7HOPHEDmR/+E/PpfeypmRbIQEOk+ZG76qLJfVC3V1wR0zlXAVpCQeySbn+JOzRKxZ5b05ls2IoVWQIcl4gKU2wAmDgJYrqRSmxRpxJqstahi411CokpBb6kPSilj3HZb61QtVZO+2cjc+jFo4yPQD+yeagSTJ2ahoMRs9/gRpN7/MejLz2r+ns2ACPbOrcg98FNYmzd55FbNgMb9zRxqyaRTpOTkqjSXkfNWLCL/+P1q3pJ3fhzGilXhDmoyhIvi5teQe/DncN72e69WcaGSYSB39e0orn1f4EWSpXQRaKwWAwpFV6n+p9unaL8Ae/Gk1WzBzFMIrsLsJHzvH/4Sn/vDr+YEicsAqFbewu+50JPUm+4dKfy+JNVUD4Mz5Byh1JfWvCYE0T8Lzqx5MA7sBs+MTj2afZXFPbQf9va3QCRUlywWC6YtQC2I4RPIrX9AndTOnp1+FFaVb8y8TVzVxhAwmE/oVM0uXJq3wwe8eROu6izfjnlzjx1WRuHcPT9Wz00RbBWygKYhd9WtyF7/4UDrdsKXLhK6FngP1eFxC+M557S1T8B9RZg/vPWcvpYt9aERhsS/+PzXiw535oDhRjlHzDdeppM6jCZ1N/LrHsarxGSUDEiZFupwnLoZqfR3t38WzIPvgGfHKpMGY6DMGOwdb8HZu0v1NNH6BlTbwKAhxkZQfPlZpXcXNzzlp17X6KEiySLuk0X4HRVO3VavgzT8eXO2b4a9d5dywfL+WeHM2/AJFF5Yj+zdP0Rx4wYvR6Ra/xRfUstdfgOyt3zMq/sacE5MXNcCt184rsDx4aKS5MuWQ4aB/Xe3SK/95H//fy3fI1QBVTMNQaLwNIB9AJTcadlCGT8TZvNcVXAFkoIpaaISegxNhYtL1aTlPUKkwoBHDRO99/8A+qE9VQN6YNuw33oNzq7t0FechdglV8BYvRbanAVgRvNBD6pc4LHDsLa+AevVDXD27lRivdfKvsai4z5ZBBGg1QRKEo1bqNH7UqooTmnetkFfuRqxi7150+fMV93amoUkBffIARW1WZTzdmCP8taoPhXV5o2EKoiTX3cjMjf9JkSqL1C7BXzV2Qw49kISRC7vqujOSWfHVsbEC0YsHgjjhb6MHn0rkxSi8C0ifA4+efekdCydn1Qhsc0ibXD0GtUnfbjo4FC2GFxrEc5h7tmG9K9/CnPXVu931U51+SVJALqpRG19+Zkwzjgb+tIV0GbN9Xqc6vpUyUB+TriqQjVlM3BPHFFl9ZydW5Xk4p445hnnqonRZVBuznhwwVmtQFiAyNeRBa6+v1AkoeZthZy3NdCXLIc2a55qJM10Y+r3l5tcdeuxIbLjat6cvbth79qm1DUpXXgekGnmTc59IoXsVbcje90HfI9I8CUapSqSNII9q4kIh47lMTRul29qF6C/c3Xja3ee2x+IWyp0wti2+wT2jNPHAfZPAPrhx84vmZdAb9poWtLTGcNgrHoOiUuE/ZkixqwApIwSOIc2dBSpJ+5C4vUNYMVC7RO+RBykyl2rjvCsvx/awGzwvkHVtJjFExP5KlTMQ2TG4Y6c9Cp8jw57Xg9lwcf0C94HMzzJImwDZyOQqombr6GinPbH5fNmgKdS4H0D4INl8xaLn5o3KUlkxiBGhvx5G/HmreQmne409+/nzFmA7I2/gcKFV/pl94InC6ky95hG4Lkj+YKLvYdzqkJ42RI5CuCzMXH00RsuOjeYewVylRp4ekcBmczoMq5p3wdwDXw7xKxeEwvnJFqyEvcYXL2qQZLFgUyxZl3QhsE5WD6LxGvPIvnsQ9CPHT61maeDWph0Sh9mZVIK+f9XGmqp538jE+RHXFaPuuws5P4TBU/iaMh+WGnelJG3/H3/vxudN6lu6AaKq85Txk1rxdmnrhkC4rpUl4Nn8uPDRRwZKpz2OwIeZOCfddMDJ+88I5itHvoZdO2qOB5+deQgwfk1gMsBKCF5POeoiLREXGv62eRdQlyjqraMtKGh19SUehIY5IkWTyF3xa2wl56F5IZHEHtrI3hufPpFWmsht/I8mZ/PEWs9+zRMSBJTcSA6IIp1ShuYZt7Q5Nz5a86ZuxD5992A/KXXq3iLMKvEa4whFmDryxIcR2AsY08ueZJnhPvStjZ8dUBkgbD7kpSgxXWHET0MYD/852vLL5m1WyJyRxDyNfJTJI8Mxg1FKIGeF+TVDbQXr8TYh38Pmds/BqSCdbvVC7n55CbUUt1NFhPws1vleBV5hOqnqwGNoXDRFRj59B8he+0HfONmuC0lTK3FMgwVIK+WyTtTQsEJ2EagpygdjLGzhLYQxs3npJFnsc0EPDohfBMwlnVaqpMBX8qwpinhJ0kjFN1LCIhYAs6KVeADCegpUpshdHWA+XaKpE8UscCSJ9sG5geSTRBHk3VFG76vynkhaP0GCu+7BvayVd6NQ7BXlENJF3oI0oVLGBm3J3OdlN0eEpq265o1wbqo26bpfvj8noJLdO9EvU/m5eyP5+yWDmaXCDmnemVxiYGYrtysYZz/jAjEuYoI5GWbWG0CI0DyKKkdcUBPea9utVU0gpI3R81ZEuEQLj+dYOWzQUxXwVisTRXhJVkE3dVMXi5bcJArTE40o4Mc9P+z9yVQclTnud+ttbfZRyONdoSYRUIImc2WhYUWsEViHib4OAbs45N4g2MH85I8h9gJNjbmxA7BwHNYEoixXjACO/HDBssGIctgErMaSSCBJCQQQpq1Z6ant+qq+nPurapRa6ZnNEtVd8+ov3OaQV3dXcu997v//v9cVzXfs/yKZkd/4JXX0SzNeZ5Av2XAlfx+uWDA2bEmqkJRJj9LMpaNkDV6MBdXSRpDKrKWPWaK/ORAjkVdUd2oMjdoiS9uz9hvun8tNx6BhtnUhjWpH2qMzNyoybxXKeIpigHhANIcCxd/Tvkv/szIHqfG55k7pDGeHSd5WXXGrQhQJafurN+wbEe6ME+MaiYi9mtbrX71w23+31/RCOPP37cct790sLddrvopGC4GUMvcep+JlIn6am3SEgDngKRpQ5PkgjVbOao0GbWmgu60/ynpxyff8HT4vMmKPKKwh/37+MePN0VmE29fOFMw4pnZJ/6FfdyphHyClfLIgo0hP/PfUlTxCvxemOMZ8builgjUSlnCfjHslztsSf3PS7u1tK8ndFFUT32jHiPLYk/LoP8CsAlu2ns8kRP5JVORMgyLkLZsREf5Df5QG3QV6ZyNwclWGC8Ecnqb2OOJSGQjJ/IpyAcTAztOHj7W+xESISf6oME3scmmQYwFLl3EE4awYZwY+seelmD990+bKZDZVVQN+FNnzuKyejeBHvH6mzhBJyYGUlNzffLHkzTH7mGiyQyzwuqobthJn5tLGGqoFE6SCiYFR410JIzgBk1mTEgXfi9bLwx8cOSa6QHhkRfS/xa/siWYrajoJjNNVYmBPQngOe89i4D4gCH8yVO5Ta7LDZr2mOHgMU1Gg69eEwJJMkgtUipoBb7A5iqkrAbGF8wN0vLbjQq3o1nvgCGaLJ9o68R2yWK/ba3a6Ps5PRSdMC5uj6BKo6ME/HhIyoBT87M/mZvy+GVMGrOUHz9Xva6gWvNRGxNeEr2iX0wXEECqJog+KKiiwZb/v+/FXQxPYQfQZYMeshQ5/ollK30/r4eSOOWYotlkS79kwFDTDLKB3oEcjClmmDqqiT2masJZf1ZEFZZrf1L4ZNiqXtFIphFIC4FkJRCVhKsiYUUJJDbGdKWLYSX4bID9GjLboanB2mVKQhirz6iBoutdNrDZ6wrvVQuKD0xdyuBkMZgbvS0B3BaLUy4aDHe3kpiYgBURY5qAwZEIfU4xR8CqCP/FgWQOydSIAr8dJNPmTX/fEN+4LOL7efNRsrAfRVHIluwnAfzKczQSHI/JyECUiSNj2UgNbxUw/Bok5sMSJ6fRkRaafuGWpyiEZ1YNJupNV+RAIjpFNfCcjZ5+Y3gypc3A/r+VTj7zr1uCry1bMsJY36Lj0lWzemyZHgRwDF47AtN2RK4pBlgJ1SQ3etFgcnu2+lT/2fGSCMKoKCblDybGi7iE4eNwKZIUiFcEbipFPGE4rTpOPHSACJujsfrU57T6AM58IkoaWPzi8zaytvlbEH7qFPtwxa7BHBLJEUadCYMzcSJnwyyQ4ZbK2Rg0pn4OAS7iaq6IW+GL8ofEYIt6GgU63E0SMmOIBBD+Dc8pkDbRN1JdN8DYQ7KivLSuvcr38xZCSQnjvPfJqNGr0mBCytjjvW/ahJ7+rJA2pgouRfQbtvCccGGDk0jatEXKu19h4kLE1ULTP7HjlAANSRi+tTt0q2gFEaAFN0iLqyLGyLCDVxiZD8mKVrQmLyWf4etbY0jJyk4C+zdOpHAHIJm2hGriB7haEjcs9GT4y0afYYMxyVdd0xFxS5WrXcG4QQAxyVcjtSjoG4DdwkP/YA79yRFBWn0g3KdC27e+Lfhq6x5KThgc1aqSY8zeAhKNjwSEAXTAEE1Z/NgIuFbCVRP+IteIFPaxcjOpuqMTV1D2YJLkmxtcl4OzW3htD7v7jeF9dvgk3moy/FwOKUVVgstihm9srcLL/z54hGT8AMARDBlASZQey00xAnQ0SFzvVBVhrJoqbE0XzZwrRozyh4jM1aa+K6uSM3/8TizzYFmE7r6sCDcYdoa3iPCDJWc1dK1tLY7twkNZEAbHBZ9pgpKj7cREBKhIKeUPKZE2haQR1DIUxip16sYqUriEUQZVdwOqRTmT4NQvmVrqtyzIQg2MLLyYi77BEapIhoh+OCjj+WMHit/UumwIY0N7FMbsZNKycB/Afu+9z+d/T78hEm2CinJQJUkUZp3s4DMuIXIRVy4tYRBjhdPsK8gDifYOthqa9C/wzSUqJNPgyCKdtdAVHxHRyf/xNDE82KA3GOuXFj9/qWwIg2POW4uQaIjsJ6K7hipzuapJZzxbyErsG1RZEpLGpEjDbSPgFNEp0WJ1i8Jg1YcgzV7ge/MdX+D1fi2xrYcT+2STBT01Vg3wHiyb0MVVEWNEAONhEO5sjpnvrn+jLrDzj4WyIoxzLmSoZhoZdu4JG/SjfNUkmTaFPjelJssngS7LLmlM9JsEW9acDMgSgmwb0qJ2hC/7LOQ5iwIvajsh2DZYrBryuetBsdrAa2iOCU6sqoaJloaWhGThf4vD4egdMNA/UhVJA/QvhiJvz7II4bK+QK9hNJQVYXD80QIFkUjVIBjuAfC7/GPxgRz6T+zs5DsEaSjKxElD7FqlIwzGGGwzh8G+OOQzzkb4ii9AXniGK2mUWEWxLbCaeoQ/cg1wzkbkiJXukrgkpihuo6Lxf01ybV1aABmoHkQmasos5BXh+JUF9mCVGjLev6QmsGs4GcqOMDgubovByDUeIOB7AA5575s2oSOeFYVPAyUNt5XduNUTkYA2eTHXL9iWhe6Oo8jlTChLViDy8S9BXX6+E1BWClXJbX0oz1+KyJ9cB+2CDyOZSsPIpEuadsMlQVsef/EcjyyCSFf3wB9HNmejozfjVNI/8fAek+F7lx5qOLyutXgxF4VQloTBUVWVhUzSNiLikkYS3kM1bHT2BmvPwAnqyXjOQqLBr62GSpqvKoHQ+c4hpJLicUFuPg3hK66FvvpSMD1cXLuG6CimQF35QYe4lp0v3u7p7EAunS5pop6QBMdpoC4GWcC1W3TGs07i5YmH4jZwZ5ZZzz/TWrSAzlFRtoSxoSUEPRTO5oD7AfzHUK4Jc7qm8Yc71QS1k4FPkqiqjMvl6kQPllbCUGQZx94+iK7OjqH3pJpGhC79NMIf+xzkuacNNWEKDK5UITXORXjTp4RkIc87XRzK2TYOH3wLOSMjVKhSwYnKVU4qYHjekKDJgj+y7v4s+hIj3KQ5Am2WGB6OhKLmh9om79nxC2VLGBxr28KI6OFugN0G4Pn8Y/EBQxiHgha0NVkaH2kIwiiduEguYaR6OrFr56snXpqqQztnAyKfvAHa+y8Bi8ScRsV+EgcnIssCC0WgnXsRolfdAP3Cy8AixwOLEolB7N/zGmRh8CwNYTDk18IYu8hSVFMCN3DCjbfo6TMKDcdvJJvdqYYifZvOiAV+HeNBWRMGx8b2GCLM2knALfn2DC5cdMWzGEj43zZgOFRZQkxTx3alMSYkjFKaF0VncJjY8fQ2ZLIjg3qEivK/Po/In14P9az3i8UtVIepeCxs2zFqhmNQV64WpBS+4jrIC9tGJOO9/fYhHNyzG6EAmhFPBLY2dt6PJkmIqScZbx/gef86ejLIjWz5+RqzpVu+c/bLBza0BFsUZyIog9DEk4P0KCnZ5JMmSd9nwDe8niamRcJIpCgMsbAS6GL1dpx0zhQNkUaAsZIX0SEQ5sRCePm/n8Ou3btx3jnvG/EZpmhQ28+Hsqgd5oFdMHb+DuZbr4ESfYBl5jU+LtAAeXgXdVWFVDcLyukroK54P5TFywRxjIYdO3Yg3dOJUHstqIQRqU791cLjpIt4nODCvT3wX88YFjp6ssiMbBfaScB3SbJ/d8vrF2JNoFcyMUwLwljbGsWONwcNK515EIQFYPgSH1t+jD/sYz0ZzJ8VRkgPph2iB0+nlZiFjGnhxOZlDLYeKSlhcKmruSqMROfreHjLFqxaeRYUpfAQc1VBXbEaats5sI69jdyB3bAO7YXVdQQ02AfKpl3pw/2CxABFE1KJVNMAefYCyIvboJy2HHJDsxO0NgaOHTuGx372M6zRJLFzBxlPMxZI1PMMu56j48TvpaiLRLIijKFh8nmbxeBIj1+SiP1gkOUebQxVm2tK7BUZjmlBGBxrW2LY/maqbzCTuF0leSGAP3GnsbAsH+3JYN6sMDTVp8K+o4BPprBr00iZ1gkTn7yyb6VaDESoD2mYG9PxyKOP4sqPXY4PfOADY39J1SEvaBEvyqZg9/eC+rpgD/SCkgOAlXPuSQ9DilWDVTcIQyqrqhXSynjx2M9/jl1/eAVXrVkKmWHMequBgjnFc4gLUO41iKK9RfCEeBAekd6ssF0MI4scQA8Rwz21oVh6XWv5qCIepg1hcKxriWDnS5kjR+TkzYxRA3/Ls54lUqaQNJobw0JFCRLMjdWQJCZUFK9CubC+MwmMzJIY9cjdJZfNqsHW3+3F7XfcgdbWVtTXj690G9MjkJsiQNN8X69rz949+Od77wUzDSyujZY4jIy5xmlnfLi0E1FlXzKWxwNbkEVGGO2HHyLglxZwa5KqOj/RWp59bsre6Dkc++vSqIprrwHsGwB25h/rG8wJm4ZlU1GWK59sMU1FSHbEWFFYVpJLGljJd+/ljVXQdRWPP/EE7rvvPuRywRuGR0MikcDt3/8+Xv3Dq5hbHcG8WKh00gWcHjK2FnIkRUVGTPOnvMF4wCXA7r4sevsLePcI/wXg5lmmfnBBrPTxFqNh2hHGFUvqwOo1MiPaszbR3wPYl3+cM3dnTyaALu2FIQJ7NAUxVYHERd0iibWjgd91W30Mc6rCSKXS+Kc77sC/P/QQLKv4yWiZTAZ33nUXfvzww+LfS+tiaAxrJTR4kpAAZT0kxqsYxs2hMwuyMNDVZxQgTNppgb7WFDNeOlCfweql1UW5pslg2hEGxwdX6ogylWSb/ZKIbvaK7sBdMD2cNHozQvwrBphrXQ9HIq7xr3RbKL/l+VUhtDXExG7a3d2Nm775TWzZsqWopJHNZnH3PffgtttvF8QlyTJWNlUhpARrYxoT/MSSDD0cDaQVwKindUs0dMWzhebkARBuSqeSzwzaNbjqtKaiXddkMC0Jg2Pd0hD0cCRnZ9gjRPRtAEPhjd4AeepJsSCpOpgSXL/O8YDvZDW6igua64QrmC/Uw4cP46+++lWxgJNu2HiQ4CR1y3e+g299+9vo6+sTRtO6kIpVTTWlb/WkyGCinmdxBomPR09/Fh29BSOT3ybQ15MmfhGLVdtrz4gW5ZqmgmlLGBwXtUcQqQkZKsk/ssn+B9G92oVHGp1FtGmILu6lTnF37RgfmFuPhrAuJqwsy8Kt+Xc33YS/ufFG7Nu/P5hzE+Hll1/GX3zlevzjbbehf2BAnNsmwhn1MfEqbUEwEqntIpekCNdxfA4WlCze4xudRew/6mNR8yNnBd9TxA9Ma8LgWNce45JGyrJy94Lou4VIQ0TSjdGg2R+Qo46UQcUriwjLZ1VhZVP1kL7MF+7AwADuvvdeXH3NNfjX++8XJOIHOFHs378f//Dd7+KTV1+Nh7c8AiOXgyRJLoExfHB+PZoiWsniL5wLdWthKMF7IPh9dsczo0kWRwn4Zlqy/l8oFDHWtZWf+3Q0TCu36mi4sC2Ep/b0p8xs5m7R6JSx/wNAUDafn70DhohgntMQgqpMtGzK+MFkRRRmKTX4PdfqCi5e0oTt73SLycuEg8DZH1548UXs2bMHWx55BFd87HJsWL8BixYtgq6PfyFxkkgkEti7dy+2bt2Kx37xC+zevVsQhZxn+OWfa4zouGhhoyiaWyxj9KjXrWqgkwSZTQXMq5gVzzp1LUbe7zGb0a2KxTZXRWKZjWUYazEWZgRhQOSc1GD7nv5ENpv+vyCZwNhfA2hEXps5vnA4aehBBHd5u5eql00h3vULG9BaH8NrXQOiaK0HRVGQSqfx1LZteObZZ7F40SKcd955uOD889HW1obmOXNQXVODcCgEVVWFsTSbzSKVSqG3txfvHD6MXbt24fkXXsCrO3eio6NDfIYThTzMS8Sf+bnNtVjVVD28J2gJQI4EGKBhOifKSWacxMiRpzgC4FvMZD/SI+H02tbyt1kMx4whDI6d+/fjzCWnJ7NG7p8ZkGMMfwNgyOzcP5gT7N/cEEI4gDBykuWSp7h74Dvb4poILj19Nvb2JNx+X8fBpQ3+Mk0Tb+7bhzfeeENIHDU1NWior0ddXR2i0aiQOvhnOMEkBgbQG4+jLx5HMpWCbdtDv1MoBJ0vmIiq4LKlc1CjKyWXLsRDUDUwWfV97EXt2ZyNY70ZURWuwO8fBti3sqa1OVoVzaxtmX5kgZlGGNd/9Bzx9+m9ycHBdPZuldlpBnwNwFDoYiJlwrLSQtKIRfy8facaNXzsqDXFqxEqwBUtzXhs/zHs7U4UrHLNGHOkAlkWBMAliO7u7sJSEmPi8/zlEcVY4BLF+XPrsH5hY5kIXeSojLL/wXWprOnkhqRG1OLk2E+Em3Ky/JNwWDc2TlOywEwwehbC+rYoYmE9Y1nshwT6WwIOeMe8Eu5HOtNOc1s/J44kl7xMXz64NNVWH8XH2+ZBkU+uhnlEwKUFRVVHvhRFkMvJiAKuKlKtK7hq2XzMjuploI44IC3kezsIvgm925kWfwtgNxF9VYL5aLUeMi5ZVh51LSaLGUkYcEkjFI5ksoweItD/BvBK/vFszsZ73Wl0xTOi98OUZQK3ZydKnOI+HBJj+ETbXFwwt66oMSn8VBef1oRNS5pK7jUaAh8XPj6iFsbUrom5Bt3efkNsPunsiJKRNoDnQOwv+tOJn4XC0dxFLaWvmDVVzFjCgDCEhlEdiloZK/W4CXwFwA53IMXc8eooHu3OCAKZYu8zEVnppE77dQdTB9/ZF1SFcO2qxZhVpJ2eP9cldVF84ezFwltTatPFCRiqtjV58LmTs2zhMj3akylUX5aLGr8khq+8p9T/prG20S52S8OgMKMJg2N9SxThcLX1R8sHfkvAlwh4lAsY3nHPg3K4IzWaSDl+8Jmkh9xKU+WzSvhO+JHTmvCZFQtFwlyQV8ZVkSpdwZfPWYLz5tQUVaoZD4RKwqZmw0ilHZW2q88JyBpezwIMPwLh+tnp9AvNGmhje/nmhkwUM54wODa112HrgTmYk1V3G8T+CsDdAPrzP5NMW0IP7Sk8CcYJJiakUxPDr6ufOkiUnWP4/MqF+OgZcwSBBHF5nHxlJuHTKxYKNYiVsP1IQTB3fITxd2JXxtz7608YeLczhf6kWegnugH8k2GzrymKcqCnoRGbWspI3PQBM8pLMhY2tUZwV2cvVnSZ76Zz9A0myQdB7AYAi+EKB1y0PNqTFUbRWXU6QtoEXa8M7oSUyq5VIVdFZkd0/N3qFiQME08e7BT2Db+ms01Og+I/bZ+HG85dgpgql42h0wENFQJy9snx1zFlboUsvpn0DuSEe7jAc9sLYt8zrNzD1ZHq1EXt0ysga7w4JSQMD19uqse+dBNULdSvEt0DYl8B8Pshu4YrvscTORzuSIv6GnzOj39ReUa18nysfAGfXhvBty5sEwZJclUIP35XlRiuXjYfX1/dIlLYy4ssXIFCVHYPjXtAvY8Npky825EWqekF8pIsgG2XbPaltK5sDumh1BE75fvllwvKc2YHiM+dy7BxWS30cMTY06k+RoTPAXiIz4v8z6Uyjp56tCc9IYMoO0lF6lKD747t9THctm45rlm+QNSwnOziJvf3miI6/vKCpfjGmlY0R/XS5ouMBckljHGMJhNRm7ZIXjzcmUYiXdC+xdXafyGwaw+dZWyLauHcJWfW4urljUFcfVnglFFJhmNNSwxP7UkT2bTLytl/DWa/DtjXAmwB8rwoPX0G0hkLjbU6qqOKKMs36nogcuIwZM9tV576KyeIRdVh3LymVVTnuv/Vt7EvPujYIKSTqymcEPhLV2SsnlePL65ajEsWzxI9PMpOssiHdHK3N3PVq0G3+bcgikJSJsN+EO6CLW1WdSXevjeMC5eXPo8oaJyyhAHX7crx9K7+Y6k0u00OYScj/CVAawAMZSglMxYynWnUxlQ01GiiOvmoULlKUv6PlS/supCKL5y9EGvm12PLnvfw60OdONiXQtZ07C/568rjAYkBtSENZ86qwmVnNOOjp89Gc0wfIpGyBpf8+PiMcp1ef9PeAUNUbssVjs/JANgGYv8oE3tWCYXNde3lVdk7SJT/zC4CspEqhKRB49iRmscbmrreZJCuA8PVAGbB23VsEhMpmTEFadTGNFFs+MS550oYAWZD+glvga9orELrB1tw1fL5eP5oHC8d7cP+eBLxjIGMZYuQ8piqiHqcyxqrRDLZyqZqYUSFG3dR/iBHVdRGBk8JadIipwNZvyHUURSWD98j4AFidP/83tSh3rmNuKjl1CELlK3MXCL8+rWsKDWfysZjErFNNsP1DDg/X9ogd5eNhhQ01mqigZJQU+AY1aS+Y9A3fxus87AbUTg9wCeC7N6HYdkYNCwkc5Zo2sQJI6LIiKqyKMevuG0Cylr9GA6yQdX1MK66Eda8Fqdbm6t+pDKmIAonz4gKaSxZAM8wRncyQ3vSCOUy7y5pwBcjp97yqUgYebhkuY5HX9iJusjiwVd27f3Jme2n7SawzzLgkwCakeeP55MrbVjCrtFQrSGsK068luzUW5huU8kzYHIojKE2pAiVhQ0dJ7fpGSE3jXjiBLjlB7wojIxhCTdp/2BuKFqzAFm8Q8BmInqgoaHxrYF4ArVSCH98CpIFKoQxEh8/7yzx9xev9FAItKeXWV8Py+oOybKvBeFDAISD3RNje/tzGExZqIkpqKvWEVbKo4jOVEDuf4IJ7yoRyKmIRqqGrGGifyAr3OfZnD2aeToBYBsBP5AZns3AyBhZAxevmDlRm5PBKedWHS/+eFUD+vUQoqFIetPyHz5myezzRLiZgD35UT8ir8C0RQn5d46l0NFnIidNb8KYqbCYgu6ELcbpWG9WkAVGkoVFwB9AuJEB183pyT7FFDUzT5+LC08vn0zkUqEiYYyBy9ucVOQdb6QQSSQODyjybRroSTD250S4nAFz8z/PRdyujIUaU4VuuzPx1JRcyw6MgIytoGOAkNOs0YblEICfMOBBi+zXNcj24+vm4utllH1calQIYxxY2xrBjURY99qAyRheNixjnwTpcYD+DMAGALXw7BtMgiXrQgYhrwF6RY4rHcjtuWxBjAtJciGy6Aaw1WL0QzD2nCapab4wdM2okMUwVAhjnLiVMdzq/v+2N5OJeL/xRFi1f8+YfYkE9mkAqwFUC8LwXHfkuvzdNIaKtFFEUB5ZuLAU3Y3CHbLNxAn4jQ1sBqOnGyy1PxlTsWEa9AcpFSp73ySwoSWKpjodqqb0bNra+GML9FkQbgDYdgJL2uqwfAU+cS3nNZPsiOUKThLeKx+CMARzi5DuJ4jhy8xmX5zb9M5/arLW310lV8jiJKhIGJPEh5Y62Yj3HXkPp/WGjuy05QeWU+5XpKgflrOD1xGTzhnxJZc4OJlUJI4AYB+X6EbBAEnybxhhC9n2UwsPNnYebR3A0c5VuHRlZTDGg8pT8gEPPLUP85pnw4aEubduUuc1Nd0hkXntSb8ouTaOyihMDZ7qcRLpzdCqXzzSdsk1zzVf+cayBQYkTcG6ikQxIVSmqo/o/LOPgGy5RY7KWySNnT2uL7E80qiMxsQwTqIY+niWOqxk5jNq63lb6/72lqCvbkaiYsPwEUcHeyTI8kYi1jLuxU+j69wVjALvmU3QJkRgs0gNfczc/+r0Lt1dQlQIwye896kNmB2b3QyGy0GYeLklcnVwa0LFoE4t5BPFRJ+RQ+ASA7vEIuns+OcvC+QSZzoqhOET1m7eBkWS1zKw84dijSejYuQtiomI2zMa+V6myZCpZ2R2sJBJ7Mp4OlkJ25wE/icAAP//iFU60gIwwN4AAAAASUVORK5CYII= - href: 'https://example-gitops-server-common-example.' - location: ApplicationMenu - text: 'Example ArgoCD' diff --git a/tests/common-clustergroup-normal.expected.yaml b/tests/common-clustergroup-normal.expected.yaml deleted file mode 100644 index a5326dc5b..000000000 --- a/tests/common-clustergroup-normal.expected.yaml +++ /dev/null @@ -1,1506 +0,0 @@ ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: open-cluster-management - labels: - argocd.argoproj.io/managed-by: mypattern-example - kubernetes.io/os: "linux" - openshift.io/node-selector: "" - annotations: - openshift.io/cluster-monitoring: "true" - owner: "namespace owner" -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: application-ci - labels: - argocd.argoproj.io/managed-by: mypattern-example -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: exclude-targetns - labels: - argocd.argoproj.io/managed-by: mypattern-example -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-example - name: include-ci -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-example - name: exclude-og -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: totally-exclude-og - labels: - argocd.argoproj.io/managed-by: mypattern-example -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: include-default-og - labels: - argocd.argoproj.io/managed-by: mypattern-example -spec: ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: mypattern-example - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: mypattern-example - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: mypattern-example -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-example - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: - acm: - ignoreDifferences: - - group: internal.open-cluster-management.io - jsonPointers: - - /spec/loggingCA - kind: ManagedClusterInfo - name: acm - namespace: open-cluster-management - path: common/acm - project: datacenter - pipe: - extraValueFiles: - - /values/4.12/aws.yaml - name: pipelines - namespace: application-ci - path: charts/datacenter/pipelines - project: datacenter - argoCD: - configManagementPlugins: [] - initContainers: [] - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - resourceHealthChecks: - - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - kind: PersistentVolumeClaim - resourceTrackingMethod: label - imperative: - activeDeadlineSeconds: 3600 - adminClusterRoleName: imperative-admin-cluster-role - adminServiceAccountCreate: true - adminServiceAccountName: imperative-admin-sa - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: - - name: test - playbook: ansible/test.yml - timeout: 234 - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: - - acmlabels: - - name: clusterGroup - value: acm-region - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - name: acm-edge - targetRevision: main - - acmlabels: - - name: clusterGroup - value: region - clusterDeployments: - myFirstCluster: - baseDomain: blueprints.rhecoeng.com - name: aws-cd-one-w-pool - openshiftVersion: 4.10.18 - platform: - aws: - region: ap-southeast-1 - clusterPools: - exampleAWSPool: - baseDomain: blueprints.rhecoeng.com - controlPlane: - count: 1 - platform: - aws: - type: m5.xlarge - name: aws-ap - openshiftVersion: 4.10.18 - platform: - aws: - region: ap-southeast-2 - size: 3 - workers: - count: 0 - exampleAzurePool: - baseDomain: blueprints.rhecoeng.com - clusters: - - Two - - three - name: azure-us - openshiftVersion: 4.10.18 - platform: - azure: - baseDomainResourceGroupName: dojo-dns-zones - region: eastus - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - name: acm-provision-edge - targetRevision: main - - clusterDeployments: - mySecondCluster: - baseDomain: blueprints.rhecoeng.com - name: aws-cd-two-wo-pool - openshiftVersion: 4.10.18 - platform: - aws: - region: ap-southeast-3 - name: acm-provision-on-deploy - - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - hostedArgoSites: - - domain: perth1.beekhof.net - name: perth - - domain: syd.beekhof.net - name: sydney - name: argo-edge - name: example - namespaces: - - open-cluster-management: - annotations: - openshift.io/cluster-monitoring: "true" - owner: namespace owner - labels: - kubernetes.io/os: linux - openshift.io/node-selector: "" - - application-ci: - operatorGroup: true - targetNamespaces: - - application-ci - - other-namespace - - exclude-targetns: - operatorGroup: true - targetNamespaces: null - - include-ci - - exclude-og - - totally-exclude-og: - operatorGroup: false - - include-default-og: - operatorGroup: true - nodes: - - m-m00.cluster.example.tld: - labels: - cluster.ocs.openshift.io/openshift-storage: "" - - m-m01.cluster.example.tld: - labels: - cluster.ocs.openshift.io/openshift-storage: "" - - m-m02.cluster.example.tld: - labels: - cluster.ocs.openshift.io/openshift-storage: "" - operatorgroupExcludes: - - exclude-og - projects: - - datacenter - scheduler: - mastersSchedulable: true - sharedValueFiles: - - /values/aws.yaml - - /values/4.12.yaml - subscriptions: - acm: - channel: release-2.4 - csv: advanced-cluster-management.v2.4.1 - name: advanced-cluster-management - namespace: open-cluster-management - odh: - csv: opendatahub-operator.v1.1.0 - disabled: true - name: opendatahub-operator - source: community-operators - pipelines: - csv: redhat-openshift-pipelines.v1.5.2 - name: openshift-pipelines-operator-rh - targetCluster: in-cluster - enabled: all - global: - clusterDomain: region.example.com - clusterPlatform: aws - clusterVersion: "4.12" - extraValueFiles: [] - git: - account: PLAINTEXT - dev_revision: main - email: SOMEWHERE@EXAMPLE.COM - hostname: github.com - hubClusterDomain: apps.hub.example.com - imageregistry: - account: PLAINTEXT - hostname: quay.io - type: quay - localClusterDomain: apps.region.example.com - multiClusterTarget: all - namespace: pattern-namespace - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Automatic - useCSV: false - pattern: mypattern - repoURL: https://github.com/pattern-clone/mypattern - s3: - bucket: - custom: - endpoint: - enabled: false - message: - aggregation: - count: 50 - name: BUCKETNAME - region: AWSREGION - secretStore: - backend: vault - targetRevision: main - main: - clusterGroupName: datacenter - git: - repoURL: https://github.com/pattern-clone/mypattern - revision: main - multiSourceConfig: - enabled: true - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: trusted-ca-bundle - namespace: imperative - annotations: - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: trusted-ca-bundle - namespace: mypattern-example - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-admin-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-admin-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-admin-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mypattern-example-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: example-gitops-argocd-application-controller - namespace: mypattern-example - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: example-gitops-argocd-server - namespace: mypattern-example - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: example-gitops-argocd-dex-server - namespace: mypattern-example ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/job.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: imperative-cronjob - namespace: imperative -spec: - schedule: "*/10 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: imperative-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: test - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "234" - - ansible-playbook - - -e - - "@/values/values.yaml" - - ansible/test.yml - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- ---- -# Source: clustergroup/templates/core/subscriptions.yaml ---- ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: argo-edge - namespace: openshift-gitops -spec: - description: "Cluster Group argo-edge" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: datacenter - namespace: mypattern-example -spec: - description: "Pattern datacenter" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: acm - namespace: mypattern-example - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: open-cluster-management - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/acm - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-example.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-example.yaml" - - "/values-4.12-example.yaml" - - "/values/aws.yaml" - - "/values/4.12.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - ignoreDifferences: [ - { - "group": "internal.open-cluster-management.io", - "jsonPointers": [ - "/spec/loggingCA" - ], - "kind": "ManagedClusterInfo" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: pipelines - namespace: mypattern-example - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: application-ci - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/pipelines - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-example.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-example.yaml" - - "/values-4.12-example.yaml" - - "/values/aws.yaml" - - "/values/4.12.yaml" - - "/values/4.12/aws.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mypattern-argo-edge-perth - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: argo-edge - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-argo-edge.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.perth1.beekhof.net - - name: global.clusterDomain - value: perth1.beekhof.net - - name: enabled - value: core - - name: clusterGroup.name - value: argo-edge - - name: clusterGroup.targetCluster - value: perth - - name: clusterGroup.hostedSite.secretsPath - value: secret/data/hub/cluster_perth - - name: clusterGroup.isHubCluster - value: "false" - destination: - name: perth - namespace: mypattern-argo-edge - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mypattern-argo-edge-perth-plumbing - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: argo-edge - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-argo-edge.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.perth1.beekhof.net - - name: global.clusterDomain - value: perth1.beekhof.net - - name: enabled - value: plumbing - - name: clusterGroup.name - value: argo-edge - - name: clusterGroup.targetCluster - value: perth - - name: clusterGroup.hostedSite.secretsPath - value: secret/data/hub/cluster_perth - - name: clusterGroup.isHubCluster - value: "false" - destination: - name: in-cluster - namespace: openshift-gitops - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mypattern-argo-edge-sydney - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: argo-edge - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-argo-edge.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.syd.beekhof.net - - name: global.clusterDomain - value: syd.beekhof.net - - name: enabled - value: core - - name: clusterGroup.name - value: argo-edge - - name: clusterGroup.targetCluster - value: sydney - - name: clusterGroup.hostedSite.secretsPath - value: secret/data/hub/cluster_sydney - - name: clusterGroup.isHubCluster - value: "false" - destination: - name: sydney - namespace: mypattern-argo-edge - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mypattern-argo-edge-sydney-plumbing - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: argo-edge - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-argo-edge.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.syd.beekhof.net - - name: global.clusterDomain - value: syd.beekhof.net - - name: enabled - value: plumbing - - name: clusterGroup.name - value: argo-edge - - name: clusterGroup.targetCluster - value: sydney - - name: clusterGroup.hostedSite.secretsPath - value: secret/data/hub/cluster_sydney - - name: clusterGroup.isHubCluster - value: "false" - destination: - name: in-cluster - namespace: openshift-gitops - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1beta1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: example-gitops - namespace: mypattern-example - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceHealthChecks: - - kind: PersistentVolumeClaim - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - - resourceTrackingMethod: label - applicationInstanceLabelKey: argocd.argoproj.io/instance - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: example-gitops-link - namespace: mypattern-example -spec: - applicationMenu: - section: OpenShift GitOps - imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQwAAAEMCAYAAAAxjIiTAABtCklEQVR4nOy9B5gkx30f+qvqMHHj5RwA3OGAQwaIQ86JYBJFUgyiRJHm06Msy7QtPkkkre9ZFml9T5ItW6YtySZNijkiA0Q85EM6AAfgIu4Ol/Pepokd6v++qu7Zm9udmZ3QPTML9I/fcHE7O9011VW/+uc/R4QIESLUiYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA39E4PIEK4uPduQnzVCDRiIOIQjMDAAJA6LggAo1M/S2AT/1cGOvU7kv8jBsbkdcn7tfw3995jROqCrutgDWZj6XmTLxZhJiJ6iu8y/HDDBswaOBu6yyH3rEtFMIfDYRx6UWeWUdQ1xnXOSbc1YRK0mO5S3AXFGbEYgBgHmRzQAGYAjHk8IWmBbDDmcIIlOCxBKALIOy4VdWIFMGZpGhwXwo05wnE0jbjG4QoHBo/B4QyCGI4sjuPz/UanpypCE4gIYwbiVy8dgx5jSHAd4Jp39MsnKQg3n9uHe986Eou5RpoIAwAGGKPZAJtHDHMBzGHALACDYOgjIA1CEkCcATFf6tT8taFNrBBP+nDlXbyf5BCYJAz5yjJgnAijjGEYwBBAxwCoFyMcJ2LDNuMjNljmxl0566U1aUlC4IqK5OUZNMHw/No0vs6iZdmtiJ7MDMJTb2dgFQVcYSNl6Bgby2lIxOIQop8YLdQJywWjlYyxFYywRJKEJAwAvQBS8AihXXYrt0QmAMYAnARwlED7wPg7JGi3YLSHEzukA2OOqxeEbglT0lA8DodiuOPcmBRw2jTcCPUgehpdigf3ONCzOXW0M9/kQKKgua4+QKDFYOIMRmwNY2wNAWcxYCGAPikpzADblA2gANAIAztAwE4CthBhK4F2c7BDI+gdXkCjwjYNtUiZYMi6PfjQhZGdvpOICKOL8K1rCCv+5zg0JsCtIrJunMMspHXwxZpgaxnDxWA4D4QzAMwH0FOvxEAT/zcJPhlVOsjLf0cVPktlRtAp12YNLy5BwCgDDoNhFwibiOg1AbxlAIfZsMiwOZwcMlEQWXzkgoWNXT1CIIgIo8NY/04WTtZWOjyLWRgb1vV4zJnHGFvNCJcBeB8DzgOwAFC2hmkJopwc5KbncvMyBo0zcM6gaVD/Xfr3xEv9redDUWThf04yA/meFPWTSO1uVxCEfBHBdcn/t/d7+SLh/V052TSgYbieOkMHQXgTjL8gBNsoSOw4kjlwfNnslS6Ts+YCKZ7EunMjI2o7EBFGh3DXGwWktDzcvAOXyNC4NodrdCEB14DhcgCrAWWkrKpeTGxE/zSXm13TGHSNwdA5TIPB1Dl0Xf6OeyShMfV3vJwQGtvI/s1PCRUlEpE/FXkowgAcR8BxBWybYDkCtnrRBNFMJrZpINWYIwC2AdgggGeInDdN2zhRSFpukhKw+lO4Y3FEHGEiIow24tEdeTDHUv/99F6NXbEwNw9g5zGwGwi4lgFrAPTXkiKITkkNmiZJgSMmX6b3U/5b88mBsSobkSprJ0Gg0v3IlzIkSSgCcQSKNqFouSjaApYticUnkSrq0SS4BJxkwGYQnmSMnmYCb26+cPbQeZtHldGHx5K48cyIPIJGRBhtwN07c0gWbMSdHPIsnnTJWa0x3CjAbmHA+QDmVSKJiRPYJwgpNUhSSMQ0xGOa+m/5u5I6MRFUFRYbBICJgDCftCRJeAQiUCy6yBddFCyPVMrVmRokIlWXwwBeg8CjxOkJAtut28U8j/cgbzn44MWDbft+73ZEhBESHt6TBc/YKtrxNV2wtTlawDitA9idDLgOwBIAZqXPlk5ZqVoogojrSMY1xM1TBMHKjI1dzA91ofy7SJVGqi1S+sgVXOSKLoqWUOqNmF76KALYA+AJIjwAwV65/aLBo49uHlVLXaTjuH15rC3f6d2KiDBCwBM7crDzOeRhGRqMFTqx2xjwQTBcDC9o6jSUJIkSSUgJIp3QkfBJQqoYvu3xPYPS93UFKZUll3eQlQRScOA4njEVtSWPYwBeIsHuFZweExb2mZrraskUbj473b4v8i5DRBgB4bHNNohyakZtx4mD03ncxYfA6AMAO9uPjzgNJa/kBEkkdaQTGkxDUzaIctH9vYwSKQifPLJ5F5m8g3zBVcbUaeweOYA2E9jdBHrAFWJr3IxbBEImlsRHz6wo5EWogogwAsBj2/JwrTG4jpEApws46BNgeD+g4iVO83KUpAlJCPEYR48kiaShJImSqvFekiQaRYkYlORhCUUc41lH2T7c2kZTm4BtINxPhF/mdXpzrk2WlUzipkjiqBsRYTSJB3cRYoVxCBAKtpvQiS5mjD5JDB9gwNLJRszSQjZ1jlRSQ2/KUHYJ/T2obgSFUgSsI0hJG2NZWxGIJBJRfXG7AHYR4W4CfkEkNsWMmEXE4FAP7jg/2hK1EM1OE3jknTzY6CgsGAYHzuMcnyGiDwFYWYkoOAdipoa+lI6e1ClpIiKJ4CDJQwjAsl2M5xyMZmwUVN4NVZM4JHHsIKJfMmI/Fba2VY/ZLtPjuOXc3raPf6YgIowG8MiOLLjtYtR0eCpLq8DokwB+C8BZfobnBCQZaBpDMqahP20gndKVhyOSJsLFhNThEjI5GyMZB9mCo/5dZbE7ALaA8EMi9suhkeHd8+bMI8OI4frVkX1jMiLCqBNPbilini2wV+TmgdNHAfwugIsmu0ZLRJGKaxjoMZBK6jA0T+iIeKK9YL6tI5t3MJKxleRRgzgKAF4Ese+Qyx/gsfyQafbjhlXJdg+7qxERRi3QX+DxLV/2KkflKeXq7o0M9EUAN/rp4qf+1CeKdEKfIApdqh2dG30EH566QsotOzxmTUcco0TsEcbwj8TwvK7reUPTcf3qVLuH3ZWICKMGntmcw2ExwvqFeY4g9gUw+gSAReV/o4iCA8mEjsEeQ3k8dC0iim6EJI6SxDE85kkcrlvVxrEHYD9yGL5jFrHb6EnSDWcn2j7mbkNEGBWwfnsWju2gAGvQcNlHGMMfEOHCcjsF+QswGdMw2Gsqr0dEFDMDijiUjcPByTFLeVYEVdwMtlJTQP+DhPaAHuNjOo/hvUwcEWFMwtPb8jhycjtPJRZeqHH+hwA+4letOg2mwRVR9KcN9d8RUcw8yMVvuwJjGRtDYzYKRbe8znE5jgP4KZH4h0R2zhZ7MEe3rHlvqigRYfh4ansejmPBtZx+wfFxEP2hKlZTNkdyMemcoS9tYFafqRLAWGTMnPGQz7BoCyVtjIxbsJyK9g1BDK9AiP/quuy+WMIcJ8Zx65qeTgy5Y4gIA8AT2zLoORbDyf7Rc4jwr3xX6YRUUTp1UnENs/pjKjpTiwya7yr4NZSVfWNotKjsG5XVFDpGjP0AwLdu75+1+6mxPK5f+97xpLynCWPDdgsZkYddKCY457cB+AqAdeXBV0RQ4VmDPQYG+0wVqRkRxbsXjEElt0lJY2jMUpmyFWBL7dUV9Demw59gSd2Sf3fnRVM013cd3rOEcf9OQj5zBGnNmAPBvshAXwKwuPR+SapIJ3TMGYipn+/d2XpvIl9wcWKkqELO3cpG0V1E+G+c0fc1XR9maQM3LXt356W8J0swP7k1i/s0oBfG+RD4zwz0tclkYWgMcwdjWDIvoVSQiCzee0gmNCyam8D82XFVl6SCZHkGY/iPBPZXdtE96++W3oXHt+c7MdS24T23DZ7cnsdQLq8nubgJwNcZcMXksO5kXMNcKVUkDVXJKmwVRHUM4gx+SyK4ROpEi9A9yOUdHBspqszYCpAqynqN2DfGdPZsWmPitjXvTvXkPUMYv9i4FX2xhXBdN80gPkOeveKM0vvkb9r+Hh1z+mOIGVpbbBUGZ0jpDDGNqS5gEg4R8i4h51eZaiem5rlMdTS+F3sLMVXnhDA0UlS2jSqRolsE6BuWW7wrFU/nIdK4ZW23t4hpDO+JR//jLW9gCT8PY7mTc7km/iXA/gDA7NL7ckuYOlNEMdBrqkzSdkCSRb/J1c9KkIQxZgdDGl6LgFK7gFL5f1Jp4Or3pWK901XsUXV9/ALD8KqO89JPvwp56ffvxsUl52gsY+HocFHVHq3Qr/oQIP6rzdg/9SXNkevO7OvQSMPBu/GZnoaHdo1jtZXGlvzRlZqmf40Bn/T7e0xAqiDzBj0VpF2Qm6vf1BDXqj8CuW/HLYGMU9FSXxXC7xvi/SSl4oiJl0cQCDh+pPQtSsThtTJg0Bib+O/S798NyBddHDtZwFhlFWUMDN9hTPtbztiBmBHDtavfHdGh746nVwWP7y7ixsdM/PryoQsY2P8L0J3yYJ/4Awb0pQxFFnGzPSpICTHOMBDTMJ0wU3QJw5ZbVcooSQ6SFBzVD0Qo+4dQ0gR1hQuY+VKJRyBS9eMqAE6SyUyVROR3smyB48NFlZci53/S9yiA6BfE6D/kkNuZzC3BHVdonRpuYJiJz6ouPLZtDBaBk128QiP2DQDXln9fqXbM6jOVGqLr7S9mk9I5+szpnVRyIZ4sCthljCHKCMIRXpEY0SXkUC9KjZcUcZQRyEySQJj/LIZGLUUczlRLtQvCr4m0P7/9wnWvPrzjddw+wyWNmfN0GsCj28cwUjjJepC+GcBfAqrloPquKhBLZ8oLMthnqgXaiY3WCGEMFV0labg+QdjilIrxbkFJbTG4JBGPQGYKeXh2DRtHTxZQsKfYNaQ++bQQ2p/tjw2/uNSZTXecP3Mres2MJ9IAntyWw2hhVDdIu4Nz/k0Aa8vfjxkc82fF0ZvubFesmMYwYE6vkuRdgcNZGwXXPdVe8F2OkpvZ4Fy9tBlCHtm8gyNDBVV3o4Ix9GUC/mxkvLh+4ax+cf0MTV7r/qfQAJ7cmkMxm9dIFx8Gk5IFW1N6T260ZExTZJFOdt7VJYlCEkZsGqPn0ZyN43mrrWPrJqg2DJI4NA7TJ49uBfONoYeHCip1vgJeg8CfuIX842Zvn5iJtUO7d/YbxFPbcsjncgZxfIQxSMnizNJ7pEK8NSyYlVAekW45pSVZSLVEr3J6jsrFlyueZr94L0NKGaZPHgZnE42kuwle5quLI0NFVYi4At4gwp8ULfuRVH9a3LJqZmW7dt+MN4GHNmdg5jLcNrTfAGP/yS/KOwEpUSycHW+bJ6QkUnM/A9KpYWvQGZDQGRI6h+Y/DkkQY7aDE3kHtmjMpfpeQEnqiGkeeXSjumI7QqknI+MVSWMTCXxlXIw+tii5lK5aM3OaRnffTDeIJ3YUMDw6qqdM/f0A/TWAVeXv96Z0LFC5AO2O3OQTVvS8S8jY4rT7u0SwXIGi6yoRSP697ovbRVeo92r01ogwQcwecZhdRhxecR7C0aEChsetSl64112Irww4vY8X0kQ3zhDvSffMcBN4/u1R7M/FWS/GbmVgfzPZwNmb1pUaUiVxKFDIvZ7UOZI6m6JilAdgiTKicMpUjfLxzeiH0iHoXUocjksqwOvkqDVlDRLwEhG+nEmmNgwIC7ec3f1Rod0zsw3ivjfzGGAnWEYkrgaxvwPo4vL3lWQxJ4FYyPUrmG+LSOm8pgHTEqS8HTnHOY0oIgQLSRxxnzi6wcbBfNKQksbJsamkAeAZIvZvDE3bWDQ03Hl2d9s0Zmx6+4p5Qxh3kxeB8JcAXVT6vXwgvUmphoRPFpIfegyuQrxrkUUJUqqIDJjhwhECWdtBxnaUJNfp2VZJjRrD3Flx9PdWbIx0FWP0F7ZwzlrT/uE1jM5TcIO4fwfBdEZRKNpnmlxKFqrpsReUBaAnoWPRnLhqTRjmYpEEIcnCrNPNl7UF9o0XahpAIwQLKWDENE299A67Y0s2jcMn8pUMoS4BPyMSfxoz4vs2bn8e/89Hb+/MQKfBjJMw4sUhFB1nvs7xNQC3lpNFKq55Bs4QyUKuu7QvVdRLFlKoGLWciCzaDDndBcdFxrLVT+rg/KsC0hrzggZTU7wiUj79DQ3831lFZ+Cy867szCDrwIwijPXbx2A51KMR/i0H+2R5IlnC5IosErHwyMLgDH2mpiSLOjQQhaJLOJKzMFys6F6L0Aa4RJ6aIkm7w25qU+dYMCum4oImrdM4Mfwe4+L/zhdyyce2jXVqiDUxYwjjV5sc2IWsyTn9Dge+ICcY/ikiH4Jk7mRcD40s4ppXuyKh1ZddqZLGCg72ZQoYKthtL4QTYSosITBuOcg7TsekDXlXKQHPnx1HMsYnu1t7wPBH3NV/czw7zp/a3X3l/mYEYTz9dg5HR10moL8f4F8BMFh6T9cZ5s2KoWeqmBcIVCFgXwWpVuhmMrKOwIGMhUO5IvIN1rKIEC4EEXK2q4yinZI2vDQF3+U/NQFxPoCvxrl5neMW2XO7u0vSmBGEcfL4OFb2jl0AsD8DsKz0e8a8Kll96XDa8ku1o9fkSgWphyscQTiet3FgvKhsFlS50nSELoDlCqWiFN3OkUYqqataLNrkFpsMqxljXyvm7NUjue6KAu16wli/PYdESltCjH3NT1OfwGCv14EsDHe77tsrUjqva9PnHIGDWQtHcxaKYmrptpkJVvZ690HZNiwbOdvpWKkAedjJQ2/SgST13usZ8BVOuVlP7Mh2ZGyV0NWE8cTWHEat8QQBvw/gzvKV25P0+oWEkb1o+rU2a5XPK0EVUCk42J/xpYqZsr0ky3IO4pp6Qb04qMS+RGDkggnHe5HwzkVV+YZ7f6/ppz7L+IysDiyfV95xlVHU7YChSS5feegN9FTynLCPw6XPZfPZ2DO7c20fWyV07RN+9BULNh/XOKdPgOHvAMyF/4ATpobFcxOqb0TQB0NMY+g1qhfmLYflqyAjRadSibbugqqTJ0VfpjY/s4vghSx4bhxabhQ8NwYtPw5eyIAV8kCxAOY4YK6jVjVxHWSYICMGiifhJnogUr3eK9kLN9kDMpMg3fDvQX4J8plj7ZVSZVLXVUJbOyHXjWULHDiWVy0aJ/HuXgH8YSqtP0DjBl1/YWfraHS+MEQVaEszEAfpAmL4tyWygO/LnjsY89LUA16LUqLorZFuXo6sI3AsZyFju+rf3UcWzDu+5E/hKnLQxk7AGDoI4/h+GEOHoY0PgWdHwYs5RSBMJcIJ+BWEQVK/91V8mnxdKY1IcjDjoEQabk8/nIG5cGYvhj13CZxZC+Gm+xXBqM8oAuluA7AjSBlDk6Qhprev/qaqWm9wZc+wHKEaQ5etp2Uc+OPMeHE7UrG32zaoKui+dQ5g/bY88vn8bM7dvwPYp0vjlPt47kAMcwbigUu/CUUW2rTxFaTqVDg4mreVwazrJlBJEhxwbejjJ2Ec24fYwR0wDu/ySCI/Dji22rxe53lWmt2pKoXa45I4PAI5/T0q+0meRCElGE1TJOL2DcKZtxTFxWfBXngm7DmLIeJpb2ySOLo4iE3OQkLXEde1tmpZ8lYnxywcPlGYrB5JXfcfXcG/lk6lR69bHY6Rv94xdhWefyGH8WTRcMn9EvfqcapsHDl9/WkDC+cklJQRJBK6VEOmJ4uSvUKqIU5XqSDeiS83olQtzMO7EH/nDcQObId+8ognQRB59gnWhBGTCMIh1N2OzVdHpAJEmg7R0wd7/jIUl5+D4srzYc9aBDITXS11yBmShJFQpNG+Jy2El6h2YnRKlbUhAP8uyXq+f+35sY5NWveseR8/y55A7w52LTj9r/LaFjGTY+m8JBIBqyL1ShZSXD2Wt3Gy6AVhdcfE+UTh2jCGDiG++3Ukdm6EeXQfWCHnbdgAjZHk+GpKo/OvvEakpA/RO4DisjUonH0ZikvXwO0Z9HsldCdxxDWOhKG3LWVe2TMcgf1Hc8jkJ9cGZa8R4fPxROr1G1bH2zKeSuPrGjy2Iw9nPDuHdPwPBvxmaXycM1Uxa6Bytl/TiGue63Q6srBcUu7Skhek8/CIgjk2jON7kNyyAfGdr8EYPgK4TqgeC6mekNMEaUxcQChpRySSsBedgfy565A/6xK4fXO897uwwlhM40i2mTTGczb2H82rhLWyu7pE+A4Y+xPu9A3fdkn7TZBdQxgP7RiFm3cNjdw/YEz1EZkwBw/2mipPJMgWhjEV6j09WRRdgUPZU8bNjkMShevCOLoHqc1PI7H9ZWhjJ70TmvP2PFIhVZRTBtGmoNy2Qnle7IXLkDv/WuTPfh/c3tkTKk03od2kIXFsuICjJ4uTyXmYiP3b/HD8n5ckkuKyde3dwl3jJel3NIwy6yKA/YsSWSgXaoxjdr8XbxHUEjK55zqdjiwKqsR/l5AF81x9+vARpN58CsnNz0EfPubHRkiJoo1dtTgD17ln12g2doExkByz68DYuxN9h/ciseVFZC+5GfmzLgbF07600R3E4UWEOm0jDXmHwR4TubyrXK1lGGCMvpTsL7ywb3B4W+gDqTCujmP9tjwK1ngfU5Wz2O+WxiVJYuGcOPp7glNFvIzT6etY5B2fLJypPSbaDs7BCzkktr+I9MZHYB7d420m3uG4Oylp2AFJAyWJI55E/uyLkHnf+2EtPMsLCusi+0Y7JQ15i0zOUfYMyzlNNZGz/vfksD/n6b7s7avbd+53hYRRyKlONXeAsQ+U17foTeuVagc0jVKFrGnJQkoWOQvZTpOF79Ewj7yD9MsPIrnjZWXMLEVldhzysRnwSaPFa5UkjmIByU3PwzywC9nLbkH2ghtVcFi32DaUK525SLbBeyJ5OJXQlUquVJNTkJviE0Lnj99h/4cHQx3EJHT88Hx6SxY5O7cSxL4Nhuvhk0Xc4Fg6PxlYfQv5RXtVbkjtr1wos1l0liw4mJ1HcusL6HnxfhgnDlSOlegCtGwIrQThAoaJwqoLkbn6Iygu8h1mXWLbSCiXq96Wx2FX9ZrgPpf4F1OJ2NHrV7cnArTjx5Rj2TojfAIMV5R+JwWAwT4T8QCL4aT8it61YLmEI1kL2U6TBecqCrPvqZ+i/7F/hnH8QFfnajCNgekBLyUpRTkOEltexsA9/xPJN59SXqGSLafTKDiual/ZDpg6x6y+WKUyg9drTHyk4Ii2TUpHV+AT28Zh5YsXg+EHYFA1UEtFfJfMS6q03yCQ8N2ntTQRW1X19lynHQXnMA+9jb5nfo747jc9/b1LNsl0IFt4UaEBgwkXIplG9n23YHzdByFSfV2hokj+Thm6qhkaNogIh44XMDRmTd60LzKw3zNjia03nJ0MfRwdW4m/fJtg5wopMPZZsFMBWpJFZ/WZgUVzGpypAji1yMIlLyiro2ThSw/xna9i8KH/jfjOTac8IDMESsoIIXuYuAaWzyL93P3of+R7KnpVSSAdhtSO8rYLuw01NThjSuo2p/bYuUiAPmHbblsKZ3RsNV6YewmuhnVg9FEAE0+/L22o1oZBnFMlI2etzFP50E8UnM7W3GRegljqracx+PC3YRx5p30xFUGCyX3Mwhm2JE7HRfL1Z9D/4P+CcWR3V5CpPGxyjpetHCa8EANNuVonTa/JgE8JUTz/8e2FUMeAThHGl39F2MrOTDOw3wawBKWMPZ1joNcILEArqU9f02LEcjCU72DNTcZUCnl60xPoW/8jaCMnuuL0bBoaAwurpL+fnh/fsQkDD34b5sEdXTFXjiBVhCdse6yc1f4ew3MEnH6vM0D4tGNZoeskHSGM//IbDIz0axlwB07lSqKvx1C1DoOY+LjfjawWMrbAsVwHE8lKZPHqI+h76ifQMqPd4S5tEUo1CXFCiXGY72xF/0PfQWz/tq6QNCxXqOLCYUIVEDa4crNOWiY6GH5DuNYlT20Lt3Bw22f6nh153P/a2ACH86mJojjkTcRAjxGII0Bn09stSvkhHSunJ8lCqiGbnkDvc78Cz2ffFWShILWSkIvQENdg7t+Jvoe/q4zE3SBpFF1XEUeYUE6BlFGpQv4yBvoE2SLUrLS2r9DdAtA0+yoGuqW8zkV/rxlIAyJ5wZTBagZneUbOTgZmMfXkk289g75nfgGezzR+SpbnW5RqYKB74hSYFn7MiJI09u1QhlDj2J6OSxpSrc23wZ5h6EzVs51UnpKD4YMFN3/pE9vDK+fX9hk+3y2mOfAJAPPgr++4qaEvHUwQTExjSExzug0XHWW76JhJkTHEd21E77O/AM+ONbXQmWmCz5oFfelS6CvPgL5yJfSly8BnzwYMo/PEwXzSCBnENJh7tqPviR9BHz3WcUnDEYR8yPYM8mvapqaUemCLieFjjm2HZstoa2j4kzuyyOez6xj4zaXfKemix0DMaL3Ohea3MaylimRtFyfyHaxpIUXpg9vR/+RPoI8cb3yBMwbePwBt/nzwZFKKa6e9rQkBkc3CPXoUYni4o3kYkjDIZaGTlzKEbnsVvck+jNzyWa+yVwcJU6olOndVAZ6woGtc7Zts3ik32MstcKdw7R8/sbXw4o1rgtdO2iphOHYuxcA+Wi5dxEyO3lQw0kVSr50nYvtFey3RKSMnhzZ6TAVlGcf2NUUW2ty50JcvB+/p8ats0ekvSSg9PTCWLYc2b15no0NZ+5JoJS8m3ngW6Y0Pe4WLO/i9yY8EDbNRkrxHOmkgMdWWsQKED7mOFUpcRtsI48mtGbgOPw9gt5buK59pX8rwbBctHgimxhRhVIO8/MmCg/FOhX3LjWzl0fvCPYi/82bjBk4i8P5+aAsXgU2ncsj3DB3aggXgAwOdTRHnIcVlTIZcTJaF9IaHkNjxUsfD6F0irwF0iPfQNaYcBZMyZzUwfMh17TMf2xG8x6RthGHbri6I7gSwHGWVkvvSrXtGVIiuzmrWt8jaQpXX69zWYUhueQ6pN5/192+DX9owlMQwLVmUQKT+Vp83H8yIdUxEZ6yNCXOMg4+PoufZu2Ec29txr5NUTSwnvHwTpqQMXdWMmfR4zwTo9iEKXr5ry4w+9vY4HNdezqAIY+JL9CR1xKYGoTSMOGeI11gcjiCcyFtKJemM3YLDPPy2yjplxVzjG0hKFz094KkGdXNJGqkUWE9Pw0MODMqB075ZJ8ZhHNyDnufvbc77FORYVPazG1qDJFIek4qHbhwMH+wtZhY+viVYj0lbZtN2MgycbgJjq0u/U60I00bLA5BrMWnwmntwpOh0Ll1dnnq5cfS89AD0k4ebs+IzBpZMNXdicg6eSnVURGdtjnKXnJrY8hKSW5/veHS9PKyKIWa1ysfak9K9HJPTeekiDXTFz3YEK2SEThgPbBaArc9mjEnpQrl7lMEmoQdS6yKh1TZ0FlypijgtlZ9sFXLhJnZsbH7XMAYuVZFmN73ZwmeDAG9zHQ9JsIUc0i895KkmHY7PKLoiNAOoF/SoVXIc9AvBPvhbZ+YDLZQR+kwuOsoBMi8EnWqkzBlT1bRa7YuqSelCZ1W3oZQETxaczjUcYhz60EGkX39cdRbr2Kbtgliudu9Zqb5rRw4i/epjYE4H597vZ1NwRGiPQX613pQxNcOb4eqi45zzzNbxwO4V+mPcO3DcAJzbTw/U4qr0WKu7WEoXtTJRc46rupR1BCpPxFZJZU25UMtBBGHbzRsuLavzgVzt8paUQxASbz2P2N7NHZcyLBFeGrxSwWJapfahiwDc4tp2YHpJqLP4g82vI8axhIGuLw8D70nqyljTyhqWZJqoUUGrJF3YndoojKsOZMmtG1rfrESgbAZoRhd2XRXI1WnCaGf3sLKbgo+NIv3a46rJdEdjM8iLzQjrMWgaU1LGpPPTAMNNlmDzz3j404HcJ1TCOG7tBQO/sryDmfxiPQEEasWnkS7GbbdzMRdgSgVJvfEktNETrZ9ujEGMj0NkGlz08nOZDEQmOJG0abDOkAaBIbbrTcR3vd7x2AxHCFgh2jKk1G6apxfYYcD5DtkX7bz8h4HcJ1TCWK1fkRYkbpzoM0JAMqap3JEwpQuXCMMFO/QkoKpQbtSdwS5Sx4F79AhIqhf1XJMxkGWrEHHU+5mw0YkhSNUwl0PyzadV39lOu1mLUuILaV2aBlfOhEmYxRi/4b59I4FEfoY2e49uHQe5fCUYu3yi5aGvjrRq7IxNJ11YAlmng2nrdhHJzc9CywwHt0CltDA6Cmf/flBxGiNeiSwOHoAYHekOsgBCKd9XD5SUsWerb8vosJThChUPFAbkV0sn9cnFghlj7FounIXffeNoy/cIjTC0jJAXv4wBKzARrdy6sVNOSlyr7hmRUsWIFX6KcVUwDuPEftU9PQyIoRNw9rwDMTICKCOa77IsvYRQJOG8sxvuieMdt12chk7t1ZKUsfUFMKvQ8TwTy3VVUd8wLi4l+Jg52T5IZ3JiF//ueXNbvkVo2arFJJKw6TqAJUq/S8YrfZnGYPLatS6ytuhsmwASSLz9CvSRAGwXVSDJgjIZsFQaLJ1Wqe4KtgWRyUJkM4Btd/w0nQxJ88Q64+ZV1ar2bIF5ZBeKS88FqHPtL20pZWik8p+ChPyOujyU4zqy+dO+Xy9n7Lr73hp+UG7NVu4RGmFoYEsEY5eW/q3yPRK6qtfZLGEwv/ReNb6Qkt6oL110LBt1/IRnu1DtAUJK1ZQqhzylpLoxNuoTg999zM9Y7TayUGA+aXSCMRgHGxtB/O1XvaZI6tl0RvoqSRmGxgNfp15+iYahMQZxSvXhYHRZgusLAOxp5fqhHIFP73bhOsVLSwV+4VcJSia0lp6RxpkqkFMNeUd0tnEyY6rGpHHiYHuMayVSoLJWhd1IFOXoZLa9KxDf/Qb0saGO2VNKsAXBDcFjoroGmpoqeTlpq61ybPuc9Ttaq44fyqq28rkYgzJ2eqHgfmCJqU/5Eg0hxr16ndUwZjmdSzDzjZ3xPW+CWZ2NLOxasM4SBjEO/fgh5cHqdJKJIAqt/qdSSxJTpNtBxvA+x7FaEntDIIx/A5ec+QAuLq97IfWqVrwjnHmxF9VguaTiLjoGvzhO7MCOzo0hQm2oHJOC11HO7WAfGh+WEKG4WOV+S8r9dvqhxRlhHSPqa+XagRPGq4f/QurXZ6heCSVDjMaQiGstkbrOWU1XqlRFrE7ljPgwj7wDbfR4x8XdrkaHp0Z56w7shD5+suPh4kJQaC7WhMlhGKfbC4nhbMspLH9px2tNXzfwGRs6Ns4IJKWL2eoXfguBVr0jMV7d2OkSMGa7Hc1Iheso+wWzrc7viq5Gh+eGMegjx2AcfafjaiP5HpOgKUORosGVLWMS5migC9YfvrDpawdOGLrWm2BgF5V7YOIxTRUtbRaSKGq5UouqiUwHXamMQcuPw5SLMEJ3Q6kleZiHdqv2lJ0mMEeIUArscMZUGMMkTkwQ2MXr+kdjTV83iMGVw4E7D4S1EzdgXjBJK2Sus9rqyLjlqkIlnYIypp085FUBj4yd3Q9XqP61vJjt+PNyicKplcE8R8Mku6H8x1qL89nNXjZQwrh/I8FxrDPBsLD0O01jSsJoBWaN2As54dmQi61OBzk04/h+8EKu4ydW16MLpoekWjJ0GFqmO8LmbSECD8iV1zMNPiUrnIDltmstfviVI01dt6HArce2ZCpHyHmNvDB0jFjfADsXQC/KWiC2ksrOfPtFNRQcrzhJJ9URuLYiDGV574KWfRGmA4M2PgJ9+AjsOUs7PRglHcuDr1bIQDPQ1WHNkS+e2rNM1aWh1UgmXnxs8yjK3xCq+76Om1dVL9JVN2E8usPGtrffxhmL585nhAu9gjjEAeaC0WGH2Ka+3uFxBpyr8vD9QUjpQmshBFbnbHIyzWmQ0kXH8kYUGHgxB334KDoU9Tyj0BVzxJiKlVE1VrsAwldL9IAPG8YYEqaGEXaaCznOGHsf2fYeF1hCRKafnzdsc/5W3iq+88z2vLhmdaLiNesijB/nx5DfUeRnLpp7E4A/BlPl9uKn5EuW0xmeB6cfM2A1lWWnxk3e0iIxeHUvpSSKnK+OdE7CgKpOrY0NoUMhYxGagSuUWgLhdIWeJAmDVEuR4CAFlpjJlR2jzLAqb/FJAn5TaQKnipTYOtGOHvC/LxbyP39wt5V//0pzyjXrIoxF6wWyi+zzwfCfAFxS4U8kHX0QDBcSoGrak6pbwWAaWtPHirIN8OqZqZZLSiXpLBh4bhQ8P9YV+nCEekHQR08oNzgZ8Y7LPVItkZKGFvAaMg2uVBPHpfLlOavCXRKMcCmAv3Qhxk4Qv7vS9eoyep48gwxAfAzAdA7cJQD61X+Rlz8iB9wspGRRyzuSd7xqzJ3cpiowLTMCrtKmOziQCA2BiIGPjyh1shuIXpJF0O5VqanrmmdDbABLBPDZ+Xa2t9KbdV0pZfMUA84pb0JUD+RAJbs1a2KQbFvLEJR3RWeDtXzw7AiY23mf/oxAt0yRVCULWd+12unBeAdPGO5VTWOqbF8jYMAqLjCr0nt1XcmFK/WKxkp8MU8c4i2ESes1ojsdv3R7p8GkGJkdVYVrIswsMKuo7E/dYnuSazpoxUjZMaZp9DUZUjlwBatorqiLMKiJCgbKHdrgQCejljZjuaSSdzr+qEmoRcc6b/uP0BAY4NhKyugWCEHlNSwCQzP7UK+iFoSWfcN9CaNZMNROZS+6osPuVB8kwKzgu2RHCB9SjZTPruOHjg9lxwg8gsszDbRaR7eE8AiDM8/Y0rT9AjW7sRfc4KPjmgETAlwlnDUAKnuJslf579/N6JodKsm+wWcXIsgPFQj6mprGlfEziEuHUqLPS2nnyuDS7Bg1Zb+ovLLkpBb9LL/Orj3mSRiuVf17kletTxKC/KkCZQU7VQR2UhMJlJr+cPKyrzUvC7vdDY27AqUpIubPI5vy3gQm5o7UMegtHao9Z0RgTufrYpTDDSEeQ+OexzLfUjVPD+HU9CQvLLVZg2cphqOaRuIKz4bRNZhM3eQRAzn+T9cnDSr7g1qXK3+/VJ5T88pQcsMvR/luJQ/yCUJ4BDFBEnU+bgI7nTw076dHuJOfE4GJDrXSrAJ5GMrDJMimT560H8z1QisCLAfYrNrk2S+q7wmbSFmUu2fPeCNREoQkCauMJFoF+Xwkr20DoggwHeC657cKq85w2yHJwWXeHIoWn2y5ZCJ8ElFSGoFp5BHJBA91zyqCX8iaQhCdDb01B0QJoRCGHJiuBtjcCJkvYVSD7YpQrMkNQ6kOmlqYciMLX6II1QZBHnG4NsAsjzS4OZOI4/TnSiWicFm48yZO3csjDqFOJdLMrgjcKkFKFyriM2DGkBK//Jqt2jFCkzCmtJ5vAGof1vi4JTpSqP50cA5WyCG+5RWwvYfg5tvfnXxC3bF90jA7XnWufghAuDx8opgMpS5K4uBgLgMfHlLNjcgwuyKWpmT4DKSvoQ91gGveAd5qA6XQJAytBUZjqK3O2D5hdKo6uIR+eC9SzzyI+JsvqQpOje9UqrxRmjjtJGm4cggOoMUaDrFrK1RHBIdD2F6Ryc6BgRxC4vknwLJ5ZK+6De7cRf4AO3schVEYWPO7Bba6b0IiDNZySb5qHhLhE0ZHwJiyqsfeeAHpJ++Ffnh//U2DSgux1GhI08B0Tf30WhySKhlHjuOddOUNieokESlpyI/zGKDFu88wSg7gFuQ4GxzYhEdp8maetPwn5gv1fXnGwLNjSD7/CIy9O5C94UMonnsZSNM7ShphxBcpr6PcWO40nqNpEDhhkL/hW+kCx2tI9yKskmbTgWtg2TGknnsIyeceUQtt2mI5pY2v66qtoTZ7LrR5C6HNmQ/ePwieSoOZMU86IaGaLIvsOMTwENzjR+AeOQT35HFQLgu4rq+rTUPEkncKHrPyRPeoKMLyxlV3h8Iy0mSmCZZMg/f0gvX2gyVT4GbcWyhCQBQLoMw4xPioelE+57WKlJ/nfJrG1d4EGQd2o/eu/4Pc8UPIXXkbRLLXr/nZfpSfK0GBK8Jo/TrBSxjkSRit5JDwGi5VdRC3RpJNDIhDGz2B9CM/Q2Ljs/4xXoMsfEKTpKAvPxPG6rUwVq6GNneBWuxM12ufgEQgxwblMnCPHoK9cxvsHW/B3rsLNDY6MaZakBuUBKAlPK9Kx0CeZ0dKFnXZKuTcyQOjtw/6omXQV5wJfclK6PMXgfcNgMUTgKZPGNSp9BnHARVycCXZHjkAe89OOHt2wj18wCNcTDNnXAPPjCH92F3QTh5H5taPw+2f3RG7hvCTMaoXdmgctaT2RhDKUuJ1HIQ1P19jO7kihPDZmoPRoJ08ip4Hf4T4Gy+eOrUqwV/s2tz5MC98H8yL1sFYvFydjg1BEqZhgvUNgvcNwli1FnTtrbD37ULx1RdgbXoZ4uQJf3zVJ1qpADlAS3aINMgjCkkY05KFlKB0HdrCpTDPvwTm2osVYfDe/pofU+tEcrecr0QSfGC2Iuf4uhsgRk8qkrXeeAXW5tcgho7Xfn7y966LxCtPK7vU+J2fgTtrftslDQrYtVqSVlo5xEsIzejZSuBJre/lBbY0fenGwDi0kRPoeeAHHlmgij3Bf8J8YBZil12F+JU3qcUeiAxYGkq6F+Y5F8FcfT7sq25C4bnHYW3cADE2XFPaUQbRTpBGiSwK0/2d8OZ56QrEL78WsUuuhDZ7futzx7kij5h8nXcJnIN7UXz5GRRefhbi+LHqtiHfUh9/80WVazL24d+BOzivrZIGTQTvBSdhKKm/W+MwJJO1Iv3U+qhSSZq/dP2QCy47hvSjP0f8zZerk4VcSJoOY835SN72YZirzlMnZWjQNBgrVkFfvBzW2ouRf+Qe2G9vmdh4lVDyoijSaFO8hopLmS4UWbhgPX2Ir7se8Wtvhb5wSTiWWk2HvvQMNWfmhZcjv/4hWK++ACoWKhOT/5xjWzeix4xh/IOfhds70D7SULEYwV5yRkgYTVcKn0bCCN1xrxorW0g+/QASG5+pboESAizdg8QN71cvqWO3C1JliV14OYylK5F79B4UnnnMM/ZVOZmleiJ80ggv5dDDtDYLf2HoZ6xG8v0fR2ztxYDeBl8w12CcsQb6ouUorjoXuUfuhnv4YJU58yWNTRsgUmmM3/EpkBlvm/ckhMoY3hJukTPCkTDk4Fr4vtPkC7XlmcXeeAHJDY+pFogVT27XBZ8zD6kPfRKxy68Da8eCrwA+OAepj/w2+Jz5yD/wc4iRk1VVFBX7UAzX5arC16cjC84Ru/gKJD/0SegL21/mn8UTSqLR5i9G9u4fwN6xxX9j0qT46kni5afgzFmA3Lrb/L8JdwFShfSkltGimaCEcM6aFpms1hcLPQRDnkIHdyO9/h7w3HhlshAC2sLF6PnM7yN+1c0dI4sSWCyO5A13Iv1bXwCfPbem6KxUhZASNKVWpOIsqt3edzEnbrgd6c/8fkfI4hQYjFXnoud3/xVil1zhr9cKi0tKm8UCUk/eD3P35kDtUrUQAl8E4qYN5du3ar+oKWGEye6q72YOyWcehH7kQOWT2nWhzVuA9Ce+APP8y8IbS6NgDLHLrkb6Y59Txteqln1qMB6iAVDRU30qv+mTxfV3IPWhT4P39AU/gCagzVuI1G99XhlbFSod7ZxDGz6O1FP3gY8Ptym4Jfh1Xo0TG0FI37w1D3JtwggX8bdeQvytV6raLPjAIFK/+Tswz7805JE0AcYRu+waJD/yabBUT9WjXpKFCLhujEqIq3pNzwYUv/ompcKpsXURtMG5SH/897xnWk0XYBzmzs1IvPKUz7bhRgKFoXZ3r0oyE8E9F2rixcfBivmphEGkRP/ErR9B7KJ1nRplXYivux6JG+8ENKPqylOBXUGVgiCfLKqpIoJgnncJknd+ovGYlDaBz5qrbEH6spWVVTo/LUAShn5kf9tUk25DSN+647mkTSH25osw9+2svBiIVIxF4rrbur5/KtMNJG7+oAqAqmpQEHUGVNUBYXsSRuU3XWiLliH14U9DG2i6aXhboC9ZgeSHP6UidCuSBtegHzuIxManPWP4DEOrmaoIizCoSiJm10IFaA0hsWmDvxAmSRdCQFu0FIlbPgwWT3ZqlA2Bp3uRvO0jyntSzQiqNnqrtgzyCgZVfOBSKosnkLz1g9CXndHijdqD2NpLEb/65uoSBEGprPqRfTNOylCPqEWtpCu/cS2yCUVzZIC5YxP0Q/umGrTkojdjylinL14e6G1HRkawb98+7NmzB8ePH4fjBHtqGSvPRvyam71AskqnC7VuyxCO3560EohUiHzs0qtbu0kFjI6Oqrl7J+i50zQlRRpnrK4iZXgG0PhbL/mG5S5LCa6Fri0C3EJs1XQfDTIhx7sgA8tnEdvyKphdnKpuCAH9jFWIXXplILdzXRevvvYaHnzwQbyycSOOHj2qftff349zzzkHt912G6675lqkewLQ9TlH/PLrYb36Ipw9b1cM8yzVHW0qArSWdKEMxLPU5gtKKpPz9PqmTXjggQfw8iuv4OixY3AdR83dOWvW4NZbbsH111+Pnp7WjKp8cI6K03D27/GiQSfbs4SL2LbXkb/0eriz5rXB1986vPil1scZCmEIOpVt18wQqUbmTUDtFU6BcWXEMva9XcEz4kkX8StuBO9tPYrz2LFj+Id//Ed857vfxf79+yHc0/WBJ9avxw9++CN88AN34it//MdYu3Zty/fUZs9DbN21cPa/U1HKKBUrboYwSjVMq8G84DIVWRkEhoaG1Nx9+zvfwb79+xVRlEPN3Y9+hDvvuEPN3QUXXNDS/WLnX4bCS8/AfmOjV7OkHGrNHFA1NFRy2oyAH27eYopKeDaMkEpiNVBPpk4QzD3boY2PTlVHhIC2ZDnMc6brQT09pNj89X//7/HNv/orJUpzzqEbxukvXcfo2Ci+/8Mf4kv/8l/i1Vdfbfm+ErHzLoM2f2FVW4ba9E0wu5JOKl1SqnG9fYhfdrXK42gVkiy+/ud/jr/85jexZ+9er0BThbkbGxvDD3/8YzV3r7zySkv3ZOleb/ymWeFNpqTR2M63VPe0MBBk1XAEKGGEQhiixeSZWp/lQQTET4ApF6r5zraqVnHz/Es9q3kLKBaL+G9///f43ve/D9u2oU0+scpvKXVkTcOzzz6rNsmhQ4daureENmc+zHMvqvp+1Y0/DapKF0LAOGtNIIZOx3Hw37/1LXznO9+BZVl1zd2GDRvwta9/XRFzKzDXXOAlxFUkWgZj305oYydDCeQKwzISRO5caBJGK3UJa31SYwEOmjPlHdGPHaygpwrw3j6Yq9e2LNK8/PLL+O4//7MiC16nZV3TdSVm/+SnPwW1+qQ1DcbZ54OlUpXVElV5trFLTjRlqnQx01RSGUukmh+zj5dfeQXf/d73YNU5d/JklnO3/qmn1Ny1AnlQyHmrciNooyf9mIzgt3eQV/QqQFIgtUJDocZWm8rW+mitBkcNQ4q2xw+qSkuVArW0+YtVQZdWIMXAu+65BwcOHKh5Ok4dGkOxUMBdd9+tjHutwli6EtqceZVFCWri9KnWd4XIK/oTgO1CShf33nuvslk0One2ZeFXd92Fw4cPNz8Arql8E5ZMTf2yfo6Jfmhv4EZPFoZKIhBIa47ACYOVJIwWDsVaH5WEUatnSUOQpHD8sGr7PzVTEdCXrlDxDK1geHhYSRjNxPpyTcP27duxa/fulsagrtU3AG3R8uriW4P9VE7v5Fb+BkFb4NUtbRWjo6N46eWXlXG40Q0k52737t3Ytm1bS2PQFy6FNji78vNzXXXgKO9awBs8aJnFFcHU2AjNhuG2JGFQVdKQUikPopWFH+qrDx2rnKilGyryr1WcOHFCuU5ZE0E+UgQfz2SUdNIyuOZ9n2r1MqoRQBVUDfiSUtviFV7tzRYxNj6Ow0eONDV3kmCyuVzLNiBVrHnewqpzow2fUAmLQRIGU1J0sJThlqT+rgzcIsBxRdO7WtSoecHlggwkws4rkqOyDyffy88bCeKUtG27paAiIYQy9gUBfe4CVYG74uSKBoQgqiEGapoq2BsEpGTR6tzJ+W8FzIypjNZq5fykOsvyuWDL6YWwMUsSRqujDMfoqfTP5hPRyW9IWwlywHoQRiZ5CasInh2vNADwZDqQ2Iu+vj4VSNSMS0t+xjRNzBpszUtTAu8fUIVyKzJ5g8F2Fb+OHxXLZ81paZwlxOPxlueuf6D1Z6jNnuu1QJ8MBvB8Vr2CROChAyS1p+p7qhGE5iVREkaTENPYMcyArNJSJWHFYgXaJa8dQDze8j1mz56NM888sykbhjwh58+bhxUrWleNJFgi5UVdVuOLejukqz+uXAxZzhlPB5O+3t/fj9VnndXU3MnNMXvWLJx5RuuuXXlwsIrxJEz1P/Gym1u+zan7Vasf2wLkfgwiZT60XBLbad5TIr+YW+OjkjBaHzjz+otUSjaT95Y6eACVtOQpecdttyGeSDTM8PLvr7nmGixfFlAOi2GCxWJV80oaQ+UPMDOuXkEglUrh1ltvRSqdVuTZ0OiIcOWVV3pk3SKUl6RKNzQmXM9oHiBUEe0Ar0f+fgzClxMaYThu835f8nWuajA4D6Qpi9/Su+I7rNTCMADcfvvtuPqqK6eEM9eC1N2XLFmCz37mM0gkWzcgQkU082AqmtcMlNECTf+//bbbcM1VV00Jo68Fx3WxcMEC/M5v/7Yi7FahGk9Vc+uSAFNt+1u+zQSCWdunIPeh7TRvUyxHaCX6pAgk9aZmv7pTI0Xe4EzZMVr//kFGjVbHokWL8NU/+ypWr14Npw4jnOu6Snf/8h/9Ea699trgBjKd3tGFOVTz58/Hn/3pn+Lss89WJDqdlCbnrjedxr/58pdx3XXXtW2cQSJwwhCehBEEQpMwXOEZPpvdj7UaFmk8IDsG95shV9gp5NiBBuRcf911+Ju//mtcdNFFE9Z/KWaXDLzyJRe7JJQF8+fj61/9Kn7/i19sKGBpOpC8n11FymmEO2s2jqkutTULqZb957/9W1x6ySVqzirNnePP3by5cxXB/MGXvqSMnoFANciuIuEwDtKMwKRR1T8kQL5gikSFkviDGGJoHXeEIBRtgWaTtD2vbOUMNsnApmQNu5XqLwQYBsgwp/IFY6BCHrCDK3zJGMMH7rwTK1euVBmXDz/yiMpYzeXz6tQ3DEMt9nXr1uHzn/scbrjhBpVQFSisQuV07YkxNnKxyuX2ySqqV5CQc3fH7bdj+bJl+D/f/S5+/fDD2Lt3L/KFgiILOXdz5szBussvV3N34403qt8FBbUWSs2wJ7+naSAzFph4xsGClTCYJ120EhdVjtAIQ0oHlt28ZdZVXdorq45yOuMab02ZkCqPYYJUvkOFhZ/NQOSzXgXuAHHOmjX4q29+A1/8whdUFOLBw4cgXIHBwUGsXrVKqS2t1nOoBpHLAPlsxYXfSE6f97eVS/JTMa/mLgysWbMG3/zGN/CFz38eW7dtU0FZruNgcNYsrDrrLDV3vb2tReZWghgfAVWyP0npxoiBAqzCJsmixZU9BXIfBhEWjjAJQ6Jou2qgzbRoU7EcRIhVmbyYzqFx1gJzeg9bqHL3UxvYUC7rNQUKoXeGYZhKJ5evdkKcPAFRqFDgGI2bcxivQLOKMIpwh08grE4tUuqSxCBf7YI7dNyTMKYEDBIokYRIVHZVNwOtxTajkyEP7KJ/cHdtX5ISSqJQs+O0a6jCMc6UHaPp5yRPB92A0z97qtKoFn4B7tHWU8u7Ce6RgypuoCJ4AwuqViii48A98i6aN8f21kG1Eoc9faB4ZSm1GQSWJ+XDMw0E14QmPMJQupPwrLNNzoFTI2FG5wzxVg2CmgZ3zgKQXiFc2nXh7Nvd1q7docKxYVepugVfYmhUwqgIqUoe2BO4HaNTcMdGqhMgg+rsTvFEII1E5LkVSBSzD89bSbBrnbwNIjTCYH4sRdFqnt1cKjVfroyE3rodw5mzUImVlU4IZ/87EKMnW7lD18AdOgb34L7qBs8GuVf9faVLMQb38H6Ik8ebG2iXwT18AK78LhXKN4LrsOcurHzgNIHADZ4ALHlou40f2tW+TV2Ewb1A4IZnREoHRat5w6cKOKlho0jqvLV4DBKqJqMzOHfqA+cM7rHDsPe1nlreDbDfeVvZMCoaPHkThMGrSBmMQQwPwd69o/nBdgvk+nt7MygzPtV+IdWReALuwuWBuVQ1HjBhqP3n2REbvapV5QN1EYbhcilf1nPUyl2Xm0gFIaDgD7gZqJBWUT2k1VBqSQtCEhFEMg17aYV8A8ZBuQzsLZs8g9cMhlQP7M2vKQ9GxcXdBGGoz1RMr/DsP/bWTTNeLRHjI7C3vVWl6JCAOzgb9rxFgfU1DCYL+xTkqApF0YxWPUIaq+jqqpMwjBwx8bi80DR/egxEvwQwqv7FgIItlC2jWd60aqRdS+kiaWitqSWaBuuMcz3X2OQbEWBtfhXOsRaqNnUBnIN7YW17s6qRQm38JiaxImF478Da/hacQ63V1Ow07Le3enasKgYbe9lqiHR/IIFqQdsvAC9DtdC4ScAG8JhOOFHpzboIg5mcOMQDAP4ZQIV8cAVJEt8WjH1LEYe/Bh1HeHaMFiI+p1NLWrIsE8FZuALOvMVTDZycwz16GNamF5u/fqdBAsWNzys1oWLxHAbwJn2gkjAqSiacK/VH3jeUrsJtgJTGCi8/4wVtVSjfKA+Y4llrg8nNUd6RoPKjPDA//kK+Jl1WHvoVyUB+BMADxPE9GGZFd1pd3/bqtUk8+MaRk4LjLwzB3yASt4FjjhoXKfvGEU3Dr/NW/m5dS0hK2w5AOcrlHswVBXqbDPmUXGEJQkyrPJkJjSOmcWQdtzlOEgS3bxDF1RfA2L9r6vuui8ILT8G88HLo8xc3c4eOQp6QVmnjVliQvNqmrwPKjmFULwYs7+tcdjX0Sipfl8Paugn21jcqx2kLAXvhMthLmitbUAl60PYLBuQtV3lJyiBH+6Cu4Veuy24HaCUYvKdPGAPYc4LhJ2u3D+1d+rHKfXDrVppm9Q0grsWHfvXU738bXPuiS/g0EX1KEH2aC/q/bv4vqe+lEulRjXgewGvlhtZ80VXiUbOwpnGvplpSS0idiMVzLobbP6uylHFoH4rPPz7jGvCSVUThmUfhHj9aVbpgZouNbYwqn5fzdvwICs8+BgowxL4dEJkxFJ5+xDN2VmidKaWK4jmXQPQOBOJ2Z2HYLwSQLziT+czSdbxwy9pZv9TA/zUj+jTz9vCnBOFzFud/Y2r63l3nV6+YVvcoL18Ww83npHHHVf8RmqaN6oZxWL4M3TjMNGP8l/8auHHNADbtzbnEaOOEvYN5npIKolHdcASpVzX0GLw1/U+eGAuWobjm4qnvqRrtAoXnnoC1/c3m79EBWG+8rLp3VYOULJpVR+q6BhEKLz0N661gGjK1BUQoblgPa8umygZiqcLOXYjCuZcG6h0JOv7CdgXyxSlkNuw6eP3B14R8aDndMI+qfayrvXwyGU+4N5/bhxtWVW8P0bAC9pFLaoczX3jmIBwnK1WSPQAGmF/tR4pHyXhzsq/rqyVmFbUkrnOlmoyJJtUSCc1A/uKrENu6EdrJE6efyIxDDJ9E7td3KbWEDwZTgi5MuEcPIvfI3d4pWSXAjbcoXSgw7zrCruC8Zxw0Nobcw3epRtZB1EgNG/aurcivf9BLPKxU14Nz5C+4Au7sBYEF9emB1Xc5hYLlVjqkd2q6/vbt5zYf8Bh44NYt5yblxj4EwqbSElJ2jLzTUiOVYg21RGMMabNFbwkJ2IvPQOGiq32ymByXwZVOm33wF6BCrpU7hQ4pUmfv+ymc3W9XJQtm+IQRAJhe41oah7NzG3IP/Ey5qbsZ7omjyN7zY2XorkgWwoW9aAUKF14VaDq7EbQ6QkA+707Os5K/ftkGDbVy7VAiPdOHZ2XB2IuS6NQvGJArui0V8bCnUUvShqZS3lvJLYGmI3fZ9bAXr/Dy68shn6wUV59/wjuBWqhmHSbIKiL/yN0ovvJc9T9igBYLtOMkeKya99G7SeHFp5F77F6vzkgXQpJs7v6f+obOCl+ECBSLI7/uJr9jezDShcaCVUfgR1hnC+5k+0WGAS+OpvtbegDhVNxKqeTxlwAcRZmLJ190myZmyRWFGobTmMYVabQEIZSomb32/aBUeqoF3M/GzD30K+SeerDrFj9ZBaWG5B9/wGsSXGWyJVmwgNNJlS0jVu1NBlgW8o/ei/zj93WdEVRKPrn7foLChidr/BGhcO5lSh0JEsGVm/TAmBfdmbem7LXdBGxKtpgkFwphvO9KBo3FdvpqiYIk5EzOaYmYpVpSLbdEzk2fqbXO1lKKWHMpcpdeNyFVnAbuRYDm7v0p8k880DXRjFJNyv36V8j/+i6/SE7lR6tiJ6pt7BYhCaOqaiLnLZ9D7v6fIy8ljS6ZNzE+guw9P0T+qYerFsmRqoizYAly197pZaYG5EqVS9VsJVK5EgjI5it5JelVXdMOfHhZa/cLLfmMZ90MGJ72I8cUcgXHi/pswVtSrCFlJHSOtK61xqG+6Jm77gMqNqPi4mBcGRNz9/4Y2Xt+BDE23ModW4YYOobML76nJB+5KWslmGmJUJqN+zcAeLxGXIcKt88id//PkL3rBx1P7HOPHEDmR/+E/PpfeypmRbIQEOk+ZG76qLJfVC3V1wR0zlXAVpCQeySbn+JOzRKxZ5b05ls2IoVWQIcl4gKU2wAmDgJYrqRSmxRpxJqstahi411CokpBb6kPSilj3HZb61QtVZO+2cjc+jFo4yPQD+yeagSTJ2ahoMRs9/gRpN7/MejLz2r+ns2ACPbOrcg98FNYmzd55FbNgMb9zRxqyaRTpOTkqjSXkfNWLCL/+P1q3pJ3fhzGilXhDmoyhIvi5teQe/DncN72e69WcaGSYSB39e0orn1f4EWSpXQRaKwWAwpFV6n+p9unaL8Ae/Gk1WzBzFMIrsLsJHzvH/4Sn/vDr+YEicsAqFbewu+50JPUm+4dKfy+JNVUD4Mz5Byh1JfWvCYE0T8Lzqx5MA7sBs+MTj2afZXFPbQf9va3QCRUlywWC6YtQC2I4RPIrX9AndTOnp1+FFaVb8y8TVzVxhAwmE/oVM0uXJq3wwe8eROu6izfjnlzjx1WRuHcPT9Wz00RbBWygKYhd9WtyF7/4UDrdsKXLhK6FngP1eFxC+M557S1T8B9RZg/vPWcvpYt9aERhsS/+PzXiw535oDhRjlHzDdeppM6jCZ1N/LrHsarxGSUDEiZFupwnLoZqfR3t38WzIPvgGfHKpMGY6DMGOwdb8HZu0v1NNH6BlTbwKAhxkZQfPlZpXcXNzzlp17X6KEiySLuk0X4HRVO3VavgzT8eXO2b4a9d5dywfL+WeHM2/AJFF5Yj+zdP0Rx4wYvR6Ra/xRfUstdfgOyt3zMq/sacE5MXNcCt184rsDx4aKS5MuWQ4aB/Xe3SK/95H//fy3fI1QBVTMNQaLwNIB9AJTcadlCGT8TZvNcVXAFkoIpaaISegxNhYtL1aTlPUKkwoBHDRO99/8A+qE9VQN6YNuw33oNzq7t0FechdglV8BYvRbanAVgRvNBD6pc4LHDsLa+AevVDXD27lRivdfKvsai4z5ZBBGg1QRKEo1bqNH7UqooTmnetkFfuRqxi7150+fMV93amoUkBffIARW1WZTzdmCP8taoPhXV5o2EKoiTX3cjMjf9JkSqL1C7BXzV2Qw49kISRC7vqujOSWfHVsbEC0YsHgjjhb6MHn0rkxSi8C0ifA4+efekdCydn1Qhsc0ibXD0GtUnfbjo4FC2GFxrEc5h7tmG9K9/CnPXVu931U51+SVJALqpRG19+Zkwzjgb+tIV0GbN9Xqc6vpUyUB+TriqQjVlM3BPHFFl9ZydW5Xk4p445hnnqonRZVBuznhwwVmtQFiAyNeRBa6+v1AkoeZthZy3NdCXLIc2a55qJM10Y+r3l5tcdeuxIbLjat6cvbth79qm1DUpXXgekGnmTc59IoXsVbcje90HfI9I8CUapSqSNII9q4kIh47lMTRul29qF6C/c3Xja3ee2x+IWyp0wti2+wT2jNPHAfZPAPrhx84vmZdAb9poWtLTGcNgrHoOiUuE/ZkixqwApIwSOIc2dBSpJ+5C4vUNYMVC7RO+RBykyl2rjvCsvx/awGzwvkHVtJjFExP5KlTMQ2TG4Y6c9Cp8jw57Xg9lwcf0C94HMzzJImwDZyOQqombr6GinPbH5fNmgKdS4H0D4INl8xaLn5o3KUlkxiBGhvx5G/HmreQmne409+/nzFmA7I2/gcKFV/pl94InC6ky95hG4Lkj+YKLvYdzqkJ42RI5CuCzMXH00RsuOjeYewVylRp4ekcBmczoMq5p3wdwDXw7xKxeEwvnJFqyEvcYXL2qQZLFgUyxZl3QhsE5WD6LxGvPIvnsQ9CPHT61maeDWph0Sh9mZVIK+f9XGmqp538jE+RHXFaPuuws5P4TBU/iaMh+WGnelJG3/H3/vxudN6lu6AaKq85Txk1rxdmnrhkC4rpUl4Nn8uPDRRwZKpz2OwIeZOCfddMDJ+88I5itHvoZdO2qOB5+deQgwfk1gMsBKCF5POeoiLREXGv62eRdQlyjqraMtKGh19SUehIY5IkWTyF3xa2wl56F5IZHEHtrI3hufPpFWmsht/I8mZ/PEWs9+zRMSBJTcSA6IIp1ShuYZt7Q5Nz5a86ZuxD5992A/KXXq3iLMKvEa4whFmDryxIcR2AsY08ueZJnhPvStjZ8dUBkgbD7kpSgxXWHET0MYD/852vLL5m1WyJyRxDyNfJTJI8Mxg1FKIGeF+TVDbQXr8TYh38Pmds/BqSCdbvVC7n55CbUUt1NFhPws1vleBV5hOqnqwGNoXDRFRj59B8he+0HfONmuC0lTK3FMgwVIK+WyTtTQsEJ2EagpygdjLGzhLYQxs3npJFnsc0EPDohfBMwlnVaqpMBX8qwpinhJ0kjFN1LCIhYAs6KVeADCegpUpshdHWA+XaKpE8UscCSJ9sG5geSTRBHk3VFG76vynkhaP0GCu+7BvayVd6NQ7BXlENJF3oI0oVLGBm3J3OdlN0eEpq265o1wbqo26bpfvj8noJLdO9EvU/m5eyP5+yWDmaXCDmnemVxiYGYrtysYZz/jAjEuYoI5GWbWG0CI0DyKKkdcUBPea9utVU0gpI3R81ZEuEQLj+dYOWzQUxXwVisTRXhJVkE3dVMXi5bcJArTE40o4Mc9P+z9yVQclTnud+ttbfZRyONdoSYRUIImc2WhYUWsEViHib4OAbs45N4g2MH85I8h9gJNjbmxA7BwHNYEoixXjACO/HDBssGIctgErMaSSCBJCQQQpq1Z6ant+qq+nPurapRa6ZnNEtVd8+ov3OaQV3dXcu997v//v9cVzXfs/yKZkd/4JXX0SzNeZ5Av2XAlfx+uWDA2bEmqkJRJj9LMpaNkDV6MBdXSRpDKrKWPWaK/ORAjkVdUd2oMjdoiS9uz9hvun8tNx6BhtnUhjWpH2qMzNyoybxXKeIpigHhANIcCxd/Tvkv/szIHqfG55k7pDGeHSd5WXXGrQhQJafurN+wbEe6ME+MaiYi9mtbrX71w23+31/RCOPP37cct790sLddrvopGC4GUMvcep+JlIn6am3SEgDngKRpQ5PkgjVbOao0GbWmgu60/ynpxyff8HT4vMmKPKKwh/37+MePN0VmE29fOFMw4pnZJ/6FfdyphHyClfLIgo0hP/PfUlTxCvxemOMZ8builgjUSlnCfjHslztsSf3PS7u1tK8ndFFUT32jHiPLYk/LoP8CsAlu2ns8kRP5JVORMgyLkLZsREf5Df5QG3QV6ZyNwclWGC8Ecnqb2OOJSGQjJ/IpyAcTAztOHj7W+xESISf6oME3scmmQYwFLl3EE4awYZwY+seelmD990+bKZDZVVQN+FNnzuKyejeBHvH6mzhBJyYGUlNzffLHkzTH7mGiyQyzwuqobthJn5tLGGqoFE6SCiYFR410JIzgBk1mTEgXfi9bLwx8cOSa6QHhkRfS/xa/siWYrajoJjNNVYmBPQngOe89i4D4gCH8yVO5Ta7LDZr2mOHgMU1Gg69eEwJJMkgtUipoBb7A5iqkrAbGF8wN0vLbjQq3o1nvgCGaLJ9o68R2yWK/ba3a6Ps5PRSdMC5uj6BKo6ME/HhIyoBT87M/mZvy+GVMGrOUHz9Xva6gWvNRGxNeEr2iX0wXEECqJog+KKiiwZb/v+/FXQxPYQfQZYMeshQ5/ollK30/r4eSOOWYotlkS79kwFDTDLKB3oEcjClmmDqqiT2masJZf1ZEFZZrf1L4ZNiqXtFIphFIC4FkJRCVhKsiYUUJJDbGdKWLYSX4bID9GjLboanB2mVKQhirz6iBoutdNrDZ6wrvVQuKD0xdyuBkMZgbvS0B3BaLUy4aDHe3kpiYgBURY5qAwZEIfU4xR8CqCP/FgWQOydSIAr8dJNPmTX/fEN+4LOL7efNRsrAfRVHIluwnAfzKczQSHI/JyECUiSNj2UgNbxUw/Bok5sMSJ6fRkRaafuGWpyiEZ1YNJupNV+RAIjpFNfCcjZ5+Y3gypc3A/r+VTj7zr1uCry1bMsJY36Lj0lWzemyZHgRwDF47AtN2RK4pBlgJ1SQ3etFgcnu2+lT/2fGSCMKoKCblDybGi7iE4eNwKZIUiFcEbipFPGE4rTpOPHSACJujsfrU57T6AM58IkoaWPzi8zaytvlbEH7qFPtwxa7BHBLJEUadCYMzcSJnwyyQ4ZbK2Rg0pn4OAS7iaq6IW+GL8ofEYIt6GgU63E0SMmOIBBD+Dc8pkDbRN1JdN8DYQ7KivLSuvcr38xZCSQnjvPfJqNGr0mBCytjjvW/ahJ7+rJA2pgouRfQbtvCccGGDk0jatEXKu19h4kLE1ULTP7HjlAANSRi+tTt0q2gFEaAFN0iLqyLGyLCDVxiZD8mKVrQmLyWf4etbY0jJyk4C+zdOpHAHIJm2hGriB7haEjcs9GT4y0afYYMxyVdd0xFxS5WrXcG4QQAxyVcjtSjoG4DdwkP/YA79yRFBWn0g3KdC27e+Lfhq6x5KThgc1aqSY8zeAhKNjwSEAXTAEE1Z/NgIuFbCVRP+IteIFPaxcjOpuqMTV1D2YJLkmxtcl4OzW3htD7v7jeF9dvgk3moy/FwOKUVVgstihm9srcLL/z54hGT8AMARDBlASZQey00xAnQ0SFzvVBVhrJoqbE0XzZwrRozyh4jM1aa+K6uSM3/8TizzYFmE7r6sCDcYdoa3iPCDJWc1dK1tLY7twkNZEAbHBZ9pgpKj7cREBKhIKeUPKZE2haQR1DIUxip16sYqUriEUQZVdwOqRTmT4NQvmVrqtyzIQg2MLLyYi77BEapIhoh+OCjj+WMHit/UumwIY0N7FMbsZNKycB/Afu+9z+d/T78hEm2CinJQJUkUZp3s4DMuIXIRVy4tYRBjhdPsK8gDifYOthqa9C/wzSUqJNPgyCKdtdAVHxHRyf/xNDE82KA3GOuXFj9/qWwIg2POW4uQaIjsJ6K7hipzuapJZzxbyErsG1RZEpLGpEjDbSPgFNEp0WJ1i8Jg1YcgzV7ge/MdX+D1fi2xrYcT+2STBT01Vg3wHiyb0MVVEWNEAONhEO5sjpnvrn+jLrDzj4WyIoxzLmSoZhoZdu4JG/SjfNUkmTaFPjelJssngS7LLmlM9JsEW9acDMgSgmwb0qJ2hC/7LOQ5iwIvajsh2DZYrBryuetBsdrAa2iOCU6sqoaJloaWhGThf4vD4egdMNA/UhVJA/QvhiJvz7II4bK+QK9hNJQVYXD80QIFkUjVIBjuAfC7/GPxgRz6T+zs5DsEaSjKxElD7FqlIwzGGGwzh8G+OOQzzkb4ii9AXniGK2mUWEWxLbCaeoQ/cg1wzkbkiJXukrgkpihuo6Lxf01ybV1aABmoHkQmasos5BXh+JUF9mCVGjLev6QmsGs4GcqOMDgubovByDUeIOB7AA5575s2oSOeFYVPAyUNt5XduNUTkYA2eTHXL9iWhe6Oo8jlTChLViDy8S9BXX6+E1BWClXJbX0oz1+KyJ9cB+2CDyOZSsPIpEuadsMlQVsef/EcjyyCSFf3wB9HNmejozfjVNI/8fAek+F7lx5qOLyutXgxF4VQloTBUVWVhUzSNiLikkYS3kM1bHT2BmvPwAnqyXjOQqLBr62GSpqvKoHQ+c4hpJLicUFuPg3hK66FvvpSMD1cXLuG6CimQF35QYe4lp0v3u7p7EAunS5pop6QBMdpoC4GWcC1W3TGs07i5YmH4jZwZ5ZZzz/TWrSAzlFRtoSxoSUEPRTO5oD7AfzHUK4Jc7qm8Yc71QS1k4FPkqiqjMvl6kQPllbCUGQZx94+iK7OjqH3pJpGhC79NMIf+xzkuacNNWEKDK5UITXORXjTp4RkIc87XRzK2TYOH3wLOSMjVKhSwYnKVU4qYHjekKDJgj+y7v4s+hIj3KQ5Am2WGB6OhKLmh9om79nxC2VLGBxr28KI6OFugN0G4Pn8Y/EBQxiHgha0NVkaH2kIwiiduEguYaR6OrFr56snXpqqQztnAyKfvAHa+y8Bi8ScRsV+EgcnIssCC0WgnXsRolfdAP3Cy8AixwOLEolB7N/zGmRh8CwNYTDk18IYu8hSVFMCN3DCjbfo6TMKDcdvJJvdqYYifZvOiAV+HeNBWRMGx8b2GCLM2knALfn2DC5cdMWzGEj43zZgOFRZQkxTx3alMSYkjFKaF0VncJjY8fQ2ZLIjg3qEivK/Po/In14P9az3i8UtVIepeCxs2zFqhmNQV64WpBS+4jrIC9tGJOO9/fYhHNyzG6EAmhFPBLY2dt6PJkmIqScZbx/gef86ejLIjWz5+RqzpVu+c/bLBza0BFsUZyIog9DEk4P0KCnZ5JMmSd9nwDe8niamRcJIpCgMsbAS6GL1dpx0zhQNkUaAsZIX0SEQ5sRCePm/n8Ou3btx3jnvG/EZpmhQ28+Hsqgd5oFdMHb+DuZbr4ESfYBl5jU+LtAAeXgXdVWFVDcLyukroK54P5TFywRxjIYdO3Yg3dOJUHstqIQRqU791cLjpIt4nODCvT3wX88YFjp6ssiMbBfaScB3SbJ/d8vrF2JNoFcyMUwLwljbGsWONwcNK515EIQFYPgSH1t+jD/sYz0ZzJ8VRkgPph2iB0+nlZiFjGnhxOZlDLYeKSlhcKmruSqMROfreHjLFqxaeRYUpfAQc1VBXbEaats5sI69jdyB3bAO7YXVdQQ02AfKpl3pw/2CxABFE1KJVNMAefYCyIvboJy2HHJDsxO0NgaOHTuGx372M6zRJLFzBxlPMxZI1PMMu56j48TvpaiLRLIijKFh8nmbxeBIj1+SiP1gkOUebQxVm2tK7BUZjmlBGBxrW2LY/maqbzCTuF0leSGAP3GnsbAsH+3JYN6sMDTVp8K+o4BPprBr00iZ1gkTn7yyb6VaDESoD2mYG9PxyKOP4sqPXY4PfOADY39J1SEvaBEvyqZg9/eC+rpgD/SCkgOAlXPuSQ9DilWDVTcIQyqrqhXSynjx2M9/jl1/eAVXrVkKmWHMequBgjnFc4gLUO41iKK9RfCEeBAekd6ssF0MI4scQA8Rwz21oVh6XWv5qCIepg1hcKxriWDnS5kjR+TkzYxRA3/Ls54lUqaQNJobw0JFCRLMjdWQJCZUFK9CubC+MwmMzJIY9cjdJZfNqsHW3+3F7XfcgdbWVtTXj690G9MjkJsiQNN8X69rz949+Od77wUzDSyujZY4jIy5xmlnfLi0E1FlXzKWxwNbkEVGGO2HHyLglxZwa5KqOj/RWp59bsre6Dkc++vSqIprrwHsGwB25h/rG8wJm4ZlU1GWK59sMU1FSHbEWFFYVpJLGljJd+/ljVXQdRWPP/EE7rvvPuRywRuGR0MikcDt3/8+Xv3Dq5hbHcG8WKh00gWcHjK2FnIkRUVGTPOnvMF4wCXA7r4sevsLePcI/wXg5lmmfnBBrPTxFqNh2hHGFUvqwOo1MiPaszbR3wPYl3+cM3dnTyaALu2FIQJ7NAUxVYHERd0iibWjgd91W30Mc6rCSKXS+Kc77sC/P/QQLKv4yWiZTAZ33nUXfvzww+LfS+tiaAxrJTR4kpAAZT0kxqsYxs2hMwuyMNDVZxQgTNppgb7WFDNeOlCfweql1UW5pslg2hEGxwdX6ogylWSb/ZKIbvaK7sBdMD2cNHozQvwrBphrXQ9HIq7xr3RbKL/l+VUhtDXExG7a3d2Nm775TWzZsqWopJHNZnH3PffgtttvF8QlyTJWNlUhpARrYxoT/MSSDD0cDaQVwKindUs0dMWzhebkARBuSqeSzwzaNbjqtKaiXddkMC0Jg2Pd0hD0cCRnZ9gjRPRtAEPhjd4AeepJsSCpOpgSXL/O8YDvZDW6igua64QrmC/Uw4cP46+++lWxgJNu2HiQ4CR1y3e+g299+9vo6+sTRtO6kIpVTTWlb/WkyGCinmdxBomPR09/Fh29BSOT3ybQ15MmfhGLVdtrz4gW5ZqmgmlLGBwXtUcQqQkZKsk/ssn+B9G92oVHGp1FtGmILu6lTnF37RgfmFuPhrAuJqwsy8Kt+Xc33YS/ufFG7Nu/P5hzE+Hll1/GX3zlevzjbbehf2BAnNsmwhn1MfEqbUEwEqntIpekCNdxfA4WlCze4xudRew/6mNR8yNnBd9TxA9Ma8LgWNce45JGyrJy94Lou4VIQ0TSjdGg2R+Qo46UQcUriwjLZ1VhZVP1kL7MF+7AwADuvvdeXH3NNfjX++8XJOIHOFHs378f//Dd7+KTV1+Nh7c8AiOXgyRJLoExfHB+PZoiWsniL5wLdWthKMF7IPh9dsczo0kWRwn4Zlqy/l8oFDHWtZWf+3Q0TCu36mi4sC2Ep/b0p8xs5m7R6JSx/wNAUDafn70DhohgntMQgqpMtGzK+MFkRRRmKTX4PdfqCi5e0oTt73SLycuEg8DZH1548UXs2bMHWx55BFd87HJsWL8BixYtgq6PfyFxkkgkEti7dy+2bt2Kx37xC+zevVsQhZxn+OWfa4zouGhhoyiaWyxj9KjXrWqgkwSZTQXMq5gVzzp1LUbe7zGb0a2KxTZXRWKZjWUYazEWZgRhQOSc1GD7nv5ENpv+vyCZwNhfA2hEXps5vnA4aehBBHd5u5eql00h3vULG9BaH8NrXQOiaK0HRVGQSqfx1LZteObZZ7F40SKcd955uOD889HW1obmOXNQXVODcCgEVVWFsTSbzSKVSqG3txfvHD6MXbt24fkXXsCrO3eio6NDfIYThTzMS8Sf+bnNtVjVVD28J2gJQI4EGKBhOifKSWacxMiRpzgC4FvMZD/SI+H02tbyt1kMx4whDI6d+/fjzCWnJ7NG7p8ZkGMMfwNgyOzcP5gT7N/cEEI4gDBykuWSp7h74Dvb4poILj19Nvb2JNx+X8fBpQ3+Mk0Tb+7bhzfeeENIHDU1NWior0ddXR2i0aiQOvhnOMEkBgbQG4+jLx5HMpWCbdtDv1MoBJ0vmIiq4LKlc1CjKyWXLsRDUDUwWfV97EXt2ZyNY70ZURWuwO8fBti3sqa1OVoVzaxtmX5kgZlGGNd/9Bzx9+m9ycHBdPZuldlpBnwNwFDoYiJlwrLSQtKIRfy8facaNXzsqDXFqxEqwBUtzXhs/zHs7U4UrHLNGHOkAlkWBMAliO7u7sJSEmPi8/zlEcVY4BLF+XPrsH5hY5kIXeSojLL/wXWprOnkhqRG1OLk2E+Em3Ky/JNwWDc2TlOywEwwehbC+rYoYmE9Y1nshwT6WwIOeMe8Eu5HOtNOc1s/J44kl7xMXz64NNVWH8XH2+ZBkU+uhnlEwKUFRVVHvhRFkMvJiAKuKlKtK7hq2XzMjuploI44IC3kezsIvgm925kWfwtgNxF9VYL5aLUeMi5ZVh51LSaLGUkYcEkjFI5ksoweItD/BvBK/vFszsZ73Wl0xTOi98OUZQK3ZydKnOI+HBJj+ETbXFwwt66oMSn8VBef1oRNS5pK7jUaAh8XPj6iFsbUrom5Bt3efkNsPunsiJKRNoDnQOwv+tOJn4XC0dxFLaWvmDVVzFjCgDCEhlEdiloZK/W4CXwFwA53IMXc8eooHu3OCAKZYu8zEVnppE77dQdTB9/ZF1SFcO2qxZhVpJ2eP9cldVF84ezFwltTatPFCRiqtjV58LmTs2zhMj3akylUX5aLGr8khq+8p9T/prG20S52S8OgMKMJg2N9SxThcLX1R8sHfkvAlwh4lAsY3nHPg3K4IzWaSDl+8Jmkh9xKU+WzSvhO+JHTmvCZFQtFwlyQV8ZVkSpdwZfPWYLz5tQUVaoZD4RKwqZmw0ilHZW2q88JyBpezwIMPwLh+tnp9AvNGmhje/nmhkwUM54wODa112HrgTmYk1V3G8T+CsDdAPrzP5NMW0IP7Sk8CcYJJiakUxPDr6ufOkiUnWP4/MqF+OgZcwSBBHF5nHxlJuHTKxYKNYiVsP1IQTB3fITxd2JXxtz7608YeLczhf6kWegnugH8k2GzrymKcqCnoRGbWspI3PQBM8pLMhY2tUZwV2cvVnSZ76Zz9A0myQdB7AYAi+EKB1y0PNqTFUbRWXU6QtoEXa8M7oSUyq5VIVdFZkd0/N3qFiQME08e7BT2Db+ms01Og+I/bZ+HG85dgpgql42h0wENFQJy9snx1zFlboUsvpn0DuSEe7jAc9sLYt8zrNzD1ZHq1EXt0ysga7w4JSQMD19uqse+dBNULdSvEt0DYl8B8Pshu4YrvscTORzuSIv6GnzOj39ReUa18nysfAGfXhvBty5sEwZJclUIP35XlRiuXjYfX1/dIlLYy4ssXIFCVHYPjXtAvY8Npky825EWqekF8pIsgG2XbPaltK5sDumh1BE75fvllwvKc2YHiM+dy7BxWS30cMTY06k+RoTPAXiIz4v8z6Uyjp56tCc9IYMoO0lF6lKD747t9THctm45rlm+QNSwnOziJvf3miI6/vKCpfjGmlY0R/XS5ouMBckljHGMJhNRm7ZIXjzcmUYiXdC+xdXafyGwaw+dZWyLauHcJWfW4urljUFcfVnglFFJhmNNSwxP7UkT2bTLytl/DWa/DtjXAmwB8rwoPX0G0hkLjbU6qqOKKMs36nogcuIwZM9tV576KyeIRdVh3LymVVTnuv/Vt7EvPujYIKSTqymcEPhLV2SsnlePL65ajEsWzxI9PMpOssiHdHK3N3PVq0G3+bcgikJSJsN+EO6CLW1WdSXevjeMC5eXPo8oaJyyhAHX7crx9K7+Y6k0u00OYScj/CVAawAMZSglMxYynWnUxlQ01GiiOvmoULlKUv6PlS/supCKL5y9EGvm12PLnvfw60OdONiXQtZ07C/568rjAYkBtSENZ86qwmVnNOOjp89Gc0wfIpGyBpf8+PiMcp1ef9PeAUNUbssVjs/JANgGYv8oE3tWCYXNde3lVdk7SJT/zC4CspEqhKRB49iRmscbmrreZJCuA8PVAGbB23VsEhMpmTEFadTGNFFs+MS550oYAWZD+glvga9orELrB1tw1fL5eP5oHC8d7cP+eBLxjIGMZYuQ8piqiHqcyxqrRDLZyqZqYUSFG3dR/iBHVdRGBk8JadIipwNZvyHUURSWD98j4AFidP/83tSh3rmNuKjl1CELlK3MXCL8+rWsKDWfysZjErFNNsP1DDg/X9ogd5eNhhQ01mqigZJQU+AY1aS+Y9A3fxus87AbUTg9wCeC7N6HYdkYNCwkc5Zo2sQJI6LIiKqyKMevuG0Cylr9GA6yQdX1MK66Eda8Fqdbm6t+pDKmIAonz4gKaSxZAM8wRncyQ3vSCOUy7y5pwBcjp97yqUgYebhkuY5HX9iJusjiwVd27f3Jme2n7SawzzLgkwCakeeP55MrbVjCrtFQrSGsK068luzUW5huU8kzYHIojKE2pAiVhQ0dJ7fpGSE3jXjiBLjlB7wojIxhCTdp/2BuKFqzAFm8Q8BmInqgoaHxrYF4ArVSCH98CpIFKoQxEh8/7yzx9xev9FAItKeXWV8Py+oOybKvBeFDAISD3RNje/tzGExZqIkpqKvWEVbKo4jOVEDuf4IJ7yoRyKmIRqqGrGGifyAr3OfZnD2aeToBYBsBP5AZns3AyBhZAxevmDlRm5PBKedWHS/+eFUD+vUQoqFIetPyHz5myezzRLiZgD35UT8ir8C0RQn5d46l0NFnIidNb8KYqbCYgu6ELcbpWG9WkAVGkoVFwB9AuJEB183pyT7FFDUzT5+LC08vn0zkUqEiYYyBy9ucVOQdb6QQSSQODyjybRroSTD250S4nAFz8z/PRdyujIUaU4VuuzPx1JRcyw6MgIytoGOAkNOs0YblEICfMOBBi+zXNcj24+vm4utllH1calQIYxxY2xrBjURY99qAyRheNixjnwTpcYD+DMAGALXw7BtMgiXrQgYhrwF6RY4rHcjtuWxBjAtJciGy6Aaw1WL0QzD2nCapab4wdM2okMUwVAhjnLiVMdzq/v+2N5OJeL/xRFi1f8+YfYkE9mkAqwFUC8LwXHfkuvzdNIaKtFFEUB5ZuLAU3Y3CHbLNxAn4jQ1sBqOnGyy1PxlTsWEa9AcpFSp73ySwoSWKpjodqqb0bNra+GML9FkQbgDYdgJL2uqwfAU+cS3nNZPsiOUKThLeKx+CMARzi5DuJ4jhy8xmX5zb9M5/arLW310lV8jiJKhIGJPEh5Y62Yj3HXkPp/WGjuy05QeWU+5XpKgflrOD1xGTzhnxJZc4OJlUJI4AYB+X6EbBAEnybxhhC9n2UwsPNnYebR3A0c5VuHRlZTDGg8pT8gEPPLUP85pnw4aEubduUuc1Nd0hkXntSb8ouTaOyihMDZ7qcRLpzdCqXzzSdsk1zzVf+cayBQYkTcG6ikQxIVSmqo/o/LOPgGy5RY7KWySNnT2uL7E80qiMxsQwTqIY+niWOqxk5jNq63lb6/72lqCvbkaiYsPwEUcHeyTI8kYi1jLuxU+j69wVjALvmU3QJkRgs0gNfczc/+r0Lt1dQlQIwye896kNmB2b3QyGy0GYeLklcnVwa0LFoE4t5BPFRJ+RQ+ASA7vEIuns+OcvC+QSZzoqhOET1m7eBkWS1zKw84dijSejYuQtiomI2zMa+V6myZCpZ2R2sJBJ7Mp4OlkJ25wE/icAAP//iFU60gIwwN4AAAAASUVORK5CYII= - href: 'https://example-gitops-server-mypattern-example.apps.region.example.com' - location: ApplicationMenu - text: 'Example ArgoCD' ---- -# Source: clustergroup/templates/core/nodes.yaml -apiVersion: v1 -kind: Node -metadata: - name: m-m00.cluster.example.tld - labels: - argocd.argoproj.io/managed-by: mypattern-example - cluster.ocs.openshift.io/openshift-storage: "" ---- -# Source: clustergroup/templates/core/nodes.yaml -apiVersion: v1 -kind: Node -metadata: - name: m-m01.cluster.example.tld - labels: - argocd.argoproj.io/managed-by: mypattern-example - cluster.ocs.openshift.io/openshift-storage: "" ---- -# Source: clustergroup/templates/core/nodes.yaml -apiVersion: v1 -kind: Node -metadata: - name: m-m02.cluster.example.tld - labels: - argocd.argoproj.io/managed-by: mypattern-example - cluster.ocs.openshift.io/openshift-storage: "" ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: application-ci-operator-group - namespace: application-ci -spec: - targetNamespaces: - - application-ci - - other-namespace ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: exclude-targetns-operator-group - namespace: exclude-targetns ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: include-ci-operator-group - namespace: include-ci -spec: - targetNamespaces: - - include-ci ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: include-default-og-operator-group - namespace: include-default-og -spec: - targetNamespaces: - - include-default-og ---- -# Source: clustergroup/templates/core/scheduler.yaml -apiVersion: config.openshift.io/v1 -kind: Scheduler -metadata: - name: cluster -spec: - mastersSchedulable: true ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: advanced-cluster-management - namespace: open-cluster-management -spec: - name: advanced-cluster-management - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: release-2.4 - installPlanApproval: Automatic - startingCSV: advanced-cluster-management.v2.4.1 ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-pipelines-operator-rh - namespace: openshift-operators -spec: - name: openshift-pipelines-operator-rh - source: redhat-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic - startingCSV: redhat-openshift-pipelines.v1.5.2 diff --git a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml deleted file mode 100644 index 19c1f8c08..000000000 --- a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,13143 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: common-golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ACRAccessToken returns a Azure Container Registry token - that can be used for pushing/pulling images. - Note: by default it will return an ACR Refresh Token with full access - (depending on the identity). - This can be scoped down to the repository level using .spec.scope. - In case scope is defined it will return an ACR Access Token. - - - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - Configuration used to authenticate with Azure using static - credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: |- - The labels to select by to find the Namespaces to create the ExternalSecrets in. - Deprecated: Use NamespaceSelectors instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - items: - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an - authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded - and used in a docker login command to authenticate to a registry. - For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Merge - - None - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Fake generator is used for testing. It lets you define - a static set of credentials that is always returned. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - GCRAccessToken generates an GCP access token - that can be used to authenticate with GCR. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: githubaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - githubaccesstoken - kind: GithubAccessToken - listKind: GithubAccessTokenList - plural: githubaccesstokens - shortNames: - - githubaccesstoken - singular: githubaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GithubAccessToken generates ghs_ accessToken - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - properties: - secretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - url: - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Password generates a random password based on the - configuration parameters in spec. - You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' - enum: - - Delete - - None - type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. - properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - enum: - - Data - - Auth - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: webhooks.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - webhook - kind: Webhook - listKind: WebhookList - plural: webhooks - shortNames: - - webhookl - singular: webhook - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Webhook connects to a third party API server to handle the secrets generation - configuration parameters in spec. - You can specify the server, the token, and additional body parameters. - See documentation for the full API specification for requests and responses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: common-golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: common-golang-external-secrets-controller -subjects: - - name: common-golang-external-secrets - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: common-golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: common-golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: common-golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: common-golang-external-secrets - namespace: default ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=common-golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=common-golang-external-secrets-webhook - - --secret-namespace=default - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - - --enable-partial-cache=true - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: common-golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - - --metrics-addr=:8080 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - dnsPolicy: ClusterFirst ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=common-golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: common-golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: Secret - name: hub-ca - key: hub-kube-root-ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: region.example.com - role: region.example.com-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml deleted file mode 100644 index 056054bad..000000000 --- a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,13143 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: common-golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ACRAccessToken returns a Azure Container Registry token - that can be used for pushing/pulling images. - Note: by default it will return an ACR Refresh Token with full access - (depending on the identity). - This can be scoped down to the repository level using .spec.scope. - In case scope is defined it will return an ACR Access Token. - - - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - Configuration used to authenticate with Azure using static - credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: |- - The labels to select by to find the Namespaces to create the ExternalSecrets in. - Deprecated: Use NamespaceSelectors instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - items: - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an - authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded - and used in a docker login command to authenticate to a registry. - For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Merge - - None - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Fake generator is used for testing. It lets you define - a static set of credentials that is always returned. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - GCRAccessToken generates an GCP access token - that can be used to authenticate with GCR. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: githubaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - githubaccesstoken - kind: GithubAccessToken - listKind: GithubAccessTokenList - plural: githubaccesstokens - shortNames: - - githubaccesstoken - singular: githubaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GithubAccessToken generates ghs_ accessToken - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - properties: - secretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - url: - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Password generates a random password based on the - configuration parameters in spec. - You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' - enum: - - Delete - - None - type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. - properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - enum: - - Data - - Auth - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: webhooks.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - webhook - kind: Webhook - listKind: WebhookList - plural: webhooks - shortNames: - - webhookl - singular: webhook - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Webhook connects to a third party API server to handle the secrets generation - configuration parameters in spec. - You can specify the server, the token, and additional body parameters. - See documentation for the full API specification for requests and responses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: common-golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: common-golang-external-secrets-controller -subjects: - - name: common-golang-external-secrets - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: common-golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: common-golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: common-golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: common-golang-external-secrets - namespace: default ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=common-golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=common-golang-external-secrets-webhook - - --secret-namespace=default - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - - --enable-partial-cache=true - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: common-golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - - --metrics-addr=:8080 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - dnsPolicy: ClusterFirst ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=common-golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: common-golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: hub - role: hub-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 056054bad..000000000 --- a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,13143 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: common-golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ACRAccessToken returns a Azure Container Registry token - that can be used for pushing/pulling images. - Note: by default it will return an ACR Refresh Token with full access - (depending on the identity). - This can be scoped down to the repository level using .spec.scope. - In case scope is defined it will return an ACR Access Token. - - - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - Configuration used to authenticate with Azure using static - credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: |- - The labels to select by to find the Namespaces to create the ExternalSecrets in. - Deprecated: Use NamespaceSelectors instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - items: - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an - authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded - and used in a docker login command to authenticate to a registry. - For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Merge - - None - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Fake generator is used for testing. It lets you define - a static set of credentials that is always returned. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - GCRAccessToken generates an GCP access token - that can be used to authenticate with GCR. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: githubaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - githubaccesstoken - kind: GithubAccessToken - listKind: GithubAccessTokenList - plural: githubaccesstokens - shortNames: - - githubaccesstoken - singular: githubaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GithubAccessToken generates ghs_ accessToken - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - properties: - secretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - url: - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Password generates a random password based on the - configuration parameters in spec. - You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' - enum: - - Delete - - None - type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. - properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - enum: - - Data - - Auth - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: webhooks.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - webhook - kind: Webhook - listKind: WebhookList - plural: webhooks - shortNames: - - webhookl - singular: webhook - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Webhook connects to a third party API server to handle the secrets generation - configuration parameters in spec. - You can specify the server, the token, and additional body parameters. - See documentation for the full API specification for requests and responses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: common-golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: common-golang-external-secrets-controller -subjects: - - name: common-golang-external-secrets - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: common-golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: common-golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: common-golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: common-golang-external-secrets - namespace: default ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=common-golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=common-golang-external-secrets-webhook - - --secret-namespace=default - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - - --enable-partial-cache=true - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: common-golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - - --metrics-addr=:8080 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - dnsPolicy: ClusterFirst ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=common-golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: common-golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: hub - role: hub-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/tests/common-golang-external-secrets-naked.expected.yaml b/tests/common-golang-external-secrets-naked.expected.yaml deleted file mode 100644 index 3d12586bb..000000000 --- a/tests/common-golang-external-secrets-naked.expected.yaml +++ /dev/null @@ -1,13143 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: common-golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ACRAccessToken returns a Azure Container Registry token - that can be used for pushing/pulling images. - Note: by default it will return an ACR Refresh Token with full access - (depending on the identity). - This can be scoped down to the repository level using .spec.scope. - In case scope is defined it will return an ACR Access Token. - - - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - Configuration used to authenticate with Azure using static - credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: |- - The labels to select by to find the Namespaces to create the ExternalSecrets in. - Deprecated: Use NamespaceSelectors instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - items: - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an - authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded - and used in a docker login command to authenticate to a registry. - For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Merge - - None - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Fake generator is used for testing. It lets you define - a static set of credentials that is always returned. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - GCRAccessToken generates an GCP access token - that can be used to authenticate with GCR. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: githubaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - githubaccesstoken - kind: GithubAccessToken - listKind: GithubAccessTokenList - plural: githubaccesstokens - shortNames: - - githubaccesstoken - singular: githubaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GithubAccessToken generates ghs_ accessToken - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - properties: - secretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - url: - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Password generates a random password based on the - configuration parameters in spec. - You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' - enum: - - Delete - - None - type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. - properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - enum: - - Data - - Auth - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: webhooks.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - webhook - kind: Webhook - listKind: WebhookList - plural: webhooks - shortNames: - - webhookl - singular: webhook - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Webhook connects to a third party API server to handle the secrets generation - configuration parameters in spec. - You can specify the server, the token, and additional body parameters. - See documentation for the full API specification for requests and responses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: common-golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: common-golang-external-secrets-controller -subjects: - - name: common-golang-external-secrets - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: common-golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: common-golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: common-golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: common-golang-external-secrets - namespace: default ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=common-golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=common-golang-external-secrets-webhook - - --secret-namespace=default - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - - --enable-partial-cache=true - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: common-golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - - --metrics-addr=:8080 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - dnsPolicy: ClusterFirst ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=common-golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: common-golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: hub - role: hub-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/tests/common-golang-external-secrets-normal.expected.yaml b/tests/common-golang-external-secrets-normal.expected.yaml deleted file mode 100644 index 056054bad..000000000 --- a/tests/common-golang-external-secrets-normal.expected.yaml +++ /dev/null @@ -1,13143 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: common-golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ACRAccessToken returns a Azure Container Registry token - that can be used for pushing/pulling images. - Note: by default it will return an ACR Refresh Token with full access - (depending on the identity). - This can be scoped down to the repository level using .spec.scope. - In case scope is defined it will return an ACR Access Token. - - - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - Configuration used to authenticate with Azure using static - credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: |- - The labels to select by to find the Namespaces to create the ExternalSecrets in. - Deprecated: Use NamespaceSelectors instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - items: - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an - authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded - and used in a docker login command to authenticate to a registry. - For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Merge - - None - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Fake generator is used for testing. It lets you define - a static set of credentials that is always returned. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - GCRAccessToken generates an GCP access token - that can be used to authenticate with GCR. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: githubaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - githubaccesstoken - kind: GithubAccessToken - listKind: GithubAccessTokenList - plural: githubaccesstokens - shortNames: - - githubaccesstoken - singular: githubaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GithubAccessToken generates ghs_ accessToken - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - properties: - secretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - url: - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Password generates a random password based on the - configuration parameters in spec. - You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' - enum: - - Delete - - None - type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. - properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - enum: - - Data - - Auth - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: webhooks.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - webhook - kind: Webhook - listKind: WebhookList - plural: webhooks - shortNames: - - webhookl - singular: webhook - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Webhook connects to a third party API server to handle the secrets generation - configuration parameters in spec. - You can specify the server, the token, and additional body parameters. - See documentation for the full API specification for requests and responses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: common-golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: common-golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: common-golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: common-golang-external-secrets-controller -subjects: - - name: common-golang-external-secrets - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: common-golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: common-golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: common-golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: common-golang-external-secrets - namespace: default ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=common-golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=common-golang-external-secrets-webhook - - --secret-namespace=default - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - - --enable-partial-cache=true - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: common-golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - - --metrics-addr=:8080 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - dnsPolicy: ClusterFirst ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: common-golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=common-golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: common-golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: hub - role: hub-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: common-golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml deleted file mode 100644 index 14e5c9568..000000000 --- a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,410 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: common-hashicorp-vault-config - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: common-hashicorp-vault - namespace: pattern-namespace ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault-internal - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault-ui - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: ClusterIP ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: common-hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - annotations: - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "common-hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: common-hashicorp-vault - - volumes: - - - name: config - configMap: - name: common-hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).common-hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). - preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAf0AAAHhCAQAAADO0a/jAAAcYElEQVR42u2dB5hU5fWHzy5NmoBd7LH3WIIFFVS6goJRFBVjwYqKIhgbCFgQO2LBBoKKBQWFYIt/E2NHo4SABERAaui9LOzm/41DCLA7M7ffr7zv++Qxj48c7j3n++3Mztz7XZGh8h9EdMyhIodKGY1AdMoylXvFAFqB6JQD5Ff2lhKageiMJSrzG7mHdiA64z2yiZ1kFQ1BdMJVKu+b0Y2WIDphN9mCbWURTUG03kUq61txJW1BtN4rpRzVZBaNQbTaWSrnFdCe1iBabXupkEoymeYgWutklfEcNKc9iNbaXPLwHQ1CtNLvJC9NaRGilTaVAoykSYjWOVIKchxtQrTO48QDL9EoRKt8STxxiJTSLERrLFWZ9kh/2oVojf3FM3vKOhqGaIXrVJ590IeWIVphH/HFjrKSpiEa70qVZZ90pW2IxttVfFNbFtI4RKNdqHIcgCtoHaLRXiGBqCYzaR6isc6seGMOL5xL+xCN9VwJTLFMooGIRjpJ5TcEzWghopE2k5CMpYmIxjlWQnM6bUQ0ztMlAkbQSESjHCGR8DtaiWiUv5OIGEwzEY1xsETGQWzegWiIpSqvEfIYLUU0wsckUvZg8w5EA1ynshoxvWgrovb2ksjZQVbQWEStXaFyGgM301pErb1ZYqGWLKC5iNq6QGU0Ji6nvYjaernERlWZQYMRtXSGymeMnEOLEbX0HImVYplIkxG1c2K4jTm80IQ2I2pnE0mAr2k0olZ+LYlwKq1G1MpTJSHeotmI2viWJMYxtBtRG4+RBHmRhiNq4YuSKAfIBpqOmLobVBYT5lHajpi6j0ri7C5raTxiqq5VOUyBnrQeMVV7SipsJ8tpPmJqLlcZTIkutB8xNbtIatSU+QwAMRXnq/ylyKWMADEVL5VUqSLTGQJi4k5X2UuZdowBMXHbSeoUywQGgZioE+LfmMMLZzEKxEQ9SzThI4aBmJgfiTY0YhyIidlINGI4A0FMxOGiFUcxEsREPEo043mGghi7z4t27M/mHYgxu0HlTEMeZjSIsfqwaEl9WcNwEGNzjcqYpvRgPIix2UO0pZ4sY0CIsbhM5UtjbmREiLF4o2hNDZnHkBAjd57KluZcwpgQI/cS0Z4q8jODQozUn9PfmMMLZzMqxEg9W4ygSMYzLMTIHK8yZQitGRdiZLYWg/iAgSFG4gdiFCczMsRIPFkM4w2GhhjaN8Q4jpQyBocYyjKVIwN5jtEhhvI5MZJ9ZT3DQwzsepUhQ3mQ8SEG9kExll1lNQNEDORqlR+DuZMRIgbyTjGaurKEISL6donKjuFczxgRfXu9GE91mcsgEX05V+XGAjoySkRfdhQrqCxTGSaiZ6eqzFhCG8aJ6Nk2Yg1FMo6BInpynDkbc3ihFSNF9GQrsYz3GSpiQd8X62jIWBEL2lAs5DUGi5jX18RKjmDzDsQ8lqmMWMpAxouY04FiLb9h8w7EHJaofFhMP0aMWKH9xGp2kVUMGbGcq1Q2LOcOxoxYzjvEeurIYgaNuIWLVS4c4DpGjbiF14kTVJc5DBtxk3Ps2JjDCxcx7kAXfCyUf8rH8lf5lyzTuGbWNTJNvpAP5QeZKxuYXl4vEmeoLJMZuA+XyMtygdTbood7yNUyStZpVTPrFLlfGmxx4+k20kqelJlMskIn27MxhxdaM3KPrpA+eT4C2lNeDPCaGkfNrAvkKinOUbeK+sEym4mWs7U4RZF8ydA9+L7sVLCXh8qPqdfM+sFW7yIq+pynP1Pdwi/t2pjDCy0Ye0EflkqeermtjE61ZtZX1eu6Fy4P/SuFTbYQBxnD4PPa00cvi2VkajWzjvLx6tWGezg3Okac5ARGn8fhPt8I1pZ/plIz63TZzlfl25nwr54gjjKM4edwmtT03c39C7yRjqPmfz3Jd+X3mLJa/85yGG/8chjsEQz9E6+Z9a0AdQ+XUuev0zhMHOZpYl6BE3J+QZafnWVlojWzrpcDA1V+xfEpPy1Os7eUEPVyBn/U4kuJ1sz6ZsC6Jzo94xK19h2nL1EvZ/DdWs5NtGbW5gHrFstCh2fcV5xnp4JvKF3zxxDdrJNjC7Q4amadEfAXiQwvOzvjlR4uq3KA24j7VpfGhGFyYjWzPhKibldnZ3wbsc9eN7aIwEcUJpFPE6uZtVmIuhc6OuFFas3Dr1xL4Dfz1lC9fCOxmhlXyzYh6p7u6ISvJfL/parMIvKbvCFUL/8UQ82X8nxlGAY3H8Y2S6132EQHIr/Je0N9JLcu8pr5HpW6MFTddk7OtwNx35xKbN6xyRdC9LFjDDVFfshzRVqVEHVd/EVvssc7Jx3iDEK/0Y9DdPGjGGoWy5I8R7tfiMouPpDlDKJenu+I/a+uDXCbTZZjY6gpclzeow2zl+w452b7HTGviGbEfqNnBezg2zHUFOmT91iD33G+h4OTbUbMK2Y0sQ9xAU6DvPdBBr2op7jAVl1rZEcu6PHoaCIe7K2lO5bKob57V0XGR14zQ+GN0x8NVLeW/Nu5uR5HxHPzCsH/1RG+O9czhpqZHyhTPXw2sUeAync6N9NXiHc+DnF+A4dg3/628LR9tv9vlB/2dKx/9r2T/FHOPXG5VK1tyMtTxH7j79DHeu7Z4bI88pr5rhIo7+O+6u4kM5yb51NEuxC7s1XzRmer10YvHOHjwRZea2Zoq97Kez/aOz3X3UXGOjfLdWpdQ0HuJ/YbXSXnefhKdHnkNTOPSOnpe9/E16SGp2sPXLxf435i7YUdZAWx3+TQPPvr1JIH826jEaRmhuPlL4GOdZK0y1u3nvRVv3S4N8MVak2DJ24l8ptZIs/IyeWu/K4jV4Z4gGXFNUW9bp8p74Q62rFykWxf4a8lvWWpoxO8lUh7pbbMIfJbuVhel/vkBvV2/Q9ytwyP5NXzfzUvlK7ST8ZE9JpcKp/Lo2rBXyLnyDXSSwY5/ZTdOWo9g2euJuxoiVcTZz9U42nsaIUz1VoGX1zAskELvIAo+6WSTGLhoOFOYmOOILRi6aDhtiLGwRjL4kGDHUuEg9KE5YMG24QIB2cUCwgNdRTxDcORLKGNrpe/ySDpK13kFnlIXs6zS266NbP+LK/L43KbXC995Dl537lbdDMeQXzDMZTYy7vSXuqW68zucqV8o1XNjNOkewV3pm8jLdSPAJceqD6U6IblYE+bUNjrxwW2dWorE7SomXGedM77ZJl9ZIgjW7FsUOsWQjPA2dhvkBs99KeKDEy5Ztb/q/C2na1pkXdXf1scQGyjYE8nb/T8j4qI90+Ir/X43iiOmlmf9LxJ1wHWP2lpTaDdCqEC7nXyFd/fV0NdU6qZ1d9W3/vIQqtndy+RjYodfO5EY4M3+u7SkFRqZvxWqvus2zjQFiNmuJyNOaKku3Mf7vmnRoFdDuKomX0vcWCAyvY+b687cY2SWrLAqegHe1jDNYnXzPh8oLrbWbpnzwK1ViFSrnLqe/xgVJHpidbMWBL4I62eVs7uSqIaNdUc2ru9feAu9Uu0ZtBfI7LsZ+HkZrAxRxy0d+aS3bqBe9QowZpZbw4x0X/xQxu8UFzggZK2+LcQPaqc47uQOGpmDXPV2mOWTW68WqMQCy2ciP6gUD36R2I1s1YNUbezZZNrQUTj42sHoh/uSS0fJVYz4+JQdX9v1dy+Jp5xcoID0e8SqkNDE6uZcWKouidbNbcTiGe8vGN99G8J1Z/hMdR8LeexTglV9zSLpvYO0YybY62P/kOh+vNtDDU/yXmsK0LV7WDR1I4hmvEzxPLovxyqOwtiqPljnqOtGaJuV2tmNoRYJsEBlm/e8UOI3uwbQ82asjbP0TYIUXmwNXdZHkAsk+EJy1/3dwvcmd4x1GyT91h7Ba5bLPMtmdcTRDIpds/7OuTudeBFMi2Ga8sHFrhh1/Vva9aq9QiJ0cfq6H8TsCsXx1CzjizOe6xlcrTjb/f7EMck2V6WWR3+toF6siDymiL3FDzW9wLVPdSSDTqXedqRECLkFqujP0Gq+O7I0Bhq1peVHo721ADzG81VGBCMWtZ8SFSxA332o0cMNavK556Odbbs6rNyN0umNJ+NOdKgk+Wf81/roxedY6gp8oLnY/3K133qZ1izG38nYpgGVQvsH2P+t8VdPfWhkvSVsohrZrr7gq+j/avs6LFyB1ltyYSmh7pvEUJwnvUX9Q6RGgV/G/9L5DUzVT8PEITCn/VXtmo7zvOIYFoUB3xAlEnOkWtyfjy3rfTx9DGcn5qZr/PuCVQ1855ikOyV56qDDvKTVR/FsjFHijRz4CbezCMs+0mjLZ5uUyynSP9QD7IoXzNzyW4bGVjge/xCrpPX5eKtdqIvkt9JL5lo2VSaEb90+cSJ8GdcLv+Qj2SovClfy6KIaw5TffwxwmskS9Xr+2cyXAbLGPk+sqPVyU+IXto0dib6qJONiV76jGAhYsKOIHY6cDRLERP2aGKnB4NZjJigg4mcLuxv+eYdqNelVvsTOX14nCWJCfk4cdOJnWWN1cttvXwi3eUcaSj7ykHSSNpLH/m7hjWzTpX+cpE0kcNkb2kgbaSzjAx4kZB+rlFrDbSit7Wx/0U6SZ0Kz7m+9Ai4b0EcNbM/TgbmeBRXNTlLvrNgGr2Jmm5sF/IqND1dKV0K3BO3vTzi+ead+GpmfVv2y1u3SM5VP3RMnscitc5AO2628ALeIzydeZu8D8SMv2b2+r3unuruJH8zeCI3EzMdqSmzrAr+t1tdCZ+PQ2ReajUzlsiZnutWlWGGTmRWqKcOQIxcbtUde/V9nXtDWZdKzaxX+6pbTb40ciaXEzFdqSJTLQl+iRzv++w7pVAz6zO+6+6ifgyZNpOpAfY2hMSw5bHNAwKd/ZeJ18y4ULYNUPdS42bye+KlM8Uy3oLgr1KvikE4NeGaWYPtSVsp75P89HM8G3PoTlOnrxf7LNGaGRdL9YB1Oxo1k6ZES38+Nz76jQOf+y2J1sw4LHDdegbdefE5sTKBUwwP/tKtts3yw0EJ1sx6YYhJfWrMTE4hVmbwttHRHx3q3OcmVjNr/RB1exkykbeJlCn8NtBlqLr4TKhzH5tYzewNrGE+/DLjISplaj2BMQwyOPp3hzrzUYnVzDg3VN3WRsxjEHEyib1kvbHR7xzqzAfHUHNQnq+8wnCCEbdL70WczOJRY6N/Z6jzHhNDzRF5bv4NQ0sDpvEoUTKNXY19stsToc57Qgw1c1/Rty5UXf2v6Fvt+xnCoAF3Gxr94SHOuSjHbjjDQ3VyWp6j3T5E3Tss/9wFUqKeLDEy+rNDnHOjGGrWz3u0rSP/5UQfl6g1BEZyk6Gv+0cFPuMXY6jZKaavImtG+KCveLyJCJlKDfVqZ2L0ewQ831p5dtbpEbiL7+Q91pnql4xgtNP+3VcNImQulxkZ/XkBd4N5OIaaBxe80v6CgLP5SvMpXEZ8TMbUzTtuC3CuRxcI6W2BOvhWwWOdEuj+AN1f89mYw3jaGRn9JbKHz/OsLeMir+nlbv2MXX3XrS2TNZ9AO6JjOkUFI6Gn3/m6D76afBx5zcw1kQs8XvF2mq+6xfKu5t0fF/gTDNCIZoZ+zv+6VPIc/JGR1xSpKz94PtaFcqCPiTykfe+bERs7+MjQ8P/Z0wMf9vH1VJs/e3yIxEHyL1/HuthjXKrLq9r3/SMiYwvHGXs9/09ycoFfZy70feFSoZrZqkt9H+sGuUO2KVD5SCMevnUckbGH4QbfxDtGjs5xVi0CPx4zd02RM+T7wMc6Uzrl/GT8ABlmxD4Kw4mLTRxh0D5wFfmj+v34dNlr46vqTnKS9JOfI61ZS/aTs+W5CC6CWipvSEc5eONFsFVkN2kovSN6hm/8bvD4YDIwhhcM37Hvf8FaE0PNeB6BvVYWGbdf0gtExTZ+IyWWhB/js0StE7COR1jaWMBHiImN7CKrWNyYx6BPKALt6cHyxhjumATtqSuLWeCY86KkukTEXm5kiWMObyQeNlPdwOe6YxLOCfzYUDCEP7DME/te3yT/QDRsp5JMIeyxXs1nolN83NEIxtKW2Oe5hr8o1DX8ptqWWLhAUZ7HR7pgXHfumetYNuZwhZYOBz+u+/VNtiWRcIcPHQ1+XLv0mOyHxMElTnQy+HHtzWe2JxIHt3jTueDHtyOvyb5JFFzjMCl1LPpx7cNvsqVqHYBzPOdU8ON7+o7JPkcMXGQvpzbviOuZeyZbotYAOMlDDkU/riftmuxDRMBVdnbm2vXZIbpU39KerFTzB2e5y5Hoh9tgepqVPbmL5e8ydWSRE9F/IlSXvrSwI4vU7MFpbnAi+neE6tEICztyA0vfdbaR6Q5Ev3OoHg22rh/TCz4iDBygowPRvztUh0Zb14+OLHsQqSyTrY/+M6E6ZNtNzpPVzAEUZ1kf/dGh+jPXsm6cxZKHLEVGPPo5jEtDvM4dZN39i2zMAZtobv3rfuPAvbnFsk40Z7nD5rxvefQfD9yZz6zqw/ssddiS4y2PftDnydl2x/7xLHXYmtctD/+AQF2x60q+11nmUJ6DLd+8oyTAK55dd+2VqhkDVMCzlr/uz5H6vvrRUNZZdf7PssShYna3bKmX91vZwXM3DpF5Vp37OjVfgBz0s/5LvmlyhKdOtJHllp15P5Y35GZ7WWF9+FdKF6lWoAuPSJllZ71CnRVAHu5w4ibeX6RTjvvV60sPWcZty+Ae28q/Hdm5Z718It2lnTSUfeVAaSTtpY/83dJz/beaK0ABOjsSfZfszLKGwmwjMwmLVc5kYw7wxsXExSovZkmDNyrJJAJjjZN8PF0YnKc1kbHG1ixn8MNYQmOFY1nK4I8mxMYKm7CUwS/vERzjfY9lDP5pQHSMtwHLGIIwjPAY7TCWMATjYNlAgIx1AxtzQHCeIULG+gzLF4Kzp6wlREa6Vs0OIAQPECMjfYClC+HYwbrdalxwuY+NyABycDtRMs7bWbYQntqygDAZ5QI1M4AIuJY4GeW1LFmIhmoyg0AZ44wCm44C+OBCImWMF7JcIToqyURCZYQT2ZgDouVMYmWEZ7JUIWq+IVja+w3LFKLnNKKlvaexTCEO/kS4tPZPLFGIh2OJl9YeyxKFuHiVgGnrqyxPiI8D2bxD2405DmR5Qpw8Rcy09CmWJsTLHmzeoeXGHLuzNCFu7idq2nk/yxLiZ3tZRti0cpmaCUAC/JG4aeUfWZKQDLVkPoHTxvlqHgAJcQ2R08ZrWI6QHFVlOqHTwulqFgAJcgGx08ILWIqQLMUygeCl7gQ1B4CEaUX0UrcVyxDS4CvCl6pfsQQhHRoTv1RtzBKEtBhFAFNzFMsP0uNoKSOEqVimeg+QIi8Tw1R8maUH6XKArCeIibte9R0gZZ4kion7JMsO0mc3WUMYE3WN6jmABtxHHBP1PpYc6MF2spRAJuZS1W8ATehOJBOzO8sN9KGmzCOUiThP9RpAI64ilol4FUsN9KKq/EwwY/dnNuYA/TifaMbu+Swz0I9iGU84Y3U8G3OAnrQknrHakiUGuvIFAY3NL1heoC+nENHYPIXlBTrzLiGNxXdZWqA3v2Xzjlg25vgtSwt0ZwhRjdwhLCvQn/3YvCPyjTn2Y1mBCTxBXCP1CZYUmEF9WU1gI3O16ieAIdxDZCPzHpYTmEM9WUJoI3GJ6iWAQXQjtpHYjaUEZlFD5hLc0M5VfQQwjE5EN7SdWEZgHlVkKuEN5VTVQwADOY/4hvI8lhCYSZGMI8CBHaf6B2AozYlwYJuzfMBkPiPEgfyMpQNmcxIxDuRJLB0wnZEE2bcjWTZgPkeyeYfvjTmOZNmADbxEnH35EksG7GBfKSHQni1R/QKwhP5E2rP9WS5gD7vKKkLtyVWyC8sFbKI3sfZkb5YK2EVdWUywC7pY9QnAMroS7YJ2ZZmAfVSXOYQ7r3NUjwAs5ArindcrWCJgJ5VlCgHP6RTVHwBLOZeI5/RclgfYS5F8T8gr9Hs25gC7aUrMK7QpSwNs51OCXs5PWRZgPycS9XKeyLIAF3ibsG/h2ywJcIPDpZTAb7JU9QPAEQYR+U0OYjmAO+zD5h2bNubYh+UALvEYsf/Vx1gK4BY7y0qCr3qwM0sBXKMX0Vc9AHCOOrLI8eAvUj0AcJCbHI/+TSwBcJPqMsvh4M9iYw5wl8scjv5ljB/cpbJMdjT4k9mYA9zmHEejfw6jB7cpkr87GPzv2JgDoImD0W/C2AFEPnEs+J8wcoAMxzsW/eMZOUCWtxwK/luMG+C/HOrM5h2l6lwBYBMvOhL9Fxk1wObsLescCP46dZ4AsAWPOBD9RxgzwNbsJCssD/4KdY4AUI6elke/JyMGqIhtZaHFwV+ozg8AKqSLxdHvwngBcrGNzLQ0+DPVuQFATi61NPqXMlqAfFSSSRYGf5I6LwDIS1sLo9+WsQIUoki+tSz437IxB4AXmloW/aaMFMAbH1oU/A8ZJ4BXGlgU/QaME8A7b1oS/DcZJYAfDpYNFgR/gzoPAPDF8xZE/3nGCOCXPWWt4cFfq84BAHzzsOHRf5gRAgRhR1lucPCXq+MHgEDcZXD072J8AEGpLQsMDf4CdewAEJgbDI3+DYwOIAzV5BcDg/+LOm4ACMUlBkb/EsYGEJZK8qNhwZ/IxhwAUXC2YdE/m5EBRMM3BgX/G8YFEBWnGxT90xkXQHR8YEjwP2BUAFFyrCHRP5ZRAUTLGwYE/w3GBBA1B2m/eccGdYwAEDnPah79ZxkRQBzsofXmHWvV8QFALDyocfQfZDwAcbGDLNM0+MvUsQFAbNypafTvZDQAcVJL5msY/PnquAAgVq7XMPrXMxaAuKkq0zUL/nR1TAAQOxdrFv2LGQlAEhTLBI2CP0EdDwAkQhuNot+GcQAkx1eaBP8rRgGQJKdqEv1TGQVAsrynQfDfYwwASXOMlKUc/DJ1DACQOK+lHP3XGAFAGhwg61MM/nr19wNAKgxMMfoDaT9AWuwma1IK/hr1dwNAajyQUvQfoPUAabKdLE0h+EvV3wsAqXJ7CtG/nbYDpE1NmZdw8OepvxMAUue6hKN/HS0H0IGqMi3B4E9jYw4AXbgowehfRLsBdKFYxicU/PFszAGgE2cmFP0zaTWAXnyRQPC/oM0AutEogeg3os0A+jEm5uCPocUAOnJUrJt3lKn6AKAlr8YY/VdpL4Cu7B/b5h3rVW0A0JanY4r+07QWQGfqy+oYgr9a1QUArekbQ/T70lYA3aknSyIO/hJVEwC057aIo38bLQUwgRoyN8Lgz1X1AMAIrokw+tfQTgBTqCJTIwr+VFULAIyhQ0TR70ArAUyiWMZFEPxxbMwBYBpnRBD9M2gjgHl8FjL4n9FCABM5OWT0T6aFAGYyOkTwR9M+AFM5MvDmHWXqzwKAsbwSMPqv0DoAk9lXSgIEv0T9OQAwmicDRP9J2gZgOrvKKp/BX6X+DAAYz30+o38fLQOwgbqy2EfwF6v/HgCs4FYf0b+VdgHYQg2Z4zH4c9iYA8AmrvYY/atpFYBNVJGfPAT/JzbmALCN8z1E/3zaBGAbRfJDgeD/oP4bALCOlgWi35IWAdjJp3mC/yntAbCVhnmi35D2ANjLuzmC/y6tAbCZw6W0guCXqn8PAFYztILoD6UtALazT7nNO0rUvwMA6xmwVfQH0BIAF9hFVm4W/JWyMy0BcIN7N4v+vbQDwBXqyKKNwV+k/j8AOEO3jdHvRisAXKK6zFbBn63+CQBOcaWK/pW0AcA1Ksto9T8AcA525HGY/wcAxiEwaH/ifAAAAABJRU5ErkJggg== - href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: common-hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: common-hashicorp-vault-server-test - namespace: pattern-namespace - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://common-hashicorp-vault.pattern-namespace.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml deleted file mode 100644 index 14e5c9568..000000000 --- a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,410 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: common-hashicorp-vault-config - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: common-hashicorp-vault - namespace: pattern-namespace ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault-internal - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault-ui - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: ClusterIP ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: common-hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - annotations: - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "common-hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: common-hashicorp-vault - - volumes: - - - name: config - configMap: - name: common-hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).common-hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). - preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAf0AAAHhCAQAAADO0a/jAAAcYElEQVR42u2dB5hU5fWHzy5NmoBd7LH3WIIFFVS6goJRFBVjwYqKIhgbCFgQO2LBBoKKBQWFYIt/E2NHo4SABERAaui9LOzm/41DCLA7M7ffr7zv++Qxj48c7j3n++3Mztz7XZGh8h9EdMyhIodKGY1AdMoylXvFAFqB6JQD5Ff2lhKageiMJSrzG7mHdiA64z2yiZ1kFQ1BdMJVKu+b0Y2WIDphN9mCbWURTUG03kUq61txJW1BtN4rpRzVZBaNQbTaWSrnFdCe1iBabXupkEoymeYgWutklfEcNKc9iNbaXPLwHQ1CtNLvJC9NaRGilTaVAoykSYjWOVIKchxtQrTO48QDL9EoRKt8STxxiJTSLERrLFWZ9kh/2oVojf3FM3vKOhqGaIXrVJ590IeWIVphH/HFjrKSpiEa70qVZZ90pW2IxttVfFNbFtI4RKNdqHIcgCtoHaLRXiGBqCYzaR6isc6seGMOL5xL+xCN9VwJTLFMooGIRjpJ5TcEzWghopE2k5CMpYmIxjlWQnM6bUQ0ztMlAkbQSESjHCGR8DtaiWiUv5OIGEwzEY1xsETGQWzegWiIpSqvEfIYLUU0wsckUvZg8w5EA1ynshoxvWgrovb2ksjZQVbQWEStXaFyGgM301pErb1ZYqGWLKC5iNq6QGU0Ji6nvYjaernERlWZQYMRtXSGymeMnEOLEbX0HImVYplIkxG1c2K4jTm80IQ2I2pnE0mAr2k0olZ+LYlwKq1G1MpTJSHeotmI2viWJMYxtBtRG4+RBHmRhiNq4YuSKAfIBpqOmLobVBYT5lHajpi6j0ri7C5raTxiqq5VOUyBnrQeMVV7SipsJ8tpPmJqLlcZTIkutB8xNbtIatSU+QwAMRXnq/ylyKWMADEVL5VUqSLTGQJi4k5X2UuZdowBMXHbSeoUywQGgZioE+LfmMMLZzEKxEQ9SzThI4aBmJgfiTY0YhyIidlINGI4A0FMxOGiFUcxEsREPEo043mGghi7z4t27M/mHYgxu0HlTEMeZjSIsfqwaEl9WcNwEGNzjcqYpvRgPIix2UO0pZ4sY0CIsbhM5UtjbmREiLF4o2hNDZnHkBAjd57KluZcwpgQI/cS0Z4q8jODQozUn9PfmMMLZzMqxEg9W4ygSMYzLMTIHK8yZQitGRdiZLYWg/iAgSFG4gdiFCczMsRIPFkM4w2GhhjaN8Q4jpQyBocYyjKVIwN5jtEhhvI5MZJ9ZT3DQwzsepUhQ3mQ8SEG9kExll1lNQNEDORqlR+DuZMRIgbyTjGaurKEISL6donKjuFczxgRfXu9GE91mcsgEX05V+XGAjoySkRfdhQrqCxTGSaiZ6eqzFhCG8aJ6Nk2Yg1FMo6BInpynDkbc3ihFSNF9GQrsYz3GSpiQd8X62jIWBEL2lAs5DUGi5jX18RKjmDzDsQ8lqmMWMpAxouY04FiLb9h8w7EHJaofFhMP0aMWKH9xGp2kVUMGbGcq1Q2LOcOxoxYzjvEeurIYgaNuIWLVS4c4DpGjbiF14kTVJc5DBtxk3Ps2JjDCxcx7kAXfCyUf8rH8lf5lyzTuGbWNTJNvpAP5QeZKxuYXl4vEmeoLJMZuA+XyMtygdTbood7yNUyStZpVTPrFLlfGmxx4+k20kqelJlMskIn27MxhxdaM3KPrpA+eT4C2lNeDPCaGkfNrAvkKinOUbeK+sEym4mWs7U4RZF8ydA9+L7sVLCXh8qPqdfM+sFW7yIq+pynP1Pdwi/t2pjDCy0Ye0EflkqeermtjE61ZtZX1eu6Fy4P/SuFTbYQBxnD4PPa00cvi2VkajWzjvLx6tWGezg3Okac5ARGn8fhPt8I1pZ/plIz63TZzlfl25nwr54gjjKM4edwmtT03c39C7yRjqPmfz3Jd+X3mLJa/85yGG/8chjsEQz9E6+Z9a0AdQ+XUuev0zhMHOZpYl6BE3J+QZafnWVlojWzrpcDA1V+xfEpPy1Os7eUEPVyBn/U4kuJ1sz6ZsC6Jzo94xK19h2nL1EvZ/DdWs5NtGbW5gHrFstCh2fcV5xnp4JvKF3zxxDdrJNjC7Q4amadEfAXiQwvOzvjlR4uq3KA24j7VpfGhGFyYjWzPhKibldnZ3wbsc9eN7aIwEcUJpFPE6uZtVmIuhc6OuFFas3Dr1xL4Dfz1lC9fCOxmhlXyzYh6p7u6ISvJfL/parMIvKbvCFUL/8UQ82X8nxlGAY3H8Y2S6132EQHIr/Je0N9JLcu8pr5HpW6MFTddk7OtwNx35xKbN6xyRdC9LFjDDVFfshzRVqVEHVd/EVvssc7Jx3iDEK/0Y9DdPGjGGoWy5I8R7tfiMouPpDlDKJenu+I/a+uDXCbTZZjY6gpclzeow2zl+w452b7HTGviGbEfqNnBezg2zHUFOmT91iD33G+h4OTbUbMK2Y0sQ9xAU6DvPdBBr2op7jAVl1rZEcu6PHoaCIe7K2lO5bKob57V0XGR14zQ+GN0x8NVLeW/Nu5uR5HxHPzCsH/1RG+O9czhpqZHyhTPXw2sUeAync6N9NXiHc+DnF+A4dg3/628LR9tv9vlB/2dKx/9r2T/FHOPXG5VK1tyMtTxH7j79DHeu7Z4bI88pr5rhIo7+O+6u4kM5yb51NEuxC7s1XzRmer10YvHOHjwRZea2Zoq97Kez/aOz3X3UXGOjfLdWpdQ0HuJ/YbXSXnefhKdHnkNTOPSOnpe9/E16SGp2sPXLxf435i7YUdZAWx3+TQPPvr1JIH826jEaRmhuPlL4GOdZK0y1u3nvRVv3S4N8MVak2DJ24l8ptZIs/IyeWu/K4jV4Z4gGXFNUW9bp8p74Q62rFykWxf4a8lvWWpoxO8lUh7pbbMIfJbuVhel/vkBvV2/Q9ytwyP5NXzfzUvlK7ST8ZE9JpcKp/Lo2rBXyLnyDXSSwY5/ZTdOWo9g2euJuxoiVcTZz9U42nsaIUz1VoGX1zAskELvIAo+6WSTGLhoOFOYmOOILRi6aDhtiLGwRjL4kGDHUuEg9KE5YMG24QIB2cUCwgNdRTxDcORLKGNrpe/ySDpK13kFnlIXs6zS266NbP+LK/L43KbXC995Dl537lbdDMeQXzDMZTYy7vSXuqW68zucqV8o1XNjNOkewV3pm8jLdSPAJceqD6U6IblYE+bUNjrxwW2dWorE7SomXGedM77ZJl9ZIgjW7FsUOsWQjPA2dhvkBs99KeKDEy5Ztb/q/C2na1pkXdXf1scQGyjYE8nb/T8j4qI90+Ir/X43iiOmlmf9LxJ1wHWP2lpTaDdCqEC7nXyFd/fV0NdU6qZ1d9W3/vIQqtndy+RjYodfO5EY4M3+u7SkFRqZvxWqvus2zjQFiNmuJyNOaKku3Mf7vmnRoFdDuKomX0vcWCAyvY+b687cY2SWrLAqegHe1jDNYnXzPh8oLrbWbpnzwK1ViFSrnLqe/xgVJHpidbMWBL4I62eVs7uSqIaNdUc2ru9feAu9Uu0ZtBfI7LsZ+HkZrAxRxy0d+aS3bqBe9QowZpZbw4x0X/xQxu8UFzggZK2+LcQPaqc47uQOGpmDXPV2mOWTW68WqMQCy2ciP6gUD36R2I1s1YNUbezZZNrQUTj42sHoh/uSS0fJVYz4+JQdX9v1dy+Jp5xcoID0e8SqkNDE6uZcWKouidbNbcTiGe8vGN99G8J1Z/hMdR8LeexTglV9zSLpvYO0YybY62P/kOh+vNtDDU/yXmsK0LV7WDR1I4hmvEzxPLovxyqOwtiqPljnqOtGaJuV2tmNoRYJsEBlm/e8UOI3uwbQ82asjbP0TYIUXmwNXdZHkAsk+EJy1/3dwvcmd4x1GyT91h7Ba5bLPMtmdcTRDIpds/7OuTudeBFMi2Ga8sHFrhh1/Vva9aq9QiJ0cfq6H8TsCsXx1CzjizOe6xlcrTjb/f7EMck2V6WWR3+toF6siDymiL3FDzW9wLVPdSSDTqXedqRECLkFqujP0Gq+O7I0Bhq1peVHo721ADzG81VGBCMWtZ8SFSxA332o0cMNavK556Odbbs6rNyN0umNJ+NOdKgk+Wf81/roxedY6gp8oLnY/3K133qZ1izG38nYpgGVQvsH2P+t8VdPfWhkvSVsohrZrr7gq+j/avs6LFyB1ltyYSmh7pvEUJwnvUX9Q6RGgV/G/9L5DUzVT8PEITCn/VXtmo7zvOIYFoUB3xAlEnOkWtyfjy3rfTx9DGcn5qZr/PuCVQ1855ikOyV56qDDvKTVR/FsjFHijRz4CbezCMs+0mjLZ5uUyynSP9QD7IoXzNzyW4bGVjge/xCrpPX5eKtdqIvkt9JL5lo2VSaEb90+cSJ8GdcLv+Qj2SovClfy6KIaw5TffwxwmskS9Xr+2cyXAbLGPk+sqPVyU+IXto0dib6qJONiV76jGAhYsKOIHY6cDRLERP2aGKnB4NZjJigg4mcLuxv+eYdqNelVvsTOX14nCWJCfk4cdOJnWWN1cttvXwi3eUcaSj7ykHSSNpLH/m7hjWzTpX+cpE0kcNkb2kgbaSzjAx4kZB+rlFrDbSit7Wx/0U6SZ0Kz7m+9Ai4b0EcNbM/TgbmeBRXNTlLvrNgGr2Jmm5sF/IqND1dKV0K3BO3vTzi+ead+GpmfVv2y1u3SM5VP3RMnscitc5AO2628ALeIzydeZu8D8SMv2b2+r3unuruJH8zeCI3EzMdqSmzrAr+t1tdCZ+PQ2ReajUzlsiZnutWlWGGTmRWqKcOQIxcbtUde/V9nXtDWZdKzaxX+6pbTb40ciaXEzFdqSJTLQl+iRzv++w7pVAz6zO+6+6ifgyZNpOpAfY2hMSw5bHNAwKd/ZeJ18y4ULYNUPdS42bye+KlM8Uy3oLgr1KvikE4NeGaWYPtSVsp75P89HM8G3PoTlOnrxf7LNGaGRdL9YB1Oxo1k6ZES38+Nz76jQOf+y2J1sw4LHDdegbdefE5sTKBUwwP/tKtts3yw0EJ1sx6YYhJfWrMTE4hVmbwttHRHx3q3OcmVjNr/RB1exkykbeJlCn8NtBlqLr4TKhzH5tYzewNrGE+/DLjISplaj2BMQwyOPp3hzrzUYnVzDg3VN3WRsxjEHEyib1kvbHR7xzqzAfHUHNQnq+8wnCCEbdL70WczOJRY6N/Z6jzHhNDzRF5bv4NQ0sDpvEoUTKNXY19stsToc57Qgw1c1/Rty5UXf2v6Fvt+xnCoAF3Gxr94SHOuSjHbjjDQ3VyWp6j3T5E3Tss/9wFUqKeLDEy+rNDnHOjGGrWz3u0rSP/5UQfl6g1BEZyk6Gv+0cFPuMXY6jZKaavImtG+KCveLyJCJlKDfVqZ2L0ewQ831p5dtbpEbiL7+Q91pnql4xgtNP+3VcNImQulxkZ/XkBd4N5OIaaBxe80v6CgLP5SvMpXEZ8TMbUzTtuC3CuRxcI6W2BOvhWwWOdEuj+AN1f89mYw3jaGRn9JbKHz/OsLeMir+nlbv2MXX3XrS2TNZ9AO6JjOkUFI6Gn3/m6D76afBx5zcw1kQs8XvF2mq+6xfKu5t0fF/gTDNCIZoZ+zv+6VPIc/JGR1xSpKz94PtaFcqCPiTykfe+bERs7+MjQ8P/Z0wMf9vH1VJs/e3yIxEHyL1/HuthjXKrLq9r3/SMiYwvHGXs9/09ycoFfZy70feFSoZrZqkt9H+sGuUO2KVD5SCMevnUckbGH4QbfxDtGjs5xVi0CPx4zd02RM+T7wMc6Uzrl/GT8ABlmxD4Kw4mLTRxh0D5wFfmj+v34dNlr46vqTnKS9JOfI61ZS/aTs+W5CC6CWipvSEc5eONFsFVkN2kovSN6hm/8bvD4YDIwhhcM37Hvf8FaE0PNeB6BvVYWGbdf0gtExTZ+IyWWhB/js0StE7COR1jaWMBHiImN7CKrWNyYx6BPKALt6cHyxhjumATtqSuLWeCY86KkukTEXm5kiWMObyQeNlPdwOe6YxLOCfzYUDCEP7DME/te3yT/QDRsp5JMIeyxXs1nolN83NEIxtKW2Oe5hr8o1DX8ptqWWLhAUZ7HR7pgXHfumetYNuZwhZYOBz+u+/VNtiWRcIcPHQ1+XLv0mOyHxMElTnQy+HHtzWe2JxIHt3jTueDHtyOvyb5JFFzjMCl1LPpx7cNvsqVqHYBzPOdU8ON7+o7JPkcMXGQvpzbviOuZeyZbotYAOMlDDkU/riftmuxDRMBVdnbm2vXZIbpU39KerFTzB2e5y5Hoh9tgepqVPbmL5e8ydWSRE9F/IlSXvrSwI4vU7MFpbnAi+neE6tEICztyA0vfdbaR6Q5Ev3OoHg22rh/TCz4iDBygowPRvztUh0Zb14+OLHsQqSyTrY/+M6E6ZNtNzpPVzAEUZ1kf/dGh+jPXsm6cxZKHLEVGPPo5jEtDvM4dZN39i2zMAZtobv3rfuPAvbnFsk40Z7nD5rxvefQfD9yZz6zqw/ssddiS4y2PftDnydl2x/7xLHXYmtctD/+AQF2x60q+11nmUJ6DLd+8oyTAK55dd+2VqhkDVMCzlr/uz5H6vvrRUNZZdf7PssShYna3bKmX91vZwXM3DpF5Vp37OjVfgBz0s/5LvmlyhKdOtJHllp15P5Y35GZ7WWF9+FdKF6lWoAuPSJllZ71CnRVAHu5w4ibeX6RTjvvV60sPWcZty+Ae28q/Hdm5Z718It2lnTSUfeVAaSTtpY/83dJz/beaK0ABOjsSfZfszLKGwmwjMwmLVc5kYw7wxsXExSovZkmDNyrJJAJjjZN8PF0YnKc1kbHG1ixn8MNYQmOFY1nK4I8mxMYKm7CUwS/vERzjfY9lDP5pQHSMtwHLGIIwjPAY7TCWMATjYNlAgIx1AxtzQHCeIULG+gzLF4Kzp6wlREa6Vs0OIAQPECMjfYClC+HYwbrdalxwuY+NyABycDtRMs7bWbYQntqygDAZ5QI1M4AIuJY4GeW1LFmIhmoyg0AZ44wCm44C+OBCImWMF7JcIToqyURCZYQT2ZgDouVMYmWEZ7JUIWq+IVja+w3LFKLnNKKlvaexTCEO/kS4tPZPLFGIh2OJl9YeyxKFuHiVgGnrqyxPiI8D2bxD2405DmR5Qpw8Rcy09CmWJsTLHmzeoeXGHLuzNCFu7idq2nk/yxLiZ3tZRti0cpmaCUAC/JG4aeUfWZKQDLVkPoHTxvlqHgAJcQ2R08ZrWI6QHFVlOqHTwulqFgAJcgGx08ILWIqQLMUygeCl7gQ1B4CEaUX0UrcVyxDS4CvCl6pfsQQhHRoTv1RtzBKEtBhFAFNzFMsP0uNoKSOEqVimeg+QIi8Tw1R8maUH6XKArCeIibte9R0gZZ4kion7JMsO0mc3WUMYE3WN6jmABtxHHBP1PpYc6MF2spRAJuZS1W8ATehOJBOzO8sN9KGmzCOUiThP9RpAI64ilol4FUsN9KKq/EwwY/dnNuYA/TifaMbu+Swz0I9iGU84Y3U8G3OAnrQknrHakiUGuvIFAY3NL1heoC+nENHYPIXlBTrzLiGNxXdZWqA3v2Xzjlg25vgtSwt0ZwhRjdwhLCvQn/3YvCPyjTn2Y1mBCTxBXCP1CZYUmEF9WU1gI3O16ieAIdxDZCPzHpYTmEM9WUJoI3GJ6iWAQXQjtpHYjaUEZlFD5hLc0M5VfQQwjE5EN7SdWEZgHlVkKuEN5VTVQwADOY/4hvI8lhCYSZGMI8CBHaf6B2AozYlwYJuzfMBkPiPEgfyMpQNmcxIxDuRJLB0wnZEE2bcjWTZgPkeyeYfvjTmOZNmADbxEnH35EksG7GBfKSHQni1R/QKwhP5E2rP9WS5gD7vKKkLtyVWyC8sFbKI3sfZkb5YK2EVdWUywC7pY9QnAMroS7YJ2ZZmAfVSXOYQ7r3NUjwAs5ArindcrWCJgJ5VlCgHP6RTVHwBLOZeI5/RclgfYS5F8T8gr9Hs25gC7aUrMK7QpSwNs51OCXs5PWRZgPycS9XKeyLIAF3ibsG/h2ywJcIPDpZTAb7JU9QPAEQYR+U0OYjmAO+zD5h2bNubYh+UALvEYsf/Vx1gK4BY7y0qCr3qwM0sBXKMX0Vc9AHCOOrLI8eAvUj0AcJCbHI/+TSwBcJPqMsvh4M9iYw5wl8scjv5ljB/cpbJMdjT4k9mYA9zmHEejfw6jB7cpkr87GPzv2JgDoImD0W/C2AFEPnEs+J8wcoAMxzsW/eMZOUCWtxwK/luMG+C/HOrM5h2l6lwBYBMvOhL9Fxk1wObsLescCP46dZ4AsAWPOBD9RxgzwNbsJCssD/4KdY4AUI6elke/JyMGqIhtZaHFwV+ozg8AKqSLxdHvwngBcrGNzLQ0+DPVuQFATi61NPqXMlqAfFSSSRYGf5I6LwDIS1sLo9+WsQIUoki+tSz437IxB4AXmloW/aaMFMAbH1oU/A8ZJ4BXGlgU/QaME8A7b1oS/DcZJYAfDpYNFgR/gzoPAPDF8xZE/3nGCOCXPWWt4cFfq84BAHzzsOHRf5gRAgRhR1lucPCXq+MHgEDcZXD072J8AEGpLQsMDf4CdewAEJgbDI3+DYwOIAzV5BcDg/+LOm4ACMUlBkb/EsYGEJZK8qNhwZ/IxhwAUXC2YdE/m5EBRMM3BgX/G8YFEBWnGxT90xkXQHR8YEjwP2BUAFFyrCHRP5ZRAUTLGwYE/w3GBBA1B2m/eccGdYwAEDnPah79ZxkRQBzsofXmHWvV8QFALDyocfQfZDwAcbGDLNM0+MvUsQFAbNypafTvZDQAcVJL5msY/PnquAAgVq7XMPrXMxaAuKkq0zUL/nR1TAAQOxdrFv2LGQlAEhTLBI2CP0EdDwAkQhuNot+GcQAkx1eaBP8rRgGQJKdqEv1TGQVAsrynQfDfYwwASXOMlKUc/DJ1DACQOK+lHP3XGAFAGhwg61MM/nr19wNAKgxMMfoDaT9AWuwma1IK/hr1dwNAajyQUvQfoPUAabKdLE0h+EvV3wsAqXJ7CtG/nbYDpE1NmZdw8OepvxMAUue6hKN/HS0H0IGqMi3B4E9jYw4AXbgowehfRLsBdKFYxicU/PFszAGgE2cmFP0zaTWAXnyRQPC/oM0AutEogeg3os0A+jEm5uCPocUAOnJUrJt3lKn6AKAlr8YY/VdpL4Cu7B/b5h3rVW0A0JanY4r+07QWQGfqy+oYgr9a1QUArekbQ/T70lYA3aknSyIO/hJVEwC057aIo38bLQUwgRoyN8Lgz1X1AMAIrokw+tfQTgBTqCJTIwr+VFULAIyhQ0TR70ArAUyiWMZFEPxxbMwBYBpnRBD9M2gjgHl8FjL4n9FCABM5OWT0T6aFAGYyOkTwR9M+AFM5MvDmHWXqzwKAsbwSMPqv0DoAk9lXSgIEv0T9OQAwmicDRP9J2gZgOrvKKp/BX6X+DAAYz30+o38fLQOwgbqy2EfwF6v/HgCs4FYf0b+VdgHYQg2Z4zH4c9iYA8AmrvYY/atpFYBNVJGfPAT/JzbmALCN8z1E/3zaBGAbRfJDgeD/oP4bALCOlgWi35IWAdjJp3mC/yntAbCVhnmi35D2ANjLuzmC/y6tAbCZw6W0guCXqn8PAFYztILoD6UtALazT7nNO0rUvwMA6xmwVfQH0BIAF9hFVm4W/JWyMy0BcIN7N4v+vbQDwBXqyKKNwV+k/j8AOEO3jdHvRisAXKK6zFbBn63+CQBOcaWK/pW0AcA1Ksto9T8AcA525HGY/wcAxiEwaH/ifAAAAABJRU5ErkJggg== - href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: common-hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: common-hashicorp-vault-server-test - namespace: pattern-namespace - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://common-hashicorp-vault.pattern-namespace.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 14e5c9568..000000000 --- a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,410 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: common-hashicorp-vault-config - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: common-hashicorp-vault - namespace: pattern-namespace ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault-internal - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault-ui - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: ClusterIP ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: common-hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - annotations: - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "common-hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: common-hashicorp-vault - - volumes: - - - name: config - configMap: - name: common-hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).common-hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). - preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAf0AAAHhCAQAAADO0a/jAAAcYElEQVR42u2dB5hU5fWHzy5NmoBd7LH3WIIFFVS6goJRFBVjwYqKIhgbCFgQO2LBBoKKBQWFYIt/E2NHo4SABERAaui9LOzm/41DCLA7M7ffr7zv++Qxj48c7j3n++3Mztz7XZGh8h9EdMyhIodKGY1AdMoylXvFAFqB6JQD5Ff2lhKageiMJSrzG7mHdiA64z2yiZ1kFQ1BdMJVKu+b0Y2WIDphN9mCbWURTUG03kUq61txJW1BtN4rpRzVZBaNQbTaWSrnFdCe1iBabXupkEoymeYgWutklfEcNKc9iNbaXPLwHQ1CtNLvJC9NaRGilTaVAoykSYjWOVIKchxtQrTO48QDL9EoRKt8STxxiJTSLERrLFWZ9kh/2oVojf3FM3vKOhqGaIXrVJ590IeWIVphH/HFjrKSpiEa70qVZZ90pW2IxttVfFNbFtI4RKNdqHIcgCtoHaLRXiGBqCYzaR6isc6seGMOL5xL+xCN9VwJTLFMooGIRjpJ5TcEzWghopE2k5CMpYmIxjlWQnM6bUQ0ztMlAkbQSESjHCGR8DtaiWiUv5OIGEwzEY1xsETGQWzegWiIpSqvEfIYLUU0wsckUvZg8w5EA1ynshoxvWgrovb2ksjZQVbQWEStXaFyGgM301pErb1ZYqGWLKC5iNq6QGU0Ji6nvYjaernERlWZQYMRtXSGymeMnEOLEbX0HImVYplIkxG1c2K4jTm80IQ2I2pnE0mAr2k0olZ+LYlwKq1G1MpTJSHeotmI2viWJMYxtBtRG4+RBHmRhiNq4YuSKAfIBpqOmLobVBYT5lHajpi6j0ri7C5raTxiqq5VOUyBnrQeMVV7SipsJ8tpPmJqLlcZTIkutB8xNbtIatSU+QwAMRXnq/ylyKWMADEVL5VUqSLTGQJi4k5X2UuZdowBMXHbSeoUywQGgZioE+LfmMMLZzEKxEQ9SzThI4aBmJgfiTY0YhyIidlINGI4A0FMxOGiFUcxEsREPEo043mGghi7z4t27M/mHYgxu0HlTEMeZjSIsfqwaEl9WcNwEGNzjcqYpvRgPIix2UO0pZ4sY0CIsbhM5UtjbmREiLF4o2hNDZnHkBAjd57KluZcwpgQI/cS0Z4q8jODQozUn9PfmMMLZzMqxEg9W4ygSMYzLMTIHK8yZQitGRdiZLYWg/iAgSFG4gdiFCczMsRIPFkM4w2GhhjaN8Q4jpQyBocYyjKVIwN5jtEhhvI5MZJ9ZT3DQwzsepUhQ3mQ8SEG9kExll1lNQNEDORqlR+DuZMRIgbyTjGaurKEISL6donKjuFczxgRfXu9GE91mcsgEX05V+XGAjoySkRfdhQrqCxTGSaiZ6eqzFhCG8aJ6Nk2Yg1FMo6BInpynDkbc3ihFSNF9GQrsYz3GSpiQd8X62jIWBEL2lAs5DUGi5jX18RKjmDzDsQ8lqmMWMpAxouY04FiLb9h8w7EHJaofFhMP0aMWKH9xGp2kVUMGbGcq1Q2LOcOxoxYzjvEeurIYgaNuIWLVS4c4DpGjbiF14kTVJc5DBtxk3Ps2JjDCxcx7kAXfCyUf8rH8lf5lyzTuGbWNTJNvpAP5QeZKxuYXl4vEmeoLJMZuA+XyMtygdTbood7yNUyStZpVTPrFLlfGmxx4+k20kqelJlMskIn27MxhxdaM3KPrpA+eT4C2lNeDPCaGkfNrAvkKinOUbeK+sEym4mWs7U4RZF8ydA9+L7sVLCXh8qPqdfM+sFW7yIq+pynP1Pdwi/t2pjDCy0Ye0EflkqeermtjE61ZtZX1eu6Fy4P/SuFTbYQBxnD4PPa00cvi2VkajWzjvLx6tWGezg3Okac5ARGn8fhPt8I1pZ/plIz63TZzlfl25nwr54gjjKM4edwmtT03c39C7yRjqPmfz3Jd+X3mLJa/85yGG/8chjsEQz9E6+Z9a0AdQ+XUuev0zhMHOZpYl6BE3J+QZafnWVlojWzrpcDA1V+xfEpPy1Os7eUEPVyBn/U4kuJ1sz6ZsC6Jzo94xK19h2nL1EvZ/DdWs5NtGbW5gHrFstCh2fcV5xnp4JvKF3zxxDdrJNjC7Q4amadEfAXiQwvOzvjlR4uq3KA24j7VpfGhGFyYjWzPhKibldnZ3wbsc9eN7aIwEcUJpFPE6uZtVmIuhc6OuFFas3Dr1xL4Dfz1lC9fCOxmhlXyzYh6p7u6ISvJfL/parMIvKbvCFUL/8UQ82X8nxlGAY3H8Y2S6132EQHIr/Je0N9JLcu8pr5HpW6MFTddk7OtwNx35xKbN6xyRdC9LFjDDVFfshzRVqVEHVd/EVvssc7Jx3iDEK/0Y9DdPGjGGoWy5I8R7tfiMouPpDlDKJenu+I/a+uDXCbTZZjY6gpclzeow2zl+w452b7HTGviGbEfqNnBezg2zHUFOmT91iD33G+h4OTbUbMK2Y0sQ9xAU6DvPdBBr2op7jAVl1rZEcu6PHoaCIe7K2lO5bKob57V0XGR14zQ+GN0x8NVLeW/Nu5uR5HxHPzCsH/1RG+O9czhpqZHyhTPXw2sUeAync6N9NXiHc+DnF+A4dg3/628LR9tv9vlB/2dKx/9r2T/FHOPXG5VK1tyMtTxH7j79DHeu7Z4bI88pr5rhIo7+O+6u4kM5yb51NEuxC7s1XzRmer10YvHOHjwRZea2Zoq97Kez/aOz3X3UXGOjfLdWpdQ0HuJ/YbXSXnefhKdHnkNTOPSOnpe9/E16SGp2sPXLxf435i7YUdZAWx3+TQPPvr1JIH826jEaRmhuPlL4GOdZK0y1u3nvRVv3S4N8MVak2DJ24l8ptZIs/IyeWu/K4jV4Z4gGXFNUW9bp8p74Q62rFykWxf4a8lvWWpoxO8lUh7pbbMIfJbuVhel/vkBvV2/Q9ytwyP5NXzfzUvlK7ST8ZE9JpcKp/Lo2rBXyLnyDXSSwY5/ZTdOWo9g2euJuxoiVcTZz9U42nsaIUz1VoGX1zAskELvIAo+6WSTGLhoOFOYmOOILRi6aDhtiLGwRjL4kGDHUuEg9KE5YMG24QIB2cUCwgNdRTxDcORLKGNrpe/ySDpK13kFnlIXs6zS266NbP+LK/L43KbXC995Dl537lbdDMeQXzDMZTYy7vSXuqW68zucqV8o1XNjNOkewV3pm8jLdSPAJceqD6U6IblYE+bUNjrxwW2dWorE7SomXGedM77ZJl9ZIgjW7FsUOsWQjPA2dhvkBs99KeKDEy5Ztb/q/C2na1pkXdXf1scQGyjYE8nb/T8j4qI90+Ir/X43iiOmlmf9LxJ1wHWP2lpTaDdCqEC7nXyFd/fV0NdU6qZ1d9W3/vIQqtndy+RjYodfO5EY4M3+u7SkFRqZvxWqvus2zjQFiNmuJyNOaKku3Mf7vmnRoFdDuKomX0vcWCAyvY+b687cY2SWrLAqegHe1jDNYnXzPh8oLrbWbpnzwK1ViFSrnLqe/xgVJHpidbMWBL4I62eVs7uSqIaNdUc2ru9feAu9Uu0ZtBfI7LsZ+HkZrAxRxy0d+aS3bqBe9QowZpZbw4x0X/xQxu8UFzggZK2+LcQPaqc47uQOGpmDXPV2mOWTW68WqMQCy2ciP6gUD36R2I1s1YNUbezZZNrQUTj42sHoh/uSS0fJVYz4+JQdX9v1dy+Jp5xcoID0e8SqkNDE6uZcWKouidbNbcTiGe8vGN99G8J1Z/hMdR8LeexTglV9zSLpvYO0YybY62P/kOh+vNtDDU/yXmsK0LV7WDR1I4hmvEzxPLovxyqOwtiqPljnqOtGaJuV2tmNoRYJsEBlm/e8UOI3uwbQ82asjbP0TYIUXmwNXdZHkAsk+EJy1/3dwvcmd4x1GyT91h7Ba5bLPMtmdcTRDIpds/7OuTudeBFMi2Ga8sHFrhh1/Vva9aq9QiJ0cfq6H8TsCsXx1CzjizOe6xlcrTjb/f7EMck2V6WWR3+toF6siDymiL3FDzW9wLVPdSSDTqXedqRECLkFqujP0Gq+O7I0Bhq1peVHo721ADzG81VGBCMWtZ8SFSxA332o0cMNavK556Odbbs6rNyN0umNJ+NOdKgk+Wf81/roxedY6gp8oLnY/3K133qZ1izG38nYpgGVQvsH2P+t8VdPfWhkvSVsohrZrr7gq+j/avs6LFyB1ltyYSmh7pvEUJwnvUX9Q6RGgV/G/9L5DUzVT8PEITCn/VXtmo7zvOIYFoUB3xAlEnOkWtyfjy3rfTx9DGcn5qZr/PuCVQ1855ikOyV56qDDvKTVR/FsjFHijRz4CbezCMs+0mjLZ5uUyynSP9QD7IoXzNzyW4bGVjge/xCrpPX5eKtdqIvkt9JL5lo2VSaEb90+cSJ8GdcLv+Qj2SovClfy6KIaw5TffwxwmskS9Xr+2cyXAbLGPk+sqPVyU+IXto0dib6qJONiV76jGAhYsKOIHY6cDRLERP2aGKnB4NZjJigg4mcLuxv+eYdqNelVvsTOX14nCWJCfk4cdOJnWWN1cttvXwi3eUcaSj7ykHSSNpLH/m7hjWzTpX+cpE0kcNkb2kgbaSzjAx4kZB+rlFrDbSit7Wx/0U6SZ0Kz7m+9Ai4b0EcNbM/TgbmeBRXNTlLvrNgGr2Jmm5sF/IqND1dKV0K3BO3vTzi+ead+GpmfVv2y1u3SM5VP3RMnscitc5AO2628ALeIzydeZu8D8SMv2b2+r3unuruJH8zeCI3EzMdqSmzrAr+t1tdCZ+PQ2ReajUzlsiZnutWlWGGTmRWqKcOQIxcbtUde/V9nXtDWZdKzaxX+6pbTb40ciaXEzFdqSJTLQl+iRzv++w7pVAz6zO+6+6ifgyZNpOpAfY2hMSw5bHNAwKd/ZeJ18y4ULYNUPdS42bye+KlM8Uy3oLgr1KvikE4NeGaWYPtSVsp75P89HM8G3PoTlOnrxf7LNGaGRdL9YB1Oxo1k6ZES38+Nz76jQOf+y2J1sw4LHDdegbdefE5sTKBUwwP/tKtts3yw0EJ1sx6YYhJfWrMTE4hVmbwttHRHx3q3OcmVjNr/RB1exkykbeJlCn8NtBlqLr4TKhzH5tYzewNrGE+/DLjISplaj2BMQwyOPp3hzrzUYnVzDg3VN3WRsxjEHEyib1kvbHR7xzqzAfHUHNQnq+8wnCCEbdL70WczOJRY6N/Z6jzHhNDzRF5bv4NQ0sDpvEoUTKNXY19stsToc57Qgw1c1/Rty5UXf2v6Fvt+xnCoAF3Gxr94SHOuSjHbjjDQ3VyWp6j3T5E3Tss/9wFUqKeLDEy+rNDnHOjGGrWz3u0rSP/5UQfl6g1BEZyk6Gv+0cFPuMXY6jZKaavImtG+KCveLyJCJlKDfVqZ2L0ewQ831p5dtbpEbiL7+Q91pnql4xgtNP+3VcNImQulxkZ/XkBd4N5OIaaBxe80v6CgLP5SvMpXEZ8TMbUzTtuC3CuRxcI6W2BOvhWwWOdEuj+AN1f89mYw3jaGRn9JbKHz/OsLeMir+nlbv2MXX3XrS2TNZ9AO6JjOkUFI6Gn3/m6D76afBx5zcw1kQs8XvF2mq+6xfKu5t0fF/gTDNCIZoZ+zv+6VPIc/JGR1xSpKz94PtaFcqCPiTykfe+bERs7+MjQ8P/Z0wMf9vH1VJs/e3yIxEHyL1/HuthjXKrLq9r3/SMiYwvHGXs9/09ycoFfZy70feFSoZrZqkt9H+sGuUO2KVD5SCMevnUckbGH4QbfxDtGjs5xVi0CPx4zd02RM+T7wMc6Uzrl/GT8ABlmxD4Kw4mLTRxh0D5wFfmj+v34dNlr46vqTnKS9JOfI61ZS/aTs+W5CC6CWipvSEc5eONFsFVkN2kovSN6hm/8bvD4YDIwhhcM37Hvf8FaE0PNeB6BvVYWGbdf0gtExTZ+IyWWhB/js0StE7COR1jaWMBHiImN7CKrWNyYx6BPKALt6cHyxhjumATtqSuLWeCY86KkukTEXm5kiWMObyQeNlPdwOe6YxLOCfzYUDCEP7DME/te3yT/QDRsp5JMIeyxXs1nolN83NEIxtKW2Oe5hr8o1DX8ptqWWLhAUZ7HR7pgXHfumetYNuZwhZYOBz+u+/VNtiWRcIcPHQ1+XLv0mOyHxMElTnQy+HHtzWe2JxIHt3jTueDHtyOvyb5JFFzjMCl1LPpx7cNvsqVqHYBzPOdU8ON7+o7JPkcMXGQvpzbviOuZeyZbotYAOMlDDkU/riftmuxDRMBVdnbm2vXZIbpU39KerFTzB2e5y5Hoh9tgepqVPbmL5e8ydWSRE9F/IlSXvrSwI4vU7MFpbnAi+neE6tEICztyA0vfdbaR6Q5Ev3OoHg22rh/TCz4iDBygowPRvztUh0Zb14+OLHsQqSyTrY/+M6E6ZNtNzpPVzAEUZ1kf/dGh+jPXsm6cxZKHLEVGPPo5jEtDvM4dZN39i2zMAZtobv3rfuPAvbnFsk40Z7nD5rxvefQfD9yZz6zqw/ssddiS4y2PftDnydl2x/7xLHXYmtctD/+AQF2x60q+11nmUJ6DLd+8oyTAK55dd+2VqhkDVMCzlr/uz5H6vvrRUNZZdf7PssShYna3bKmX91vZwXM3DpF5Vp37OjVfgBz0s/5LvmlyhKdOtJHllp15P5Y35GZ7WWF9+FdKF6lWoAuPSJllZ71CnRVAHu5w4ibeX6RTjvvV60sPWcZty+Ae28q/Hdm5Z718It2lnTSUfeVAaSTtpY/83dJz/beaK0ABOjsSfZfszLKGwmwjMwmLVc5kYw7wxsXExSovZkmDNyrJJAJjjZN8PF0YnKc1kbHG1ixn8MNYQmOFY1nK4I8mxMYKm7CUwS/vERzjfY9lDP5pQHSMtwHLGIIwjPAY7TCWMATjYNlAgIx1AxtzQHCeIULG+gzLF4Kzp6wlREa6Vs0OIAQPECMjfYClC+HYwbrdalxwuY+NyABycDtRMs7bWbYQntqygDAZ5QI1M4AIuJY4GeW1LFmIhmoyg0AZ44wCm44C+OBCImWMF7JcIToqyURCZYQT2ZgDouVMYmWEZ7JUIWq+IVja+w3LFKLnNKKlvaexTCEO/kS4tPZPLFGIh2OJl9YeyxKFuHiVgGnrqyxPiI8D2bxD2405DmR5Qpw8Rcy09CmWJsTLHmzeoeXGHLuzNCFu7idq2nk/yxLiZ3tZRti0cpmaCUAC/JG4aeUfWZKQDLVkPoHTxvlqHgAJcQ2R08ZrWI6QHFVlOqHTwulqFgAJcgGx08ILWIqQLMUygeCl7gQ1B4CEaUX0UrcVyxDS4CvCl6pfsQQhHRoTv1RtzBKEtBhFAFNzFMsP0uNoKSOEqVimeg+QIi8Tw1R8maUH6XKArCeIibte9R0gZZ4kion7JMsO0mc3WUMYE3WN6jmABtxHHBP1PpYc6MF2spRAJuZS1W8ATehOJBOzO8sN9KGmzCOUiThP9RpAI64ilol4FUsN9KKq/EwwY/dnNuYA/TifaMbu+Swz0I9iGU84Y3U8G3OAnrQknrHakiUGuvIFAY3NL1heoC+nENHYPIXlBTrzLiGNxXdZWqA3v2Xzjlg25vgtSwt0ZwhRjdwhLCvQn/3YvCPyjTn2Y1mBCTxBXCP1CZYUmEF9WU1gI3O16ieAIdxDZCPzHpYTmEM9WUJoI3GJ6iWAQXQjtpHYjaUEZlFD5hLc0M5VfQQwjE5EN7SdWEZgHlVkKuEN5VTVQwADOY/4hvI8lhCYSZGMI8CBHaf6B2AozYlwYJuzfMBkPiPEgfyMpQNmcxIxDuRJLB0wnZEE2bcjWTZgPkeyeYfvjTmOZNmADbxEnH35EksG7GBfKSHQni1R/QKwhP5E2rP9WS5gD7vKKkLtyVWyC8sFbKI3sfZkb5YK2EVdWUywC7pY9QnAMroS7YJ2ZZmAfVSXOYQ7r3NUjwAs5ArindcrWCJgJ5VlCgHP6RTVHwBLOZeI5/RclgfYS5F8T8gr9Hs25gC7aUrMK7QpSwNs51OCXs5PWRZgPycS9XKeyLIAF3ibsG/h2ywJcIPDpZTAb7JU9QPAEQYR+U0OYjmAO+zD5h2bNubYh+UALvEYsf/Vx1gK4BY7y0qCr3qwM0sBXKMX0Vc9AHCOOrLI8eAvUj0AcJCbHI/+TSwBcJPqMsvh4M9iYw5wl8scjv5ljB/cpbJMdjT4k9mYA9zmHEejfw6jB7cpkr87GPzv2JgDoImD0W/C2AFEPnEs+J8wcoAMxzsW/eMZOUCWtxwK/luMG+C/HOrM5h2l6lwBYBMvOhL9Fxk1wObsLescCP46dZ4AsAWPOBD9RxgzwNbsJCssD/4KdY4AUI6elke/JyMGqIhtZaHFwV+ozg8AKqSLxdHvwngBcrGNzLQ0+DPVuQFATi61NPqXMlqAfFSSSRYGf5I6LwDIS1sLo9+WsQIUoki+tSz437IxB4AXmloW/aaMFMAbH1oU/A8ZJ4BXGlgU/QaME8A7b1oS/DcZJYAfDpYNFgR/gzoPAPDF8xZE/3nGCOCXPWWt4cFfq84BAHzzsOHRf5gRAgRhR1lucPCXq+MHgEDcZXD072J8AEGpLQsMDf4CdewAEJgbDI3+DYwOIAzV5BcDg/+LOm4ACMUlBkb/EsYGEJZK8qNhwZ/IxhwAUXC2YdE/m5EBRMM3BgX/G8YFEBWnGxT90xkXQHR8YEjwP2BUAFFyrCHRP5ZRAUTLGwYE/w3GBBA1B2m/eccGdYwAEDnPah79ZxkRQBzsofXmHWvV8QFALDyocfQfZDwAcbGDLNM0+MvUsQFAbNypafTvZDQAcVJL5msY/PnquAAgVq7XMPrXMxaAuKkq0zUL/nR1TAAQOxdrFv2LGQlAEhTLBI2CP0EdDwAkQhuNot+GcQAkx1eaBP8rRgGQJKdqEv1TGQVAsrynQfDfYwwASXOMlKUc/DJ1DACQOK+lHP3XGAFAGhwg61MM/nr19wNAKgxMMfoDaT9AWuwma1IK/hr1dwNAajyQUvQfoPUAabKdLE0h+EvV3wsAqXJ7CtG/nbYDpE1NmZdw8OepvxMAUue6hKN/HS0H0IGqMi3B4E9jYw4AXbgowehfRLsBdKFYxicU/PFszAGgE2cmFP0zaTWAXnyRQPC/oM0AutEogeg3os0A+jEm5uCPocUAOnJUrJt3lKn6AKAlr8YY/VdpL4Cu7B/b5h3rVW0A0JanY4r+07QWQGfqy+oYgr9a1QUArekbQ/T70lYA3aknSyIO/hJVEwC057aIo38bLQUwgRoyN8Lgz1X1AMAIrokw+tfQTgBTqCJTIwr+VFULAIyhQ0TR70ArAUyiWMZFEPxxbMwBYBpnRBD9M2gjgHl8FjL4n9FCABM5OWT0T6aFAGYyOkTwR9M+AFM5MvDmHWXqzwKAsbwSMPqv0DoAk9lXSgIEv0T9OQAwmicDRP9J2gZgOrvKKp/BX6X+DAAYz30+o38fLQOwgbqy2EfwF6v/HgCs4FYf0b+VdgHYQg2Z4zH4c9iYA8AmrvYY/atpFYBNVJGfPAT/JzbmALCN8z1E/3zaBGAbRfJDgeD/oP4bALCOlgWi35IWAdjJp3mC/yntAbCVhnmi35D2ANjLuzmC/y6tAbCZw6W0guCXqn8PAFYztILoD6UtALazT7nNO0rUvwMA6xmwVfQH0BIAF9hFVm4W/JWyMy0BcIN7N4v+vbQDwBXqyKKNwV+k/j8AOEO3jdHvRisAXKK6zFbBn63+CQBOcaWK/pW0AcA1Ksto9T8AcA525HGY/wcAxiEwaH/ifAAAAABJRU5ErkJggg== - href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: common-hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: common-hashicorp-vault-server-test - namespace: pattern-namespace - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://common-hashicorp-vault.pattern-namespace.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/tests/common-hashicorp-vault-naked.expected.yaml b/tests/common-hashicorp-vault-naked.expected.yaml deleted file mode 100644 index 8003384e6..000000000 --- a/tests/common-hashicorp-vault-naked.expected.yaml +++ /dev/null @@ -1,410 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: common-hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: common-hashicorp-vault-config - namespace: default - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: common-hashicorp-vault - namespace: default ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault-internal - namespace: default - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault-ui - namespace: default - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: ClusterIP ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: common-hashicorp-vault - namespace: default - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: common-hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - annotations: - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "common-hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: common-hashicorp-vault - - volumes: - - - name: config - configMap: - name: common-hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).common-hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). - preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAf0AAAHhCAQAAADO0a/jAAAcYElEQVR42u2dB5hU5fWHzy5NmoBd7LH3WIIFFVS6goJRFBVjwYqKIhgbCFgQO2LBBoKKBQWFYIt/E2NHo4SABERAaui9LOzm/41DCLA7M7ffr7zv++Qxj48c7j3n++3Mztz7XZGh8h9EdMyhIodKGY1AdMoylXvFAFqB6JQD5Ff2lhKageiMJSrzG7mHdiA64z2yiZ1kFQ1BdMJVKu+b0Y2WIDphN9mCbWURTUG03kUq61txJW1BtN4rpRzVZBaNQbTaWSrnFdCe1iBabXupkEoymeYgWutklfEcNKc9iNbaXPLwHQ1CtNLvJC9NaRGilTaVAoykSYjWOVIKchxtQrTO48QDL9EoRKt8STxxiJTSLERrLFWZ9kh/2oVojf3FM3vKOhqGaIXrVJ590IeWIVphH/HFjrKSpiEa70qVZZ90pW2IxttVfFNbFtI4RKNdqHIcgCtoHaLRXiGBqCYzaR6isc6seGMOL5xL+xCN9VwJTLFMooGIRjpJ5TcEzWghopE2k5CMpYmIxjlWQnM6bUQ0ztMlAkbQSESjHCGR8DtaiWiUv5OIGEwzEY1xsETGQWzegWiIpSqvEfIYLUU0wsckUvZg8w5EA1ynshoxvWgrovb2ksjZQVbQWEStXaFyGgM301pErb1ZYqGWLKC5iNq6QGU0Ji6nvYjaernERlWZQYMRtXSGymeMnEOLEbX0HImVYplIkxG1c2K4jTm80IQ2I2pnE0mAr2k0olZ+LYlwKq1G1MpTJSHeotmI2viWJMYxtBtRG4+RBHmRhiNq4YuSKAfIBpqOmLobVBYT5lHajpi6j0ri7C5raTxiqq5VOUyBnrQeMVV7SipsJ8tpPmJqLlcZTIkutB8xNbtIatSU+QwAMRXnq/ylyKWMADEVL5VUqSLTGQJi4k5X2UuZdowBMXHbSeoUywQGgZioE+LfmMMLZzEKxEQ9SzThI4aBmJgfiTY0YhyIidlINGI4A0FMxOGiFUcxEsREPEo043mGghi7z4t27M/mHYgxu0HlTEMeZjSIsfqwaEl9WcNwEGNzjcqYpvRgPIix2UO0pZ4sY0CIsbhM5UtjbmREiLF4o2hNDZnHkBAjd57KluZcwpgQI/cS0Z4q8jODQozUn9PfmMMLZzMqxEg9W4ygSMYzLMTIHK8yZQitGRdiZLYWg/iAgSFG4gdiFCczMsRIPFkM4w2GhhjaN8Q4jpQyBocYyjKVIwN5jtEhhvI5MZJ9ZT3DQwzsepUhQ3mQ8SEG9kExll1lNQNEDORqlR+DuZMRIgbyTjGaurKEISL6donKjuFczxgRfXu9GE91mcsgEX05V+XGAjoySkRfdhQrqCxTGSaiZ6eqzFhCG8aJ6Nk2Yg1FMo6BInpynDkbc3ihFSNF9GQrsYz3GSpiQd8X62jIWBEL2lAs5DUGi5jX18RKjmDzDsQ8lqmMWMpAxouY04FiLb9h8w7EHJaofFhMP0aMWKH9xGp2kVUMGbGcq1Q2LOcOxoxYzjvEeurIYgaNuIWLVS4c4DpGjbiF14kTVJc5DBtxk3Ps2JjDCxcx7kAXfCyUf8rH8lf5lyzTuGbWNTJNvpAP5QeZKxuYXl4vEmeoLJMZuA+XyMtygdTbood7yNUyStZpVTPrFLlfGmxx4+k20kqelJlMskIn27MxhxdaM3KPrpA+eT4C2lNeDPCaGkfNrAvkKinOUbeK+sEym4mWs7U4RZF8ydA9+L7sVLCXh8qPqdfM+sFW7yIq+pynP1Pdwi/t2pjDCy0Ye0EflkqeermtjE61ZtZX1eu6Fy4P/SuFTbYQBxnD4PPa00cvi2VkajWzjvLx6tWGezg3Okac5ARGn8fhPt8I1pZ/plIz63TZzlfl25nwr54gjjKM4edwmtT03c39C7yRjqPmfz3Jd+X3mLJa/85yGG/8chjsEQz9E6+Z9a0AdQ+XUuev0zhMHOZpYl6BE3J+QZafnWVlojWzrpcDA1V+xfEpPy1Os7eUEPVyBn/U4kuJ1sz6ZsC6Jzo94xK19h2nL1EvZ/DdWs5NtGbW5gHrFstCh2fcV5xnp4JvKF3zxxDdrJNjC7Q4amadEfAXiQwvOzvjlR4uq3KA24j7VpfGhGFyYjWzPhKibldnZ3wbsc9eN7aIwEcUJpFPE6uZtVmIuhc6OuFFas3Dr1xL4Dfz1lC9fCOxmhlXyzYh6p7u6ISvJfL/parMIvKbvCFUL/8UQ82X8nxlGAY3H8Y2S6132EQHIr/Je0N9JLcu8pr5HpW6MFTddk7OtwNx35xKbN6xyRdC9LFjDDVFfshzRVqVEHVd/EVvssc7Jx3iDEK/0Y9DdPGjGGoWy5I8R7tfiMouPpDlDKJenu+I/a+uDXCbTZZjY6gpclzeow2zl+w452b7HTGviGbEfqNnBezg2zHUFOmT91iD33G+h4OTbUbMK2Y0sQ9xAU6DvPdBBr2op7jAVl1rZEcu6PHoaCIe7K2lO5bKob57V0XGR14zQ+GN0x8NVLeW/Nu5uR5HxHPzCsH/1RG+O9czhpqZHyhTPXw2sUeAync6N9NXiHc+DnF+A4dg3/628LR9tv9vlB/2dKx/9r2T/FHOPXG5VK1tyMtTxH7j79DHeu7Z4bI88pr5rhIo7+O+6u4kM5yb51NEuxC7s1XzRmer10YvHOHjwRZea2Zoq97Kez/aOz3X3UXGOjfLdWpdQ0HuJ/YbXSXnefhKdHnkNTOPSOnpe9/E16SGp2sPXLxf435i7YUdZAWx3+TQPPvr1JIH826jEaRmhuPlL4GOdZK0y1u3nvRVv3S4N8MVak2DJ24l8ptZIs/IyeWu/K4jV4Z4gGXFNUW9bp8p74Q62rFykWxf4a8lvWWpoxO8lUh7pbbMIfJbuVhel/vkBvV2/Q9ytwyP5NXzfzUvlK7ST8ZE9JpcKp/Lo2rBXyLnyDXSSwY5/ZTdOWo9g2euJuxoiVcTZz9U42nsaIUz1VoGX1zAskELvIAo+6WSTGLhoOFOYmOOILRi6aDhtiLGwRjL4kGDHUuEg9KE5YMG24QIB2cUCwgNdRTxDcORLKGNrpe/ySDpK13kFnlIXs6zS266NbP+LK/L43KbXC995Dl537lbdDMeQXzDMZTYy7vSXuqW68zucqV8o1XNjNOkewV3pm8jLdSPAJceqD6U6IblYE+bUNjrxwW2dWorE7SomXGedM77ZJl9ZIgjW7FsUOsWQjPA2dhvkBs99KeKDEy5Ztb/q/C2na1pkXdXf1scQGyjYE8nb/T8j4qI90+Ir/X43iiOmlmf9LxJ1wHWP2lpTaDdCqEC7nXyFd/fV0NdU6qZ1d9W3/vIQqtndy+RjYodfO5EY4M3+u7SkFRqZvxWqvus2zjQFiNmuJyNOaKku3Mf7vmnRoFdDuKomX0vcWCAyvY+b687cY2SWrLAqegHe1jDNYnXzPh8oLrbWbpnzwK1ViFSrnLqe/xgVJHpidbMWBL4I62eVs7uSqIaNdUc2ru9feAu9Uu0ZtBfI7LsZ+HkZrAxRxy0d+aS3bqBe9QowZpZbw4x0X/xQxu8UFzggZK2+LcQPaqc47uQOGpmDXPV2mOWTW68WqMQCy2ciP6gUD36R2I1s1YNUbezZZNrQUTj42sHoh/uSS0fJVYz4+JQdX9v1dy+Jp5xcoID0e8SqkNDE6uZcWKouidbNbcTiGe8vGN99G8J1Z/hMdR8LeexTglV9zSLpvYO0YybY62P/kOh+vNtDDU/yXmsK0LV7WDR1I4hmvEzxPLovxyqOwtiqPljnqOtGaJuV2tmNoRYJsEBlm/e8UOI3uwbQ82asjbP0TYIUXmwNXdZHkAsk+EJy1/3dwvcmd4x1GyT91h7Ba5bLPMtmdcTRDIpds/7OuTudeBFMi2Ga8sHFrhh1/Vva9aq9QiJ0cfq6H8TsCsXx1CzjizOe6xlcrTjb/f7EMck2V6WWR3+toF6siDymiL3FDzW9wLVPdSSDTqXedqRECLkFqujP0Gq+O7I0Bhq1peVHo721ADzG81VGBCMWtZ8SFSxA332o0cMNavK556Odbbs6rNyN0umNJ+NOdKgk+Wf81/roxedY6gp8oLnY/3K133qZ1izG38nYpgGVQvsH2P+t8VdPfWhkvSVsohrZrr7gq+j/avs6LFyB1ltyYSmh7pvEUJwnvUX9Q6RGgV/G/9L5DUzVT8PEITCn/VXtmo7zvOIYFoUB3xAlEnOkWtyfjy3rfTx9DGcn5qZr/PuCVQ1855ikOyV56qDDvKTVR/FsjFHijRz4CbezCMs+0mjLZ5uUyynSP9QD7IoXzNzyW4bGVjge/xCrpPX5eKtdqIvkt9JL5lo2VSaEb90+cSJ8GdcLv+Qj2SovClfy6KIaw5TffwxwmskS9Xr+2cyXAbLGPk+sqPVyU+IXto0dib6qJONiV76jGAhYsKOIHY6cDRLERP2aGKnB4NZjJigg4mcLuxv+eYdqNelVvsTOX14nCWJCfk4cdOJnWWN1cttvXwi3eUcaSj7ykHSSNpLH/m7hjWzTpX+cpE0kcNkb2kgbaSzjAx4kZB+rlFrDbSit7Wx/0U6SZ0Kz7m+9Ai4b0EcNbM/TgbmeBRXNTlLvrNgGr2Jmm5sF/IqND1dKV0K3BO3vTzi+ead+GpmfVv2y1u3SM5VP3RMnscitc5AO2628ALeIzydeZu8D8SMv2b2+r3unuruJH8zeCI3EzMdqSmzrAr+t1tdCZ+PQ2ReajUzlsiZnutWlWGGTmRWqKcOQIxcbtUde/V9nXtDWZdKzaxX+6pbTb40ciaXEzFdqSJTLQl+iRzv++w7pVAz6zO+6+6ifgyZNpOpAfY2hMSw5bHNAwKd/ZeJ18y4ULYNUPdS42bye+KlM8Uy3oLgr1KvikE4NeGaWYPtSVsp75P89HM8G3PoTlOnrxf7LNGaGRdL9YB1Oxo1k6ZES38+Nz76jQOf+y2J1sw4LHDdegbdefE5sTKBUwwP/tKtts3yw0EJ1sx6YYhJfWrMTE4hVmbwttHRHx3q3OcmVjNr/RB1exkykbeJlCn8NtBlqLr4TKhzH5tYzewNrGE+/DLjISplaj2BMQwyOPp3hzrzUYnVzDg3VN3WRsxjEHEyib1kvbHR7xzqzAfHUHNQnq+8wnCCEbdL70WczOJRY6N/Z6jzHhNDzRF5bv4NQ0sDpvEoUTKNXY19stsToc57Qgw1c1/Rty5UXf2v6Fvt+xnCoAF3Gxr94SHOuSjHbjjDQ3VyWp6j3T5E3Tss/9wFUqKeLDEy+rNDnHOjGGrWz3u0rSP/5UQfl6g1BEZyk6Gv+0cFPuMXY6jZKaavImtG+KCveLyJCJlKDfVqZ2L0ewQ831p5dtbpEbiL7+Q91pnql4xgtNP+3VcNImQulxkZ/XkBd4N5OIaaBxe80v6CgLP5SvMpXEZ8TMbUzTtuC3CuRxcI6W2BOvhWwWOdEuj+AN1f89mYw3jaGRn9JbKHz/OsLeMir+nlbv2MXX3XrS2TNZ9AO6JjOkUFI6Gn3/m6D76afBx5zcw1kQs8XvF2mq+6xfKu5t0fF/gTDNCIZoZ+zv+6VPIc/JGR1xSpKz94PtaFcqCPiTykfe+bERs7+MjQ8P/Z0wMf9vH1VJs/e3yIxEHyL1/HuthjXKrLq9r3/SMiYwvHGXs9/09ycoFfZy70feFSoZrZqkt9H+sGuUO2KVD5SCMevnUckbGH4QbfxDtGjs5xVi0CPx4zd02RM+T7wMc6Uzrl/GT8ABlmxD4Kw4mLTRxh0D5wFfmj+v34dNlr46vqTnKS9JOfI61ZS/aTs+W5CC6CWipvSEc5eONFsFVkN2kovSN6hm/8bvD4YDIwhhcM37Hvf8FaE0PNeB6BvVYWGbdf0gtExTZ+IyWWhB/js0StE7COR1jaWMBHiImN7CKrWNyYx6BPKALt6cHyxhjumATtqSuLWeCY86KkukTEXm5kiWMObyQeNlPdwOe6YxLOCfzYUDCEP7DME/te3yT/QDRsp5JMIeyxXs1nolN83NEIxtKW2Oe5hr8o1DX8ptqWWLhAUZ7HR7pgXHfumetYNuZwhZYOBz+u+/VNtiWRcIcPHQ1+XLv0mOyHxMElTnQy+HHtzWe2JxIHt3jTueDHtyOvyb5JFFzjMCl1LPpx7cNvsqVqHYBzPOdU8ON7+o7JPkcMXGQvpzbviOuZeyZbotYAOMlDDkU/riftmuxDRMBVdnbm2vXZIbpU39KerFTzB2e5y5Hoh9tgepqVPbmL5e8ydWSRE9F/IlSXvrSwI4vU7MFpbnAi+neE6tEICztyA0vfdbaR6Q5Ev3OoHg22rh/TCz4iDBygowPRvztUh0Zb14+OLHsQqSyTrY/+M6E6ZNtNzpPVzAEUZ1kf/dGh+jPXsm6cxZKHLEVGPPo5jEtDvM4dZN39i2zMAZtobv3rfuPAvbnFsk40Z7nD5rxvefQfD9yZz6zqw/ssddiS4y2PftDnydl2x/7xLHXYmtctD/+AQF2x60q+11nmUJ6DLd+8oyTAK55dd+2VqhkDVMCzlr/uz5H6vvrRUNZZdf7PssShYna3bKmX91vZwXM3DpF5Vp37OjVfgBz0s/5LvmlyhKdOtJHllp15P5Y35GZ7WWF9+FdKF6lWoAuPSJllZ71CnRVAHu5w4ibeX6RTjvvV60sPWcZty+Ae28q/Hdm5Z718It2lnTSUfeVAaSTtpY/83dJz/beaK0ABOjsSfZfszLKGwmwjMwmLVc5kYw7wxsXExSovZkmDNyrJJAJjjZN8PF0YnKc1kbHG1ixn8MNYQmOFY1nK4I8mxMYKm7CUwS/vERzjfY9lDP5pQHSMtwHLGIIwjPAY7TCWMATjYNlAgIx1AxtzQHCeIULG+gzLF4Kzp6wlREa6Vs0OIAQPECMjfYClC+HYwbrdalxwuY+NyABycDtRMs7bWbYQntqygDAZ5QI1M4AIuJY4GeW1LFmIhmoyg0AZ44wCm44C+OBCImWMF7JcIToqyURCZYQT2ZgDouVMYmWEZ7JUIWq+IVja+w3LFKLnNKKlvaexTCEO/kS4tPZPLFGIh2OJl9YeyxKFuHiVgGnrqyxPiI8D2bxD2405DmR5Qpw8Rcy09CmWJsTLHmzeoeXGHLuzNCFu7idq2nk/yxLiZ3tZRti0cpmaCUAC/JG4aeUfWZKQDLVkPoHTxvlqHgAJcQ2R08ZrWI6QHFVlOqHTwulqFgAJcgGx08ILWIqQLMUygeCl7gQ1B4CEaUX0UrcVyxDS4CvCl6pfsQQhHRoTv1RtzBKEtBhFAFNzFMsP0uNoKSOEqVimeg+QIi8Tw1R8maUH6XKArCeIibte9R0gZZ4kion7JMsO0mc3WUMYE3WN6jmABtxHHBP1PpYc6MF2spRAJuZS1W8ATehOJBOzO8sN9KGmzCOUiThP9RpAI64ilol4FUsN9KKq/EwwY/dnNuYA/TifaMbu+Swz0I9iGU84Y3U8G3OAnrQknrHakiUGuvIFAY3NL1heoC+nENHYPIXlBTrzLiGNxXdZWqA3v2Xzjlg25vgtSwt0ZwhRjdwhLCvQn/3YvCPyjTn2Y1mBCTxBXCP1CZYUmEF9WU1gI3O16ieAIdxDZCPzHpYTmEM9WUJoI3GJ6iWAQXQjtpHYjaUEZlFD5hLc0M5VfQQwjE5EN7SdWEZgHlVkKuEN5VTVQwADOY/4hvI8lhCYSZGMI8CBHaf6B2AozYlwYJuzfMBkPiPEgfyMpQNmcxIxDuRJLB0wnZEE2bcjWTZgPkeyeYfvjTmOZNmADbxEnH35EksG7GBfKSHQni1R/QKwhP5E2rP9WS5gD7vKKkLtyVWyC8sFbKI3sfZkb5YK2EVdWUywC7pY9QnAMroS7YJ2ZZmAfVSXOYQ7r3NUjwAs5ArindcrWCJgJ5VlCgHP6RTVHwBLOZeI5/RclgfYS5F8T8gr9Hs25gC7aUrMK7QpSwNs51OCXs5PWRZgPycS9XKeyLIAF3ibsG/h2ywJcIPDpZTAb7JU9QPAEQYR+U0OYjmAO+zD5h2bNubYh+UALvEYsf/Vx1gK4BY7y0qCr3qwM0sBXKMX0Vc9AHCOOrLI8eAvUj0AcJCbHI/+TSwBcJPqMsvh4M9iYw5wl8scjv5ljB/cpbJMdjT4k9mYA9zmHEejfw6jB7cpkr87GPzv2JgDoImD0W/C2AFEPnEs+J8wcoAMxzsW/eMZOUCWtxwK/luMG+C/HOrM5h2l6lwBYBMvOhL9Fxk1wObsLescCP46dZ4AsAWPOBD9RxgzwNbsJCssD/4KdY4AUI6elke/JyMGqIhtZaHFwV+ozg8AKqSLxdHvwngBcrGNzLQ0+DPVuQFATi61NPqXMlqAfFSSSRYGf5I6LwDIS1sLo9+WsQIUoki+tSz437IxB4AXmloW/aaMFMAbH1oU/A8ZJ4BXGlgU/QaME8A7b1oS/DcZJYAfDpYNFgR/gzoPAPDF8xZE/3nGCOCXPWWt4cFfq84BAHzzsOHRf5gRAgRhR1lucPCXq+MHgEDcZXD072J8AEGpLQsMDf4CdewAEJgbDI3+DYwOIAzV5BcDg/+LOm4ACMUlBkb/EsYGEJZK8qNhwZ/IxhwAUXC2YdE/m5EBRMM3BgX/G8YFEBWnGxT90xkXQHR8YEjwP2BUAFFyrCHRP5ZRAUTLGwYE/w3GBBA1B2m/eccGdYwAEDnPah79ZxkRQBzsofXmHWvV8QFALDyocfQfZDwAcbGDLNM0+MvUsQFAbNypafTvZDQAcVJL5msY/PnquAAgVq7XMPrXMxaAuKkq0zUL/nR1TAAQOxdrFv2LGQlAEhTLBI2CP0EdDwAkQhuNot+GcQAkx1eaBP8rRgGQJKdqEv1TGQVAsrynQfDfYwwASXOMlKUc/DJ1DACQOK+lHP3XGAFAGhwg61MM/nr19wNAKgxMMfoDaT9AWuwma1IK/hr1dwNAajyQUvQfoPUAabKdLE0h+EvV3wsAqXJ7CtG/nbYDpE1NmZdw8OepvxMAUue6hKN/HS0H0IGqMi3B4E9jYw4AXbgowehfRLsBdKFYxicU/PFszAGgE2cmFP0zaTWAXnyRQPC/oM0AutEogeg3os0A+jEm5uCPocUAOnJUrJt3lKn6AKAlr8YY/VdpL4Cu7B/b5h3rVW0A0JanY4r+07QWQGfqy+oYgr9a1QUArekbQ/T70lYA3aknSyIO/hJVEwC057aIo38bLQUwgRoyN8Lgz1X1AMAIrokw+tfQTgBTqCJTIwr+VFULAIyhQ0TR70ArAUyiWMZFEPxxbMwBYBpnRBD9M2gjgHl8FjL4n9FCABM5OWT0T6aFAGYyOkTwR9M+AFM5MvDmHWXqzwKAsbwSMPqv0DoAk9lXSgIEv0T9OQAwmicDRP9J2gZgOrvKKp/BX6X+DAAYz30+o38fLQOwgbqy2EfwF6v/HgCs4FYf0b+VdgHYQg2Z4zH4c9iYA8AmrvYY/atpFYBNVJGfPAT/JzbmALCN8z1E/3zaBGAbRfJDgeD/oP4bALCOlgWi35IWAdjJp3mC/yntAbCVhnmi35D2ANjLuzmC/y6tAbCZw6W0guCXqn8PAFYztILoD6UtALazT7nNO0rUvwMA6xmwVfQH0BIAF9hFVm4W/JWyMy0BcIN7N4v+vbQDwBXqyKKNwV+k/j8AOEO3jdHvRisAXKK6zFbBn63+CQBOcaWK/pW0AcA1Ksto9T8AcA525HGY/wcAxiEwaH/ifAAAAABJRU5ErkJggg== - href: 'https://vault-vault.apps.foo.cluster.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: common-hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: common-hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: common-hashicorp-vault-server-test - namespace: default - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://common-hashicorp-vault.default.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/tests/common-hashicorp-vault-normal.expected.yaml b/tests/common-hashicorp-vault-normal.expected.yaml deleted file mode 100644 index 14e5c9568..000000000 --- a/tests/common-hashicorp-vault-normal.expected.yaml +++ /dev/null @@ -1,410 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: common-hashicorp-vault-config - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: common-hashicorp-vault - namespace: pattern-namespace ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault-internal - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: common-hashicorp-vault-ui - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: ClusterIP ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: common-hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - component: server - annotations: - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "common-hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: common-hashicorp-vault - - volumes: - - - name: config - configMap: - name: common-hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).common-hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). - preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAf0AAAHhCAQAAADO0a/jAAAcYElEQVR42u2dB5hU5fWHzy5NmoBd7LH3WIIFFVS6goJRFBVjwYqKIhgbCFgQO2LBBoKKBQWFYIt/E2NHo4SABERAaui9LOzm/41DCLA7M7ffr7zv++Qxj48c7j3n++3Mztz7XZGh8h9EdMyhIodKGY1AdMoylXvFAFqB6JQD5Ff2lhKageiMJSrzG7mHdiA64z2yiZ1kFQ1BdMJVKu+b0Y2WIDphN9mCbWURTUG03kUq61txJW1BtN4rpRzVZBaNQbTaWSrnFdCe1iBabXupkEoymeYgWutklfEcNKc9iNbaXPLwHQ1CtNLvJC9NaRGilTaVAoykSYjWOVIKchxtQrTO48QDL9EoRKt8STxxiJTSLERrLFWZ9kh/2oVojf3FM3vKOhqGaIXrVJ590IeWIVphH/HFjrKSpiEa70qVZZ90pW2IxttVfFNbFtI4RKNdqHIcgCtoHaLRXiGBqCYzaR6isc6seGMOL5xL+xCN9VwJTLFMooGIRjpJ5TcEzWghopE2k5CMpYmIxjlWQnM6bUQ0ztMlAkbQSESjHCGR8DtaiWiUv5OIGEwzEY1xsETGQWzegWiIpSqvEfIYLUU0wsckUvZg8w5EA1ynshoxvWgrovb2ksjZQVbQWEStXaFyGgM301pErb1ZYqGWLKC5iNq6QGU0Ji6nvYjaernERlWZQYMRtXSGymeMnEOLEbX0HImVYplIkxG1c2K4jTm80IQ2I2pnE0mAr2k0olZ+LYlwKq1G1MpTJSHeotmI2viWJMYxtBtRG4+RBHmRhiNq4YuSKAfIBpqOmLobVBYT5lHajpi6j0ri7C5raTxiqq5VOUyBnrQeMVV7SipsJ8tpPmJqLlcZTIkutB8xNbtIatSU+QwAMRXnq/ylyKWMADEVL5VUqSLTGQJi4k5X2UuZdowBMXHbSeoUywQGgZioE+LfmMMLZzEKxEQ9SzThI4aBmJgfiTY0YhyIidlINGI4A0FMxOGiFUcxEsREPEo043mGghi7z4t27M/mHYgxu0HlTEMeZjSIsfqwaEl9WcNwEGNzjcqYpvRgPIix2UO0pZ4sY0CIsbhM5UtjbmREiLF4o2hNDZnHkBAjd57KluZcwpgQI/cS0Z4q8jODQozUn9PfmMMLZzMqxEg9W4ygSMYzLMTIHK8yZQitGRdiZLYWg/iAgSFG4gdiFCczMsRIPFkM4w2GhhjaN8Q4jpQyBocYyjKVIwN5jtEhhvI5MZJ9ZT3DQwzsepUhQ3mQ8SEG9kExll1lNQNEDORqlR+DuZMRIgbyTjGaurKEISL6donKjuFczxgRfXu9GE91mcsgEX05V+XGAjoySkRfdhQrqCxTGSaiZ6eqzFhCG8aJ6Nk2Yg1FMo6BInpynDkbc3ihFSNF9GQrsYz3GSpiQd8X62jIWBEL2lAs5DUGi5jX18RKjmDzDsQ8lqmMWMpAxouY04FiLb9h8w7EHJaofFhMP0aMWKH9xGp2kVUMGbGcq1Q2LOcOxoxYzjvEeurIYgaNuIWLVS4c4DpGjbiF14kTVJc5DBtxk3Ps2JjDCxcx7kAXfCyUf8rH8lf5lyzTuGbWNTJNvpAP5QeZKxuYXl4vEmeoLJMZuA+XyMtygdTbood7yNUyStZpVTPrFLlfGmxx4+k20kqelJlMskIn27MxhxdaM3KPrpA+eT4C2lNeDPCaGkfNrAvkKinOUbeK+sEym4mWs7U4RZF8ydA9+L7sVLCXh8qPqdfM+sFW7yIq+pynP1Pdwi/t2pjDCy0Ye0EflkqeermtjE61ZtZX1eu6Fy4P/SuFTbYQBxnD4PPa00cvi2VkajWzjvLx6tWGezg3Okac5ARGn8fhPt8I1pZ/plIz63TZzlfl25nwr54gjjKM4edwmtT03c39C7yRjqPmfz3Jd+X3mLJa/85yGG/8chjsEQz9E6+Z9a0AdQ+XUuev0zhMHOZpYl6BE3J+QZafnWVlojWzrpcDA1V+xfEpPy1Os7eUEPVyBn/U4kuJ1sz6ZsC6Jzo94xK19h2nL1EvZ/DdWs5NtGbW5gHrFstCh2fcV5xnp4JvKF3zxxDdrJNjC7Q4amadEfAXiQwvOzvjlR4uq3KA24j7VpfGhGFyYjWzPhKibldnZ3wbsc9eN7aIwEcUJpFPE6uZtVmIuhc6OuFFas3Dr1xL4Dfz1lC9fCOxmhlXyzYh6p7u6ISvJfL/parMIvKbvCFUL/8UQ82X8nxlGAY3H8Y2S6132EQHIr/Je0N9JLcu8pr5HpW6MFTddk7OtwNx35xKbN6xyRdC9LFjDDVFfshzRVqVEHVd/EVvssc7Jx3iDEK/0Y9DdPGjGGoWy5I8R7tfiMouPpDlDKJenu+I/a+uDXCbTZZjY6gpclzeow2zl+w452b7HTGviGbEfqNnBezg2zHUFOmT91iD33G+h4OTbUbMK2Y0sQ9xAU6DvPdBBr2op7jAVl1rZEcu6PHoaCIe7K2lO5bKob57V0XGR14zQ+GN0x8NVLeW/Nu5uR5HxHPzCsH/1RG+O9czhpqZHyhTPXw2sUeAync6N9NXiHc+DnF+A4dg3/628LR9tv9vlB/2dKx/9r2T/FHOPXG5VK1tyMtTxH7j79DHeu7Z4bI88pr5rhIo7+O+6u4kM5yb51NEuxC7s1XzRmer10YvHOHjwRZea2Zoq97Kez/aOz3X3UXGOjfLdWpdQ0HuJ/YbXSXnefhKdHnkNTOPSOnpe9/E16SGp2sPXLxf435i7YUdZAWx3+TQPPvr1JIH826jEaRmhuPlL4GOdZK0y1u3nvRVv3S4N8MVak2DJ24l8ptZIs/IyeWu/K4jV4Z4gGXFNUW9bp8p74Q62rFykWxf4a8lvWWpoxO8lUh7pbbMIfJbuVhel/vkBvV2/Q9ytwyP5NXzfzUvlK7ST8ZE9JpcKp/Lo2rBXyLnyDXSSwY5/ZTdOWo9g2euJuxoiVcTZz9U42nsaIUz1VoGX1zAskELvIAo+6WSTGLhoOFOYmOOILRi6aDhtiLGwRjL4kGDHUuEg9KE5YMG24QIB2cUCwgNdRTxDcORLKGNrpe/ySDpK13kFnlIXs6zS266NbP+LK/L43KbXC995Dl537lbdDMeQXzDMZTYy7vSXuqW68zucqV8o1XNjNOkewV3pm8jLdSPAJceqD6U6IblYE+bUNjrxwW2dWorE7SomXGedM77ZJl9ZIgjW7FsUOsWQjPA2dhvkBs99KeKDEy5Ztb/q/C2na1pkXdXf1scQGyjYE8nb/T8j4qI90+Ir/X43iiOmlmf9LxJ1wHWP2lpTaDdCqEC7nXyFd/fV0NdU6qZ1d9W3/vIQqtndy+RjYodfO5EY4M3+u7SkFRqZvxWqvus2zjQFiNmuJyNOaKku3Mf7vmnRoFdDuKomX0vcWCAyvY+b687cY2SWrLAqegHe1jDNYnXzPh8oLrbWbpnzwK1ViFSrnLqe/xgVJHpidbMWBL4I62eVs7uSqIaNdUc2ru9feAu9Uu0ZtBfI7LsZ+HkZrAxRxy0d+aS3bqBe9QowZpZbw4x0X/xQxu8UFzggZK2+LcQPaqc47uQOGpmDXPV2mOWTW68WqMQCy2ciP6gUD36R2I1s1YNUbezZZNrQUTj42sHoh/uSS0fJVYz4+JQdX9v1dy+Jp5xcoID0e8SqkNDE6uZcWKouidbNbcTiGe8vGN99G8J1Z/hMdR8LeexTglV9zSLpvYO0YybY62P/kOh+vNtDDU/yXmsK0LV7WDR1I4hmvEzxPLovxyqOwtiqPljnqOtGaJuV2tmNoRYJsEBlm/e8UOI3uwbQ82asjbP0TYIUXmwNXdZHkAsk+EJy1/3dwvcmd4x1GyT91h7Ba5bLPMtmdcTRDIpds/7OuTudeBFMi2Ga8sHFrhh1/Vva9aq9QiJ0cfq6H8TsCsXx1CzjizOe6xlcrTjb/f7EMck2V6WWR3+toF6siDymiL3FDzW9wLVPdSSDTqXedqRECLkFqujP0Gq+O7I0Bhq1peVHo721ADzG81VGBCMWtZ8SFSxA332o0cMNavK556Odbbs6rNyN0umNJ+NOdKgk+Wf81/roxedY6gp8oLnY/3K133qZ1izG38nYpgGVQvsH2P+t8VdPfWhkvSVsohrZrr7gq+j/avs6LFyB1ltyYSmh7pvEUJwnvUX9Q6RGgV/G/9L5DUzVT8PEITCn/VXtmo7zvOIYFoUB3xAlEnOkWtyfjy3rfTx9DGcn5qZr/PuCVQ1855ikOyV56qDDvKTVR/FsjFHijRz4CbezCMs+0mjLZ5uUyynSP9QD7IoXzNzyW4bGVjge/xCrpPX5eKtdqIvkt9JL5lo2VSaEb90+cSJ8GdcLv+Qj2SovClfy6KIaw5TffwxwmskS9Xr+2cyXAbLGPk+sqPVyU+IXto0dib6qJONiV76jGAhYsKOIHY6cDRLERP2aGKnB4NZjJigg4mcLuxv+eYdqNelVvsTOX14nCWJCfk4cdOJnWWN1cttvXwi3eUcaSj7ykHSSNpLH/m7hjWzTpX+cpE0kcNkb2kgbaSzjAx4kZB+rlFrDbSit7Wx/0U6SZ0Kz7m+9Ai4b0EcNbM/TgbmeBRXNTlLvrNgGr2Jmm5sF/IqND1dKV0K3BO3vTzi+ead+GpmfVv2y1u3SM5VP3RMnscitc5AO2628ALeIzydeZu8D8SMv2b2+r3unuruJH8zeCI3EzMdqSmzrAr+t1tdCZ+PQ2ReajUzlsiZnutWlWGGTmRWqKcOQIxcbtUde/V9nXtDWZdKzaxX+6pbTb40ciaXEzFdqSJTLQl+iRzv++w7pVAz6zO+6+6ifgyZNpOpAfY2hMSw5bHNAwKd/ZeJ18y4ULYNUPdS42bye+KlM8Uy3oLgr1KvikE4NeGaWYPtSVsp75P89HM8G3PoTlOnrxf7LNGaGRdL9YB1Oxo1k6ZES38+Nz76jQOf+y2J1sw4LHDdegbdefE5sTKBUwwP/tKtts3yw0EJ1sx6YYhJfWrMTE4hVmbwttHRHx3q3OcmVjNr/RB1exkykbeJlCn8NtBlqLr4TKhzH5tYzewNrGE+/DLjISplaj2BMQwyOPp3hzrzUYnVzDg3VN3WRsxjEHEyib1kvbHR7xzqzAfHUHNQnq+8wnCCEbdL70WczOJRY6N/Z6jzHhNDzRF5bv4NQ0sDpvEoUTKNXY19stsToc57Qgw1c1/Rty5UXf2v6Fvt+xnCoAF3Gxr94SHOuSjHbjjDQ3VyWp6j3T5E3Tss/9wFUqKeLDEy+rNDnHOjGGrWz3u0rSP/5UQfl6g1BEZyk6Gv+0cFPuMXY6jZKaavImtG+KCveLyJCJlKDfVqZ2L0ewQ831p5dtbpEbiL7+Q91pnql4xgtNP+3VcNImQulxkZ/XkBd4N5OIaaBxe80v6CgLP5SvMpXEZ8TMbUzTtuC3CuRxcI6W2BOvhWwWOdEuj+AN1f89mYw3jaGRn9JbKHz/OsLeMir+nlbv2MXX3XrS2TNZ9AO6JjOkUFI6Gn3/m6D76afBx5zcw1kQs8XvF2mq+6xfKu5t0fF/gTDNCIZoZ+zv+6VPIc/JGR1xSpKz94PtaFcqCPiTykfe+bERs7+MjQ8P/Z0wMf9vH1VJs/e3yIxEHyL1/HuthjXKrLq9r3/SMiYwvHGXs9/09ycoFfZy70feFSoZrZqkt9H+sGuUO2KVD5SCMevnUckbGH4QbfxDtGjs5xVi0CPx4zd02RM+T7wMc6Uzrl/GT8ABlmxD4Kw4mLTRxh0D5wFfmj+v34dNlr46vqTnKS9JOfI61ZS/aTs+W5CC6CWipvSEc5eONFsFVkN2kovSN6hm/8bvD4YDIwhhcM37Hvf8FaE0PNeB6BvVYWGbdf0gtExTZ+IyWWhB/js0StE7COR1jaWMBHiImN7CKrWNyYx6BPKALt6cHyxhjumATtqSuLWeCY86KkukTEXm5kiWMObyQeNlPdwOe6YxLOCfzYUDCEP7DME/te3yT/QDRsp5JMIeyxXs1nolN83NEIxtKW2Oe5hr8o1DX8ptqWWLhAUZ7HR7pgXHfumetYNuZwhZYOBz+u+/VNtiWRcIcPHQ1+XLv0mOyHxMElTnQy+HHtzWe2JxIHt3jTueDHtyOvyb5JFFzjMCl1LPpx7cNvsqVqHYBzPOdU8ON7+o7JPkcMXGQvpzbviOuZeyZbotYAOMlDDkU/riftmuxDRMBVdnbm2vXZIbpU39KerFTzB2e5y5Hoh9tgepqVPbmL5e8ydWSRE9F/IlSXvrSwI4vU7MFpbnAi+neE6tEICztyA0vfdbaR6Q5Ev3OoHg22rh/TCz4iDBygowPRvztUh0Zb14+OLHsQqSyTrY/+M6E6ZNtNzpPVzAEUZ1kf/dGh+jPXsm6cxZKHLEVGPPo5jEtDvM4dZN39i2zMAZtobv3rfuPAvbnFsk40Z7nD5rxvefQfD9yZz6zqw/ssddiS4y2PftDnydl2x/7xLHXYmtctD/+AQF2x60q+11nmUJ6DLd+8oyTAK55dd+2VqhkDVMCzlr/uz5H6vvrRUNZZdf7PssShYna3bKmX91vZwXM3DpF5Vp37OjVfgBz0s/5LvmlyhKdOtJHllp15P5Y35GZ7WWF9+FdKF6lWoAuPSJllZ71CnRVAHu5w4ibeX6RTjvvV60sPWcZty+Ae28q/Hdm5Z718It2lnTSUfeVAaSTtpY/83dJz/beaK0ABOjsSfZfszLKGwmwjMwmLVc5kYw7wxsXExSovZkmDNyrJJAJjjZN8PF0YnKc1kbHG1ixn8MNYQmOFY1nK4I8mxMYKm7CUwS/vERzjfY9lDP5pQHSMtwHLGIIwjPAY7TCWMATjYNlAgIx1AxtzQHCeIULG+gzLF4Kzp6wlREa6Vs0OIAQPECMjfYClC+HYwbrdalxwuY+NyABycDtRMs7bWbYQntqygDAZ5QI1M4AIuJY4GeW1LFmIhmoyg0AZ44wCm44C+OBCImWMF7JcIToqyURCZYQT2ZgDouVMYmWEZ7JUIWq+IVja+w3LFKLnNKKlvaexTCEO/kS4tPZPLFGIh2OJl9YeyxKFuHiVgGnrqyxPiI8D2bxD2405DmR5Qpw8Rcy09CmWJsTLHmzeoeXGHLuzNCFu7idq2nk/yxLiZ3tZRti0cpmaCUAC/JG4aeUfWZKQDLVkPoHTxvlqHgAJcQ2R08ZrWI6QHFVlOqHTwulqFgAJcgGx08ILWIqQLMUygeCl7gQ1B4CEaUX0UrcVyxDS4CvCl6pfsQQhHRoTv1RtzBKEtBhFAFNzFMsP0uNoKSOEqVimeg+QIi8Tw1R8maUH6XKArCeIibte9R0gZZ4kion7JMsO0mc3WUMYE3WN6jmABtxHHBP1PpYc6MF2spRAJuZS1W8ATehOJBOzO8sN9KGmzCOUiThP9RpAI64ilol4FUsN9KKq/EwwY/dnNuYA/TifaMbu+Swz0I9iGU84Y3U8G3OAnrQknrHakiUGuvIFAY3NL1heoC+nENHYPIXlBTrzLiGNxXdZWqA3v2Xzjlg25vgtSwt0ZwhRjdwhLCvQn/3YvCPyjTn2Y1mBCTxBXCP1CZYUmEF9WU1gI3O16ieAIdxDZCPzHpYTmEM9WUJoI3GJ6iWAQXQjtpHYjaUEZlFD5hLc0M5VfQQwjE5EN7SdWEZgHlVkKuEN5VTVQwADOY/4hvI8lhCYSZGMI8CBHaf6B2AozYlwYJuzfMBkPiPEgfyMpQNmcxIxDuRJLB0wnZEE2bcjWTZgPkeyeYfvjTmOZNmADbxEnH35EksG7GBfKSHQni1R/QKwhP5E2rP9WS5gD7vKKkLtyVWyC8sFbKI3sfZkb5YK2EVdWUywC7pY9QnAMroS7YJ2ZZmAfVSXOYQ7r3NUjwAs5ArindcrWCJgJ5VlCgHP6RTVHwBLOZeI5/RclgfYS5F8T8gr9Hs25gC7aUrMK7QpSwNs51OCXs5PWRZgPycS9XKeyLIAF3ibsG/h2ywJcIPDpZTAb7JU9QPAEQYR+U0OYjmAO+zD5h2bNubYh+UALvEYsf/Vx1gK4BY7y0qCr3qwM0sBXKMX0Vc9AHCOOrLI8eAvUj0AcJCbHI/+TSwBcJPqMsvh4M9iYw5wl8scjv5ljB/cpbJMdjT4k9mYA9zmHEejfw6jB7cpkr87GPzv2JgDoImD0W/C2AFEPnEs+J8wcoAMxzsW/eMZOUCWtxwK/luMG+C/HOrM5h2l6lwBYBMvOhL9Fxk1wObsLescCP46dZ4AsAWPOBD9RxgzwNbsJCssD/4KdY4AUI6elke/JyMGqIhtZaHFwV+ozg8AKqSLxdHvwngBcrGNzLQ0+DPVuQFATi61NPqXMlqAfFSSSRYGf5I6LwDIS1sLo9+WsQIUoki+tSz437IxB4AXmloW/aaMFMAbH1oU/A8ZJ4BXGlgU/QaME8A7b1oS/DcZJYAfDpYNFgR/gzoPAPDF8xZE/3nGCOCXPWWt4cFfq84BAHzzsOHRf5gRAgRhR1lucPCXq+MHgEDcZXD072J8AEGpLQsMDf4CdewAEJgbDI3+DYwOIAzV5BcDg/+LOm4ACMUlBkb/EsYGEJZK8qNhwZ/IxhwAUXC2YdE/m5EBRMM3BgX/G8YFEBWnGxT90xkXQHR8YEjwP2BUAFFyrCHRP5ZRAUTLGwYE/w3GBBA1B2m/eccGdYwAEDnPah79ZxkRQBzsofXmHWvV8QFALDyocfQfZDwAcbGDLNM0+MvUsQFAbNypafTvZDQAcVJL5msY/PnquAAgVq7XMPrXMxaAuKkq0zUL/nR1TAAQOxdrFv2LGQlAEhTLBI2CP0EdDwAkQhuNot+GcQAkx1eaBP8rRgGQJKdqEv1TGQVAsrynQfDfYwwASXOMlKUc/DJ1DACQOK+lHP3XGAFAGhwg61MM/nr19wNAKgxMMfoDaT9AWuwma1IK/hr1dwNAajyQUvQfoPUAabKdLE0h+EvV3wsAqXJ7CtG/nbYDpE1NmZdw8OepvxMAUue6hKN/HS0H0IGqMi3B4E9jYw4AXbgowehfRLsBdKFYxicU/PFszAGgE2cmFP0zaTWAXnyRQPC/oM0AutEogeg3os0A+jEm5uCPocUAOnJUrJt3lKn6AKAlr8YY/VdpL4Cu7B/b5h3rVW0A0JanY4r+07QWQGfqy+oYgr9a1QUArekbQ/T70lYA3aknSyIO/hJVEwC057aIo38bLQUwgRoyN8Lgz1X1AMAIrokw+tfQTgBTqCJTIwr+VFULAIyhQ0TR70ArAUyiWMZFEPxxbMwBYBpnRBD9M2gjgHl8FjL4n9FCABM5OWT0T6aFAGYyOkTwR9M+AFM5MvDmHWXqzwKAsbwSMPqv0DoAk9lXSgIEv0T9OQAwmicDRP9J2gZgOrvKKp/BX6X+DAAYz30+o38fLQOwgbqy2EfwF6v/HgCs4FYf0b+VdgHYQg2Z4zH4c9iYA8AmrvYY/atpFYBNVJGfPAT/JzbmALCN8z1E/3zaBGAbRfJDgeD/oP4bALCOlgWi35IWAdjJp3mC/yntAbCVhnmi35D2ANjLuzmC/y6tAbCZw6W0guCXqn8PAFYztILoD6UtALazT7nNO0rUvwMA6xmwVfQH0BIAF9hFVm4W/JWyMy0BcIN7N4v+vbQDwBXqyKKNwV+k/j8AOEO3jdHvRisAXKK6zFbBn63+CQBOcaWK/pW0AcA1Ksto9T8AcA525HGY/wcAxiEwaH/ifAAAAABJRU5ErkJggg== - href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: common-hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: common-hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: common-hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: common-hashicorp-vault-server-test - namespace: pattern-namespace - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://common-hashicorp-vault.pattern-namespace.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/tests/common-letsencrypt-industrial-edge-factory.expected.yaml b/tests/common-letsencrypt-industrial-edge-factory.expected.yaml deleted file mode 100644 index b5aded2f0..000000000 --- a/tests/common-letsencrypt-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.region.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. - controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.region.example.com' - usages: - - server auth - dnsNames: - - api.region.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.region.example.com' - usages: - - server auth - dnsNames: - - '*.apps.region.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/tests/common-letsencrypt-industrial-edge-hub.expected.yaml b/tests/common-letsencrypt-industrial-edge-hub.expected.yaml deleted file mode 100644 index b5aded2f0..000000000 --- a/tests/common-letsencrypt-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.region.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. - controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.region.example.com' - usages: - - server auth - dnsNames: - - api.region.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.region.example.com' - usages: - - server auth - dnsNames: - - '*.apps.region.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/tests/common-letsencrypt-medical-diagnosis-hub.expected.yaml b/tests/common-letsencrypt-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index b5aded2f0..000000000 --- a/tests/common-letsencrypt-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.region.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. - controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.region.example.com' - usages: - - server auth - dnsNames: - - api.region.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.region.example.com' - usages: - - server auth - dnsNames: - - '*.apps.region.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/tests/common-letsencrypt-naked.expected.yaml b/tests/common-letsencrypt-naked.expected.yaml deleted file mode 100644 index 73aa94a46..000000000 --- a/tests/common-letsencrypt-naked.expected.yaml +++ /dev/null @@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. - controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.example.com' - usages: - - server auth - dnsNames: - - api.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.example.com' - usages: - - server auth - dnsNames: - - '*.apps.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/tests/common-letsencrypt-normal.expected.yaml b/tests/common-letsencrypt-normal.expected.yaml deleted file mode 100644 index b5aded2f0..000000000 --- a/tests/common-letsencrypt-normal.expected.yaml +++ /dev/null @@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.region.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. - controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.region.example.com' - usages: - - server auth - dnsNames: - - api.region.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.region.example.com' - usages: - - server auth - dnsNames: - - '*.apps.region.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/tests/common-operator-install-industrial-edge-factory.expected.yaml b/tests/common-operator-install-industrial-edge-factory.expected.yaml deleted file mode 100644 index 3dafb50fb..000000000 --- a/tests/common-operator-install-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -# Source: pattern-install/templates/pattern-operator-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: patterns-operator-config - namespace: openshift-operators -data: - gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.13 - - # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace - # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan - # gitops.ManualSync: GitOpsDefaultManualSync - # gitops.name: GitOpsDefaultPackageName ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: common-operator-install - namespace: openshift-operators -spec: - clusterGroupName: datacenter - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - multiSourceConfig: - enabled: true ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/tests/common-operator-install-industrial-edge-hub.expected.yaml b/tests/common-operator-install-industrial-edge-hub.expected.yaml deleted file mode 100644 index 3dafb50fb..000000000 --- a/tests/common-operator-install-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -# Source: pattern-install/templates/pattern-operator-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: patterns-operator-config - namespace: openshift-operators -data: - gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.13 - - # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace - # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan - # gitops.ManualSync: GitOpsDefaultManualSync - # gitops.name: GitOpsDefaultPackageName ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: common-operator-install - namespace: openshift-operators -spec: - clusterGroupName: datacenter - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - multiSourceConfig: - enabled: true ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/tests/common-operator-install-medical-diagnosis-hub.expected.yaml b/tests/common-operator-install-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 3dafb50fb..000000000 --- a/tests/common-operator-install-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -# Source: pattern-install/templates/pattern-operator-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: patterns-operator-config - namespace: openshift-operators -data: - gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.13 - - # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace - # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan - # gitops.ManualSync: GitOpsDefaultManualSync - # gitops.name: GitOpsDefaultPackageName ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: common-operator-install - namespace: openshift-operators -spec: - clusterGroupName: datacenter - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - multiSourceConfig: - enabled: true ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/tests/common-operator-install-naked.expected.yaml b/tests/common-operator-install-naked.expected.yaml deleted file mode 100644 index 7466acc4e..000000000 --- a/tests/common-operator-install-naked.expected.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -# Source: pattern-install/templates/pattern-operator-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: patterns-operator-config - namespace: openshift-operators -data: - gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.13 - - # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace - # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan - # gitops.ManualSync: GitOpsDefaultManualSync - # gitops.name: GitOpsDefaultPackageName ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: common-operator-install - namespace: openshift-operators -spec: - clusterGroupName: default - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - multiSourceConfig: - enabled: false ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/tests/common-operator-install-normal.expected.yaml b/tests/common-operator-install-normal.expected.yaml deleted file mode 100644 index 3dafb50fb..000000000 --- a/tests/common-operator-install-normal.expected.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -# Source: pattern-install/templates/pattern-operator-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: patterns-operator-config - namespace: openshift-operators -data: - gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.13 - - # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace - # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan - # gitops.ManualSync: GitOpsDefaultManualSync - # gitops.name: GitOpsDefaultPackageName ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: common-operator-install - namespace: openshift-operators -spec: - clusterGroupName: datacenter - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - multiSourceConfig: - enabled: true ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/tests/datacenter-external-secrets-industrial-edge-factory.expected.yaml b/tests/datacenter-external-secrets-industrial-edge-factory.expected.yaml deleted file mode 100644 index 503fbfa58..000000000 --- a/tests/datacenter-external-secrets-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,133 +0,0 @@ ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: external-secrets -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: manuela-data-lake -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: manuela-tst-all -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/secret-git-repo-credentials.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: git-repo-credentials - namespace: manuela-ci -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: git-repo-credentials - template: - metadata: - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/git-0: https://github.com/PLAINTEXT - type: kubernetes.io/basic-auth - dataFrom: - - extract: - key: secret/data/hub/git ---- -# Source: external-secrets-install/templates/secret-image-registry-credentials.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: image-registry-credentials - namespace: manuela-ci -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: image-registry-credentials - template: - metadata: - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/docker-0: https://quay.io - type: kubernetes.io/basic-auth - dataFrom: - - extract: - key: secret/data/hub/imageregistry diff --git a/tests/datacenter-external-secrets-industrial-edge-hub.expected.yaml b/tests/datacenter-external-secrets-industrial-edge-hub.expected.yaml deleted file mode 100644 index 503fbfa58..000000000 --- a/tests/datacenter-external-secrets-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,133 +0,0 @@ ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: external-secrets -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: manuela-data-lake -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: manuela-tst-all -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/secret-git-repo-credentials.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: git-repo-credentials - namespace: manuela-ci -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: git-repo-credentials - template: - metadata: - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/git-0: https://github.com/PLAINTEXT - type: kubernetes.io/basic-auth - dataFrom: - - extract: - key: secret/data/hub/git ---- -# Source: external-secrets-install/templates/secret-image-registry-credentials.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: image-registry-credentials - namespace: manuela-ci -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: image-registry-credentials - template: - metadata: - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/docker-0: https://quay.io - type: kubernetes.io/basic-auth - dataFrom: - - extract: - key: secret/data/hub/imageregistry diff --git a/tests/datacenter-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/datacenter-external-secrets-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 503fbfa58..000000000 --- a/tests/datacenter-external-secrets-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,133 +0,0 @@ ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: external-secrets -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: manuela-data-lake -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: manuela-tst-all -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/secret-git-repo-credentials.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: git-repo-credentials - namespace: manuela-ci -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: git-repo-credentials - template: - metadata: - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/git-0: https://github.com/PLAINTEXT - type: kubernetes.io/basic-auth - dataFrom: - - extract: - key: secret/data/hub/git ---- -# Source: external-secrets-install/templates/secret-image-registry-credentials.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: image-registry-credentials - namespace: manuela-ci -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: image-registry-credentials - template: - metadata: - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/docker-0: https://quay.io - type: kubernetes.io/basic-auth - dataFrom: - - extract: - key: secret/data/hub/imageregistry diff --git a/tests/datacenter-external-secrets-naked.expected.yaml b/tests/datacenter-external-secrets-naked.expected.yaml deleted file mode 100644 index 503fbfa58..000000000 --- a/tests/datacenter-external-secrets-naked.expected.yaml +++ /dev/null @@ -1,133 +0,0 @@ ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: external-secrets -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: manuela-data-lake -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: manuela-tst-all -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/secret-git-repo-credentials.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: git-repo-credentials - namespace: manuela-ci -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: git-repo-credentials - template: - metadata: - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/git-0: https://github.com/PLAINTEXT - type: kubernetes.io/basic-auth - dataFrom: - - extract: - key: secret/data/hub/git ---- -# Source: external-secrets-install/templates/secret-image-registry-credentials.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: image-registry-credentials - namespace: manuela-ci -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: image-registry-credentials - template: - metadata: - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/docker-0: https://quay.io - type: kubernetes.io/basic-auth - dataFrom: - - extract: - key: secret/data/hub/imageregistry diff --git a/tests/datacenter-external-secrets-normal.expected.yaml b/tests/datacenter-external-secrets-normal.expected.yaml deleted file mode 100644 index 503fbfa58..000000000 --- a/tests/datacenter-external-secrets-normal.expected.yaml +++ /dev/null @@ -1,133 +0,0 @@ ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: external-secrets -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: manuela-data-lake -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/s3-secret.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: s3-secret - namespace: manuela-tst-all -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: s3-secret - creationPolicy: Owner - template: - type: Opaque - data: - "application.properties": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - "s3Secret": "{{ cat `s3.accessKey:` .awsAccessKeyId `\ns3.secretKey:` .awsSecretAccessKey }}" - data: - - secretKey: "awsAccessKeyId" - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: "awsSecretAccessKey" - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key ---- -# Source: external-secrets-install/templates/secret-git-repo-credentials.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: git-repo-credentials - namespace: manuela-ci -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: git-repo-credentials - template: - metadata: - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/git-0: https://github.com/PLAINTEXT - type: kubernetes.io/basic-auth - dataFrom: - - extract: - key: secret/data/hub/git ---- -# Source: external-secrets-install/templates/secret-image-registry-credentials.yaml -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: image-registry-credentials - namespace: manuela-ci -spec: - refreshInterval: 15s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: image-registry-credentials - template: - metadata: - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/docker-0: https://quay.io - type: kubernetes.io/basic-auth - dataFrom: - - extract: - key: secret/data/hub/imageregistry diff --git a/tests/datacenter-manuela-data-lake-industrial-edge-factory.expected.yaml b/tests/datacenter-manuela-data-lake-industrial-edge-factory.expected.yaml deleted file mode 100644 index bea507386..000000000 --- a/tests/datacenter-manuela-data-lake-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,264 +0,0 @@ ---- -# Source: manuela-data-lake/templates/central-s3-store/kafka-to-s3-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kafka-to-s3-config - namespace: manuela-data-lake -data: - application.properties: | - - kafka.broker.uri=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092 - kafka.broker.topic.temperature=manuela-factory.iot-sensor-sw-temperature - kafka.broker.topic.vibration=manuela-factory.iot-sensor-sw-vibration - - s3.region=AWSREGION - s3.bucket.name=BUCKETNAME - s3.message.aggregation.count=50 - s3.custom.endpoint.enabled=false - # Convert this directory into a helm chart and use templating to set this - s3.custom.endpoint.url=s3-openshift-storage.apps.region.example.com ---- -# Source: manuela-data-lake/templates/central-s3-store/kafka-to-s3-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: kafka-to-s3-integration - namespace: manuela-data-lake - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: kafka-to-s3-config - - type: secret - value: s3-secret - profile: OpenShift - sources: - - content: | - // dependency=camel:camel-endpointdsl - package com.redhat.manuela.routes; - import java.io.ByteArrayInputStream; - import java.util.Iterator; - import java.util.List; - - import org.apache.camel.Exchange; - import org.apache.camel.Processor; - import org.apache.camel.PropertyInject; - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.aws2.s3.AWS2S3Constants; - import org.apache.camel.builder.endpoint.dsl.AWS2S3EndpointBuilderFactory; - import org.apache.camel.model.OnCompletionDefinition; - import org.apache.camel.processor.aggregate.GroupedBodyAggregationStrategy; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - public class Kafka2S3Route extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(Kafka2S3Route.class); - - @PropertyInject("s3.custom.endpoint.enabled") - private String s3_custom_endpoint_enabled; - - @PropertyInject("s3.custom.endpoint.url") - private String s3_custom_endpoint_url; - - @PropertyInject("s3.accessKey") - private String s3_accessKey; - @PropertyInject("s3.secretKey") - private String s3_secretKey; - @PropertyInject("s3.message.aggregation.count") - private String s3_message_aggregation_count; - - @PropertyInject("s3.region") - private String s3_region; - @Override - public void configure() throws Exception { - storeTemperatureInS3(); - storeVibrationInS3(); - } - - private void storeVibrationInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String endpoint = "&uriEndpointOverride=" + s3_custom_endpoint_url; - String s3params = key - + endpoint - + secret - + region; - - from("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-prod-vibration-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded from [ ${headers[kafka.KEY]} ] Vibration dataset to S3"); - } - private void storeTemperatureInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String endpoint = "&uriEndpointOverride=" + s3_custom_endpoint_url; - String s3params = key - + endpoint - + secret - + region; - from("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-prod-temperature-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded Temperature from [ ${headers[kafka.KEY]} ] dataset to S3"); - } - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: Kafka2S3Route.java ---- -# Source: manuela-data-lake/templates/central-s3-store/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/ga/all@id=redhat.ea ---- -# Source: manuela-data-lake/templates/manuela-kafka-cluster/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: prod-kafka-cluster - namespace: manuela-data-lake - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: factory-secret-data-lake-placement-binding -placementRef: - name: factory-secret-data-lake-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: factory-secret-data-lake-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -# We need to run this on any managed cluster but not on the HUB -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: factory-secret-data-lake-placement -spec: - clusterSelector: { - "matchExpressions": [ - { - "key": "vendor", - "operator": "In", - "values": [ - "OpenShift" - ] - } - ] -} ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: manuela-data-lake.factory-secret-data-lake-policy -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: factory-secret-data-lake - annotations: - apps.open-cluster-management.io/deployables: "secret" - spec: - remediationAction: enforce - severity: med - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - type: Opaque - metadata: - name: prod-kafka-cluster-cluster-ca-cert - namespace: manuela-stormshift-messaging - apiVersion: v1 - data: - ca.crt: '{{hub index (lookup "v1" "Secret" "manuela-data-lake" "prod-kafka-cluster-cluster-ca-cert").data "ca.crt" hub}}' diff --git a/tests/datacenter-manuela-data-lake-industrial-edge-hub.expected.yaml b/tests/datacenter-manuela-data-lake-industrial-edge-hub.expected.yaml deleted file mode 100644 index 96427f72f..000000000 --- a/tests/datacenter-manuela-data-lake-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,267 +0,0 @@ ---- -# Source: manuela-data-lake/templates/central-s3-store/kafka-to-s3-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kafka-to-s3-config - namespace: manuela-data-lake -data: - application.properties: | - - kafka.broker.uri=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092 - kafka.broker.topic.temperature=manuela-factory.iot-sensor-sw-temperature - kafka.broker.topic.vibration=manuela-factory.iot-sensor-sw-vibration - - s3.region=AWSREGION - s3.bucket.name=BUCKETNAME - s3.message.aggregation.count=50 - s3.custom.endpoint.enabled=false - # Convert this directory into a helm chart and use templating to set this - s3.custom.endpoint.url=s3-openshift-storage.apps.region.example.com ---- -# Source: manuela-data-lake/templates/central-s3-store/kafka-to-s3-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: kafka-to-s3-integration - namespace: manuela-data-lake - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: kafka-to-s3-config - - type: secret - value: s3-secret - profile: OpenShift - sources: - - content: | - // dependency=camel:camel-endpointdsl - package com.redhat.manuela.routes; - import java.io.ByteArrayInputStream; - import java.util.Iterator; - import java.util.List; - - import org.apache.camel.Exchange; - import org.apache.camel.Processor; - import org.apache.camel.PropertyInject; - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.aws2.s3.AWS2S3Constants; - import org.apache.camel.builder.endpoint.dsl.AWS2S3EndpointBuilderFactory; - import org.apache.camel.model.OnCompletionDefinition; - import org.apache.camel.processor.aggregate.GroupedBodyAggregationStrategy; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - public class Kafka2S3Route extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(Kafka2S3Route.class); - - @PropertyInject("s3.custom.endpoint.enabled") - private String s3_custom_endpoint_enabled; - - @PropertyInject("s3.custom.endpoint.url") - private String s3_custom_endpoint_url; - - @PropertyInject("s3.accessKey") - private String s3_accessKey; - @PropertyInject("s3.secretKey") - private String s3_secretKey; - @PropertyInject("s3.message.aggregation.count") - private String s3_message_aggregation_count; - - @PropertyInject("s3.region") - private String s3_region; - @Override - public void configure() throws Exception { - storeTemperatureInS3(); - storeVibrationInS3(); - } - - private void storeVibrationInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String endpoint = "&uriEndpointOverride=" + s3_custom_endpoint_url; - String s3params = key - + endpoint - + secret - + region; - - from("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-prod-vibration-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded from [ ${headers[kafka.KEY]} ] Vibration dataset to S3"); - } - private void storeTemperatureInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String endpoint = "&uriEndpointOverride=" + s3_custom_endpoint_url; - String s3params = key - + endpoint - + secret - + region; - from("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-prod-temperature-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded Temperature from [ ${headers[kafka.KEY]} ] dataset to S3"); - } - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: Kafka2S3Route.java ---- -# Source: manuela-data-lake/templates/central-s3-store/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/ga/all@id=redhat.ea ---- -# Source: manuela-data-lake/templates/manuela-kafka-cluster/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: prod-kafka-cluster - namespace: manuela-data-lake - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: factory-secret-data-lake-placement-binding -placementRef: - name: factory-secret-data-lake-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: factory-secret-data-lake-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -# We need to run this on any managed cluster but not on the HUB -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: factory-secret-data-lake-placement -spec: - clusterSelector: { - "matchExpressions": [ - { - "key": "vendor", - "operator": "In", - "values": [ - "OpenShift" - ] - } - ], - "matchLabels": { - "clusterGroup": "factory" - } -} ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: manuela-data-lake.factory-secret-data-lake-policy -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: factory-secret-data-lake - annotations: - apps.open-cluster-management.io/deployables: "secret" - spec: - remediationAction: enforce - severity: med - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - type: Opaque - metadata: - name: prod-kafka-cluster-cluster-ca-cert - namespace: manuela-stormshift-messaging - apiVersion: v1 - data: - ca.crt: '{{hub index (lookup "v1" "Secret" "manuela-data-lake" "prod-kafka-cluster-cluster-ca-cert").data "ca.crt" hub}}' diff --git a/tests/datacenter-manuela-data-lake-medical-diagnosis-hub.expected.yaml b/tests/datacenter-manuela-data-lake-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 0d008ad82..000000000 --- a/tests/datacenter-manuela-data-lake-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,323 +0,0 @@ ---- -# Source: manuela-data-lake/templates/central-s3-store/kafka-to-s3-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kafka-to-s3-config - namespace: manuela-data-lake -data: - application.properties: | - - kafka.broker.uri=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092 - kafka.broker.topic.temperature=manuela-factory.iot-sensor-sw-temperature - kafka.broker.topic.vibration=manuela-factory.iot-sensor-sw-vibration - - s3.region=AWSREGION - s3.bucket.name=BUCKETNAME - s3.message.aggregation.count=50 - s3.custom.endpoint.enabled=false - # Convert this directory into a helm chart and use templating to set this - s3.custom.endpoint.url=s3-openshift-storage.apps.region.example.com ---- -# Source: manuela-data-lake/templates/central-s3-store/kafka-to-s3-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: kafka-to-s3-integration - namespace: manuela-data-lake - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: kafka-to-s3-config - - type: secret - value: s3-secret - profile: OpenShift - sources: - - content: | - // dependency=camel:camel-endpointdsl - package com.redhat.manuela.routes; - import java.io.ByteArrayInputStream; - import java.util.Iterator; - import java.util.List; - - import org.apache.camel.Exchange; - import org.apache.camel.Processor; - import org.apache.camel.PropertyInject; - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.aws2.s3.AWS2S3Constants; - import org.apache.camel.builder.endpoint.dsl.AWS2S3EndpointBuilderFactory; - import org.apache.camel.model.OnCompletionDefinition; - import org.apache.camel.processor.aggregate.GroupedBodyAggregationStrategy; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - public class Kafka2S3Route extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(Kafka2S3Route.class); - - @PropertyInject("s3.custom.endpoint.enabled") - private String s3_custom_endpoint_enabled; - - @PropertyInject("s3.custom.endpoint.url") - private String s3_custom_endpoint_url; - - @PropertyInject("s3.accessKey") - private String s3_accessKey; - @PropertyInject("s3.secretKey") - private String s3_secretKey; - @PropertyInject("s3.message.aggregation.count") - private String s3_message_aggregation_count; - - @PropertyInject("s3.region") - private String s3_region; - @Override - public void configure() throws Exception { - storeTemperatureInS3(); - storeVibrationInS3(); - } - - private void storeVibrationInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String endpoint = "&uriEndpointOverride=" + s3_custom_endpoint_url; - String s3params = key - + endpoint - + secret - + region; - - from("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-prod-vibration-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded from [ ${headers[kafka.KEY]} ] Vibration dataset to S3"); - } - private void storeTemperatureInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String endpoint = "&uriEndpointOverride=" + s3_custom_endpoint_url; - String s3params = key - + endpoint - + secret - + region; - from("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-prod-temperature-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded Temperature from [ ${headers[kafka.KEY]} ] dataset to S3"); - } - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: Kafka2S3Route.java ---- -# Source: manuela-data-lake/templates/central-s3-store/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/ga/all@id=redhat.ea ---- -# Source: manuela-data-lake/templates/manuela-kafka-cluster/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: prod-kafka-cluster - namespace: manuela-data-lake - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: factory-secret-data-lake-placement-binding -placementRef: - name: factory-secret-data-lake-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: factory-secret-data-lake-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: factory-secret-data-lake-placement-binding -placementRef: - name: factory-secret-data-lake-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: factory-secret-data-lake-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -# We need to run this on any managed cluster but not on the HUB -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: factory-secret-data-lake-placement -spec: - clusterSelector: { - "matchLabels": { - "clusterGroup": "region-one" - } -} ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: manuela-data-lake.factory-secret-data-lake-policy -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: factory-secret-data-lake - annotations: - apps.open-cluster-management.io/deployables: "secret" - spec: - remediationAction: enforce - severity: med - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - type: Opaque - metadata: - name: prod-kafka-cluster-cluster-ca-cert - namespace: manuela-stormshift-messaging - apiVersion: v1 - data: - ca.crt: '{{hub index (lookup "v1" "Secret" "manuela-data-lake" "prod-kafka-cluster-cluster-ca-cert").data "ca.crt" hub}}' ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -# We need to run this on any managed cluster but not on the HUB -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: factory-secret-data-lake-placement -spec: - clusterSelector: { - "matchExpressions": [ - { - "key": "vendor", - "operator": "In", - "values": [ - "OpenShift" - ] - } - ] -} -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: manuela-data-lake.factory-secret-data-lake-policy -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: factory-secret-data-lake - annotations: - apps.open-cluster-management.io/deployables: "secret" - spec: - remediationAction: enforce - severity: med - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - type: Opaque - metadata: - name: prod-kafka-cluster-cluster-ca-cert - namespace: manuela-stormshift-messaging - apiVersion: v1 - data: - ca.crt: '{{hub index (lookup "v1" "Secret" "manuela-data-lake" "prod-kafka-cluster-cluster-ca-cert").data "ca.crt" hub}}' diff --git a/tests/datacenter-manuela-data-lake-naked.expected.yaml b/tests/datacenter-manuela-data-lake-naked.expected.yaml deleted file mode 100644 index ce1bd3a50..000000000 --- a/tests/datacenter-manuela-data-lake-naked.expected.yaml +++ /dev/null @@ -1,264 +0,0 @@ ---- -# Source: manuela-data-lake/templates/central-s3-store/kafka-to-s3-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kafka-to-s3-config - namespace: manuela-data-lake -data: - application.properties: | - - kafka.broker.uri=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092 - kafka.broker.topic.temperature=manuela-factory.iot-sensor-sw-temperature - kafka.broker.topic.vibration=manuela-factory.iot-sensor-sw-vibration - - s3.region=AWSREGION - s3.bucket.name=BUCKETNAME - s3.message.aggregation.count=50 - s3.custom.endpoint.enabled=false - # Convert this directory into a helm chart and use templating to set this - s3.custom.endpoint.url=s3-openshift-storage. ---- -# Source: manuela-data-lake/templates/central-s3-store/kafka-to-s3-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: kafka-to-s3-integration - namespace: manuela-data-lake - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: kafka-to-s3-config - - type: secret - value: s3-secret - profile: OpenShift - sources: - - content: | - // dependency=camel:camel-endpointdsl - package com.redhat.manuela.routes; - import java.io.ByteArrayInputStream; - import java.util.Iterator; - import java.util.List; - - import org.apache.camel.Exchange; - import org.apache.camel.Processor; - import org.apache.camel.PropertyInject; - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.aws2.s3.AWS2S3Constants; - import org.apache.camel.builder.endpoint.dsl.AWS2S3EndpointBuilderFactory; - import org.apache.camel.model.OnCompletionDefinition; - import org.apache.camel.processor.aggregate.GroupedBodyAggregationStrategy; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - public class Kafka2S3Route extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(Kafka2S3Route.class); - - @PropertyInject("s3.custom.endpoint.enabled") - private String s3_custom_endpoint_enabled; - - @PropertyInject("s3.custom.endpoint.url") - private String s3_custom_endpoint_url; - - @PropertyInject("s3.accessKey") - private String s3_accessKey; - @PropertyInject("s3.secretKey") - private String s3_secretKey; - @PropertyInject("s3.message.aggregation.count") - private String s3_message_aggregation_count; - - @PropertyInject("s3.region") - private String s3_region; - @Override - public void configure() throws Exception { - storeTemperatureInS3(); - storeVibrationInS3(); - } - - private void storeVibrationInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String endpoint = "&uriEndpointOverride=" + s3_custom_endpoint_url; - String s3params = key - + endpoint - + secret - + region; - - from("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-prod-vibration-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded from [ ${headers[kafka.KEY]} ] Vibration dataset to S3"); - } - private void storeTemperatureInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String endpoint = "&uriEndpointOverride=" + s3_custom_endpoint_url; - String s3params = key - + endpoint - + secret - + region; - from("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-prod-temperature-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded Temperature from [ ${headers[kafka.KEY]} ] dataset to S3"); - } - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: Kafka2S3Route.java ---- -# Source: manuela-data-lake/templates/central-s3-store/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/ga/all@id=redhat.ea ---- -# Source: manuela-data-lake/templates/manuela-kafka-cluster/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: prod-kafka-cluster - namespace: manuela-data-lake - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: factory-secret-data-lake-placement-binding -placementRef: - name: factory-secret-data-lake-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: factory-secret-data-lake-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -# We need to run this on any managed cluster but not on the HUB -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: factory-secret-data-lake-placement -spec: - clusterSelector: { - "matchExpressions": [ - { - "key": "vendor", - "operator": "In", - "values": [ - "OpenShift" - ] - } - ] -} ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: manuela-data-lake.factory-secret-data-lake-policy -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: factory-secret-data-lake - annotations: - apps.open-cluster-management.io/deployables: "secret" - spec: - remediationAction: enforce - severity: med - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - type: Opaque - metadata: - name: prod-kafka-cluster-cluster-ca-cert - namespace: manuela-stormshift-messaging - apiVersion: v1 - data: - ca.crt: '{{hub index (lookup "v1" "Secret" "manuela-data-lake" "prod-kafka-cluster-cluster-ca-cert").data "ca.crt" hub}}' diff --git a/tests/datacenter-manuela-data-lake-normal.expected.yaml b/tests/datacenter-manuela-data-lake-normal.expected.yaml deleted file mode 100644 index d707c001a..000000000 --- a/tests/datacenter-manuela-data-lake-normal.expected.yaml +++ /dev/null @@ -1,423 +0,0 @@ ---- -# Source: manuela-data-lake/templates/central-s3-store/kafka-to-s3-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kafka-to-s3-config - namespace: manuela-data-lake -data: - application.properties: | - - kafka.broker.uri=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092 - kafka.broker.topic.temperature=manuela-factory.iot-sensor-sw-temperature - kafka.broker.topic.vibration=manuela-factory.iot-sensor-sw-vibration - - s3.region=AWSREGION - s3.bucket.name=BUCKETNAME - s3.message.aggregation.count=50 - s3.custom.endpoint.enabled=false - # Convert this directory into a helm chart and use templating to set this - s3.custom.endpoint.url=s3-openshift-storage.apps.region.example.com ---- -# Source: manuela-data-lake/templates/central-s3-store/kafka-to-s3-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: kafka-to-s3-integration - namespace: manuela-data-lake - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: kafka-to-s3-config - - type: secret - value: s3-secret - profile: OpenShift - sources: - - content: | - // dependency=camel:camel-endpointdsl - package com.redhat.manuela.routes; - import java.io.ByteArrayInputStream; - import java.util.Iterator; - import java.util.List; - - import org.apache.camel.Exchange; - import org.apache.camel.Processor; - import org.apache.camel.PropertyInject; - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.aws2.s3.AWS2S3Constants; - import org.apache.camel.builder.endpoint.dsl.AWS2S3EndpointBuilderFactory; - import org.apache.camel.model.OnCompletionDefinition; - import org.apache.camel.processor.aggregate.GroupedBodyAggregationStrategy; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - public class Kafka2S3Route extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(Kafka2S3Route.class); - - @PropertyInject("s3.custom.endpoint.enabled") - private String s3_custom_endpoint_enabled; - - @PropertyInject("s3.custom.endpoint.url") - private String s3_custom_endpoint_url; - - @PropertyInject("s3.accessKey") - private String s3_accessKey; - @PropertyInject("s3.secretKey") - private String s3_secretKey; - @PropertyInject("s3.message.aggregation.count") - private String s3_message_aggregation_count; - - @PropertyInject("s3.region") - private String s3_region; - @Override - public void configure() throws Exception { - storeTemperatureInS3(); - storeVibrationInS3(); - } - - private void storeVibrationInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String endpoint = "&uriEndpointOverride=" + s3_custom_endpoint_url; - String s3params = key - + endpoint - + secret - + region; - - from("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-prod-vibration-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded from [ ${headers[kafka.KEY]} ] Vibration dataset to S3"); - } - private void storeTemperatureInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String endpoint = "&uriEndpointOverride=" + s3_custom_endpoint_url; - String s3params = key - + endpoint - + secret - + region; - from("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=prod-kafka-cluster-kafka-bootstrap.manuela-data-lake.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-prod-temperature-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded Temperature from [ ${headers[kafka.KEY]} ] dataset to S3"); - } - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: Kafka2S3Route.java ---- -# Source: manuela-data-lake/templates/central-s3-store/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/ga/all@id=redhat.ea ---- -# Source: manuela-data-lake/templates/manuela-kafka-cluster/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: prod-kafka-cluster - namespace: manuela-data-lake - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: factory-secret-data-lake-placement-binding -placementRef: - name: factory-secret-data-lake-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: factory-secret-data-lake-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: factory-secret-data-lake-placement-binding -placementRef: - name: factory-secret-data-lake-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: factory-secret-data-lake-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: factory-secret-data-lake-placement-binding -placementRef: - name: factory-secret-data-lake-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: factory-secret-data-lake-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: factory-secret-data-lake-placement-binding -placementRef: - name: factory-secret-data-lake-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: factory-secret-data-lake-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -# We need to run this on any managed cluster but not on the HUB -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: factory-secret-data-lake-placement -spec: - clusterSelector: - matchLabels: ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: manuela-data-lake.factory-secret-data-lake-policy -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: factory-secret-data-lake - annotations: - apps.open-cluster-management.io/deployables: "secret" - spec: - remediationAction: enforce - severity: med - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - type: Opaque - metadata: - name: prod-kafka-cluster-cluster-ca-cert - namespace: manuela-stormshift-messaging - apiVersion: v1 - data: - ca.crt: '{{hub index (lookup "v1" "Secret" "manuela-data-lake" "prod-kafka-cluster-cluster-ca-cert").data "ca.crt" hub}}' ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -# We need to run this on any managed cluster but not on the HUB -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: factory-secret-data-lake-placement -spec: - clusterSelector: - matchLabels: -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: manuela-data-lake.factory-secret-data-lake-policy -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: factory-secret-data-lake - annotations: - apps.open-cluster-management.io/deployables: "secret" - spec: - remediationAction: enforce - severity: med - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - type: Opaque - metadata: - name: prod-kafka-cluster-cluster-ca-cert - namespace: manuela-stormshift-messaging - apiVersion: v1 - data: - ca.crt: '{{hub index (lookup "v1" "Secret" "manuela-data-lake" "prod-kafka-cluster-cluster-ca-cert").data "ca.crt" hub}}' ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -# We need to run this on any managed cluster but not on the HUB -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: factory-secret-data-lake-placement -spec: - clusterSelector: - matchLabels: -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: manuela-data-lake.factory-secret-data-lake-policy -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: factory-secret-data-lake - annotations: - apps.open-cluster-management.io/deployables: "secret" - spec: - remediationAction: enforce - severity: med - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - type: Opaque - metadata: - name: prod-kafka-cluster-cluster-ca-cert - namespace: manuela-stormshift-messaging - apiVersion: v1 - data: - ca.crt: '{{hub index (lookup "v1" "Secret" "manuela-data-lake" "prod-kafka-cluster-cluster-ca-cert").data "ca.crt" hub}}' ---- -# Source: manuela-data-lake/templates/factory-data-lake-secret-policy.yaml -# We need to run this on any managed cluster but not on the HUB -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: factory-secret-data-lake-placement -spec: - clusterSelector: - matchLabels: -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: manuela-data-lake.factory-secret-data-lake-policy -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: factory-secret-data-lake - annotations: - apps.open-cluster-management.io/deployables: "secret" - spec: - remediationAction: enforce - severity: med - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - type: Opaque - metadata: - name: prod-kafka-cluster-cluster-ca-cert - namespace: manuela-stormshift-messaging - apiVersion: v1 - data: - ca.crt: '{{hub index (lookup "v1" "Secret" "manuela-data-lake" "prod-kafka-cluster-cluster-ca-cert").data "ca.crt" hub}}' diff --git a/tests/datacenter-manuela-tst-industrial-edge-factory.expected.yaml b/tests/datacenter-manuela-tst-industrial-edge-factory.expected.yaml deleted file mode 100644 index 7dc410dac..000000000 --- a/tests/datacenter-manuela-tst-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,991 +0,0 @@ ---- -# Source: manuela-tst-all/templates/development-s3-store/kafka-to-s3-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kafka-to-s3-config - namespace: manuela-tst-all -data: - application.properties: | - - kafka.broker.uri=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092 - kafka.broker.topic.temperature=iot-sensor-sw-temperature - kafka.broker.topic.vibration=iot-sensor-sw-vibration - - local.cluster.name=apps.region.example.com - s3.region=AWSREGION - s3.bucket.name=BUCKETNAME - s3.message.aggregation.count=50 - s3.custom.endpoint.enabled=false - # Convert this directory into a helm chart and use templating to set this - s3.custom.endpoint.url=s3-openshift-storage.apps.region.example.com ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-configmap.config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: line-dashboard-configmap - namespace: manuela-tst-all - labels: - app.kubernetes.io/instance: manuela-tst-all -data: - "config.json": |- - { - "websocketHost": "http://messaging-manuela-tst-all.apps.region.example.com", - "websocketPath": "/api/service-web/socket", - "SERVER_TIMEOUT": "20000" - } ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-1-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-1 -data: - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-tst-all.apps.region.example.com - #broker-amq-mqtt-all-0-svc-rte-manuela-tst-all - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc.manuela-tst-all.svc" - #MQTT_PORT: "80" - #MQTT_PORT: "61616" - - - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-1" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - MQTT_PASSWORD: "iotuser" - MQTT_PORT: "61616" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "18" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "15" - SENSOR_VIBRATION_PEAKINTETVAL: "20" ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-2-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-2 -data: - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-2" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - MQTT_PASSWORD: "iotuser" - MQTT_PORT: "61616" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "true" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "true" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "true" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "17" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "12" - SENSOR_VIBRATION_PEAKINTETVAL: "200" ---- -# Source: manuela-tst-all/templates/messaging-kafka/mqtt2kafka-config.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: mqtt2kafka-config - namespace: manuela-tst-all -# DO NOT DELETE. NEEDED BY THE mqtt2kafka-integration SERVICE ---- -# Source: manuela-tst-all/templates/messaging/messaging-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: messaging-configmap -data: - VIBRATION_ALERT_ENABLED: "true" - VIBRATION_ANOMALY_ENABLED: "true" - NODE_TLS_REJECT_UNAUTHORIZED: "0" - MQTT_BROKER: "ws://broker-amq-mqtt-all-0-svc:61616" - MQTT_PASSWORD: "iotuser" - MQTT_USER: "iotuser" - PORT: "3000" - SOCKET_PATH: "/api/service-web/socket" - TEMPERATURE_THRESHOLD: "70.0" - TEMPERATURE_ALERT_ENABLED: "true" - TOPIC_GPS: "iot-sensor/sw/gps" - TOPIC_TEMPERATURE: "iot-sensor/sw/temperature" - TOPIC_VIBRATION: "iot-sensor/sw/vibration" - TOPIC_LIGHT: "iot-sensor/sw/light" - ANOMALY_DETECTION_URL: "http://anomaly-detection-predictor:8000" ---- -# Source: manuela-tst-all/templates/system-image-builder-role-binding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: 'system:image-builder' -subjects: - - kind: ServiceAccount - name: pipeline - namespace: manuela-ci -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'system:image-builder' ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: line-dashboard - name: line-dashboard -spec: - ports: - - name: 8080-tcp - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: line-dashboard - deploymentconfig: line-dashboard - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-tst-all/templates/messaging/messaging-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: messaging - name: messaging -spec: - ports: - - name: 3000-tcp - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: messaging - deploymentconfig: messaging - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: line-dashboard - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: line-dashboard -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentconfig: line-dashboard - template: - metadata: - creationTimestamp: null - labels: - app: line-dashboard - deploymentconfig: line-dashboard - name: line-dashboard - spec: - containers: - - name: line-dashboard - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8080 - name: http - protocol: TCP - volumeMounts: - # the following mountpath is used for images which are based on the HTTPD base images, i.e. built using the CI/CD pipelines - - mountPath: /var/www/html/conf/ - name: line-dashboard-configmap-vol - # the following mountpath is used for images based directly on the NodeJS builder image, i.e. when deploying images built in the iotdemo namespace during quickstart - - mountPath: /opt/app-root/output/conf - name: line-dashboard-configmap-vol - #subPath: config.json - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - volumes: - - name: line-dashboard-configmap-vol - configMap: - defaultMode: 438 - name: line-dashboard-configmap ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-1-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-1 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-1 - namespace: manuela-tst-all -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-1 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: 9053bd7786d98f90d46f9d1ddaeaec71b049261c9fed8f4052312a41166d709e - labels: - application: machine-sensor-1 - deploymentConfig: machine-sensor-1 - name: machine-sensor-1 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-1 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-2-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-2 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-2 - namespace: manuela-tst-all -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-2 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: 24255e5e8b8b64eb5287649203406969f812d66ef6edebfa118af87b748e5d72 - labels: - application: machine-sensor-2 - deploymentConfig: machine-sensor-2 - name: machine-sensor-2 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-2 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-tst-all/templates/messaging/messaging-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: messaging - name: messaging -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: messaging - strategy: - type: RollingUpdate - template: - metadata: - labels: - app: messaging - deploymentconfig: messaging - spec: - containers: - - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging:0.3.2 - imagePullPolicy: Always - name: messaging - ports: - - containerPort: 3000 - protocol: TCP - envFrom: - - configMapRef: - name: messaging-configmap - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /health - port: 3000 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /health - port: 3000 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 ---- -# Source: manuela-tst-all/templates/messaging/amq-broker.yaml -apiVersion: broker.amq.io/v2alpha4 -kind: ActiveMQArtemis -metadata: - name: broker-amq-mqtt - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - deploymentPlan: - size: 1 - image: registry.redhat.io/amq7/amq-broker:7.6 - # requireLogin: false - # persistenceEnabled: false - journalType: nio - messageMigration: false - console: - expose: true - acceptors: - - name: all - port: 61616 - expose: true - # - name: amqp - # protocols: amqp - # port: 5672 - # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: localhost - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ - # - name: mqtt - # protocols: mqtt - # port: 1883 - # # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: broker-amq-mqtt - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ ---- -# Source: manuela-tst-all/templates/anomaly-detection/anomaly-detection-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - labels: - application: anomaly-detection - name: anomaly-detection -spec: - lookupPolicy: - local: false - tags: - - name: "0.3.2" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-anomaly-detection:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: line-dashboard - namespace: manuela-tst-all -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-frontend:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: machine-sensor - namespace: manuela-tst-all -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-software-sensor:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/messaging/messaging-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: messaging -spec: - tags: - - name: 0.3.2 - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-consumer:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/development-s3-store/kafka-to-s3-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: kafka-to-s3-integration - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: kafka-to-s3-config - - type: secret - value: s3-secret - profile: OpenShift - sources: - - content: | - // dependency=camel:camel-endpointdsl - package com.redhat.manuela.routes; - import java.io.ByteArrayInputStream; - import java.util.Iterator; - import java.util.List; - - import org.apache.camel.Exchange; - import org.apache.camel.Processor; - import org.apache.camel.PropertyInject; - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.aws2.s3.AWS2S3Constants; - import org.apache.camel.builder.endpoint.dsl.AWS2S3EndpointBuilderFactory; - import org.apache.camel.model.OnCompletionDefinition; - import org.apache.camel.processor.aggregate.GroupedBodyAggregationStrategy; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - public class Kafka2S3Route extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(Kafka2S3Route.class); - - @PropertyInject("s3.custom.endpoint.enabled") - private String s3_custom_endpoint_enabled; - - @PropertyInject("s3.custom.endpoint.url") - private String s3_custom_endpoint_url; - - @PropertyInject("s3.accessKey") - private String s3_accessKey; - @PropertyInject("s3.secretKey") - private String s3_secretKey; - @PropertyInject("s3.message.aggregation.count") - private String s3_message_aggregation_count; - - @PropertyInject("s3.region") - private String s3_region; - @Override - public void configure() throws Exception { - storeTemperatureInS3(); - storeVibrationInS3(); - } - private void storeVibrationInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String s3params = key - + secret - + region; - - from("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-dev-vibration-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded from [ ${headers[kafka.KEY]} ] Vibration dataset to S3"); - } - private void storeTemperatureInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String s3params = key - + secret - + region; - from("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-dev-temperature-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded Temperature from [ ${headers[kafka.KEY]} ] dataset to S3"); - } - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: Kafka2S3Route.java ---- -# Source: manuela-tst-all/templates/messaging-kafka/mqtt2kafka-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: mqtt2kafka-integration - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: mqtt2kafka-config - profile: OpenShift - sources: - - content: | - package com.redhat.manuela.routes; - - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.kafka.KafkaConstants; - import org.apache.camel.model.OnCompletionDefinition; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - - public class MQTT2KafkaRoute extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(MQTT2KafkaRoute.class); - - @Override - public void configure() throws Exception { - storeTemperatureInKafka(); - storeVibrationInKafka(); - //readTemperatureFromKafka(); - //readVibrationFromKafka(); - } - - private void storeTemperatureInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/temperature?brokerUrl=tcp://broker-amq-mqtt-all-0-svc.manuela-tst-all.svc:61616&clientId=MQTT2KafkaRouteDev-temp") - .log("Storing temperature message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - //.setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void storeVibrationInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/vibration?brokerUrl=tcp://broker-amq-mqtt-all-0-svc.manuela-tst-all.svc:61616&clientId=MQTT2KafkaRouteDev-vibr") - .log("Storing vibration message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - // .setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void readTemperatureFromKafka() { - from("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - private void readVibrationFromKafka() { - from("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: MQTT2KafkaRoute.java ---- -# Source: manuela-tst-all/templates/messaging-kafka/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/earlyaccess/all@id=redhat.ea ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: dev-kafka-cluster - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-topic-temperature.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-temperature - labels: - strimzi.io/cluster: dev-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-topic-vibration.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-vibration - labels: - strimzi.io/cluster: dev-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-tst-all/templates/anomaly-detection/iot-anomaly-detection-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: anomaly-detection - labels: - component: serving -spec: - port: - targetPort: http - to: - kind: Service - name: anomaly-detection-predictor-anomaly-detection - tls: - insecureEdgeTerminationPolicy: Allow - termination: edge ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: line-dashboard - name: line-dashboard -spec: - port: - targetPort: 8080-tcp - to: - kind: Service - name: line-dashboard - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-tst-all/templates/messaging/messaging-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: messaging - name: messaging -spec: - port: - targetPort: 3000-tcp - to: - kind: Service - name: messaging - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-tst-all/templates/anomaly-detection/iot-anomaly-detection-seldon.yaml -apiVersion: machinelearning.seldon.io/v1 -kind: SeldonDeployment -metadata: - name: anomaly-detection - labels: - component: serving - annotations: - alpha.image.policy.openshift.io/resolve-names: "*" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - annotations: - deployment_version: "1" - name: anomaly-detection - predictors: - - annotations: - predictor_version: "0.1" - componentSpecs: - - spec: - containers: - - name: anomaly-detection - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection:0.3.2 - imagePullPolicy: Always - env: - - name: MODEL_FIILE - value: "model.joblib" - graph: - endpoint: - type: REST - name: anomaly-detection - type: MODEL - name: predictor - replicas: 1 diff --git a/tests/datacenter-manuela-tst-industrial-edge-hub.expected.yaml b/tests/datacenter-manuela-tst-industrial-edge-hub.expected.yaml deleted file mode 100644 index 7dc410dac..000000000 --- a/tests/datacenter-manuela-tst-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,991 +0,0 @@ ---- -# Source: manuela-tst-all/templates/development-s3-store/kafka-to-s3-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kafka-to-s3-config - namespace: manuela-tst-all -data: - application.properties: | - - kafka.broker.uri=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092 - kafka.broker.topic.temperature=iot-sensor-sw-temperature - kafka.broker.topic.vibration=iot-sensor-sw-vibration - - local.cluster.name=apps.region.example.com - s3.region=AWSREGION - s3.bucket.name=BUCKETNAME - s3.message.aggregation.count=50 - s3.custom.endpoint.enabled=false - # Convert this directory into a helm chart and use templating to set this - s3.custom.endpoint.url=s3-openshift-storage.apps.region.example.com ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-configmap.config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: line-dashboard-configmap - namespace: manuela-tst-all - labels: - app.kubernetes.io/instance: manuela-tst-all -data: - "config.json": |- - { - "websocketHost": "http://messaging-manuela-tst-all.apps.region.example.com", - "websocketPath": "/api/service-web/socket", - "SERVER_TIMEOUT": "20000" - } ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-1-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-1 -data: - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-tst-all.apps.region.example.com - #broker-amq-mqtt-all-0-svc-rte-manuela-tst-all - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc.manuela-tst-all.svc" - #MQTT_PORT: "80" - #MQTT_PORT: "61616" - - - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-1" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - MQTT_PASSWORD: "iotuser" - MQTT_PORT: "61616" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "18" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "15" - SENSOR_VIBRATION_PEAKINTETVAL: "20" ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-2-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-2 -data: - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-2" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - MQTT_PASSWORD: "iotuser" - MQTT_PORT: "61616" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "true" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "true" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "true" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "17" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "12" - SENSOR_VIBRATION_PEAKINTETVAL: "200" ---- -# Source: manuela-tst-all/templates/messaging-kafka/mqtt2kafka-config.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: mqtt2kafka-config - namespace: manuela-tst-all -# DO NOT DELETE. NEEDED BY THE mqtt2kafka-integration SERVICE ---- -# Source: manuela-tst-all/templates/messaging/messaging-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: messaging-configmap -data: - VIBRATION_ALERT_ENABLED: "true" - VIBRATION_ANOMALY_ENABLED: "true" - NODE_TLS_REJECT_UNAUTHORIZED: "0" - MQTT_BROKER: "ws://broker-amq-mqtt-all-0-svc:61616" - MQTT_PASSWORD: "iotuser" - MQTT_USER: "iotuser" - PORT: "3000" - SOCKET_PATH: "/api/service-web/socket" - TEMPERATURE_THRESHOLD: "70.0" - TEMPERATURE_ALERT_ENABLED: "true" - TOPIC_GPS: "iot-sensor/sw/gps" - TOPIC_TEMPERATURE: "iot-sensor/sw/temperature" - TOPIC_VIBRATION: "iot-sensor/sw/vibration" - TOPIC_LIGHT: "iot-sensor/sw/light" - ANOMALY_DETECTION_URL: "http://anomaly-detection-predictor:8000" ---- -# Source: manuela-tst-all/templates/system-image-builder-role-binding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: 'system:image-builder' -subjects: - - kind: ServiceAccount - name: pipeline - namespace: manuela-ci -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'system:image-builder' ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: line-dashboard - name: line-dashboard -spec: - ports: - - name: 8080-tcp - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: line-dashboard - deploymentconfig: line-dashboard - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-tst-all/templates/messaging/messaging-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: messaging - name: messaging -spec: - ports: - - name: 3000-tcp - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: messaging - deploymentconfig: messaging - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: line-dashboard - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: line-dashboard -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentconfig: line-dashboard - template: - metadata: - creationTimestamp: null - labels: - app: line-dashboard - deploymentconfig: line-dashboard - name: line-dashboard - spec: - containers: - - name: line-dashboard - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8080 - name: http - protocol: TCP - volumeMounts: - # the following mountpath is used for images which are based on the HTTPD base images, i.e. built using the CI/CD pipelines - - mountPath: /var/www/html/conf/ - name: line-dashboard-configmap-vol - # the following mountpath is used for images based directly on the NodeJS builder image, i.e. when deploying images built in the iotdemo namespace during quickstart - - mountPath: /opt/app-root/output/conf - name: line-dashboard-configmap-vol - #subPath: config.json - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - volumes: - - name: line-dashboard-configmap-vol - configMap: - defaultMode: 438 - name: line-dashboard-configmap ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-1-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-1 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-1 - namespace: manuela-tst-all -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-1 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: 9053bd7786d98f90d46f9d1ddaeaec71b049261c9fed8f4052312a41166d709e - labels: - application: machine-sensor-1 - deploymentConfig: machine-sensor-1 - name: machine-sensor-1 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-1 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-2-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-2 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-2 - namespace: manuela-tst-all -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-2 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: 24255e5e8b8b64eb5287649203406969f812d66ef6edebfa118af87b748e5d72 - labels: - application: machine-sensor-2 - deploymentConfig: machine-sensor-2 - name: machine-sensor-2 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-2 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-tst-all/templates/messaging/messaging-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: messaging - name: messaging -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: messaging - strategy: - type: RollingUpdate - template: - metadata: - labels: - app: messaging - deploymentconfig: messaging - spec: - containers: - - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging:0.3.2 - imagePullPolicy: Always - name: messaging - ports: - - containerPort: 3000 - protocol: TCP - envFrom: - - configMapRef: - name: messaging-configmap - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /health - port: 3000 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /health - port: 3000 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 ---- -# Source: manuela-tst-all/templates/messaging/amq-broker.yaml -apiVersion: broker.amq.io/v2alpha4 -kind: ActiveMQArtemis -metadata: - name: broker-amq-mqtt - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - deploymentPlan: - size: 1 - image: registry.redhat.io/amq7/amq-broker:7.6 - # requireLogin: false - # persistenceEnabled: false - journalType: nio - messageMigration: false - console: - expose: true - acceptors: - - name: all - port: 61616 - expose: true - # - name: amqp - # protocols: amqp - # port: 5672 - # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: localhost - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ - # - name: mqtt - # protocols: mqtt - # port: 1883 - # # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: broker-amq-mqtt - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ ---- -# Source: manuela-tst-all/templates/anomaly-detection/anomaly-detection-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - labels: - application: anomaly-detection - name: anomaly-detection -spec: - lookupPolicy: - local: false - tags: - - name: "0.3.2" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-anomaly-detection:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: line-dashboard - namespace: manuela-tst-all -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-frontend:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: machine-sensor - namespace: manuela-tst-all -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-software-sensor:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/messaging/messaging-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: messaging -spec: - tags: - - name: 0.3.2 - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-consumer:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/development-s3-store/kafka-to-s3-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: kafka-to-s3-integration - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: kafka-to-s3-config - - type: secret - value: s3-secret - profile: OpenShift - sources: - - content: | - // dependency=camel:camel-endpointdsl - package com.redhat.manuela.routes; - import java.io.ByteArrayInputStream; - import java.util.Iterator; - import java.util.List; - - import org.apache.camel.Exchange; - import org.apache.camel.Processor; - import org.apache.camel.PropertyInject; - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.aws2.s3.AWS2S3Constants; - import org.apache.camel.builder.endpoint.dsl.AWS2S3EndpointBuilderFactory; - import org.apache.camel.model.OnCompletionDefinition; - import org.apache.camel.processor.aggregate.GroupedBodyAggregationStrategy; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - public class Kafka2S3Route extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(Kafka2S3Route.class); - - @PropertyInject("s3.custom.endpoint.enabled") - private String s3_custom_endpoint_enabled; - - @PropertyInject("s3.custom.endpoint.url") - private String s3_custom_endpoint_url; - - @PropertyInject("s3.accessKey") - private String s3_accessKey; - @PropertyInject("s3.secretKey") - private String s3_secretKey; - @PropertyInject("s3.message.aggregation.count") - private String s3_message_aggregation_count; - - @PropertyInject("s3.region") - private String s3_region; - @Override - public void configure() throws Exception { - storeTemperatureInS3(); - storeVibrationInS3(); - } - private void storeVibrationInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String s3params = key - + secret - + region; - - from("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-dev-vibration-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded from [ ${headers[kafka.KEY]} ] Vibration dataset to S3"); - } - private void storeTemperatureInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String s3params = key - + secret - + region; - from("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-dev-temperature-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded Temperature from [ ${headers[kafka.KEY]} ] dataset to S3"); - } - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: Kafka2S3Route.java ---- -# Source: manuela-tst-all/templates/messaging-kafka/mqtt2kafka-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: mqtt2kafka-integration - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: mqtt2kafka-config - profile: OpenShift - sources: - - content: | - package com.redhat.manuela.routes; - - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.kafka.KafkaConstants; - import org.apache.camel.model.OnCompletionDefinition; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - - public class MQTT2KafkaRoute extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(MQTT2KafkaRoute.class); - - @Override - public void configure() throws Exception { - storeTemperatureInKafka(); - storeVibrationInKafka(); - //readTemperatureFromKafka(); - //readVibrationFromKafka(); - } - - private void storeTemperatureInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/temperature?brokerUrl=tcp://broker-amq-mqtt-all-0-svc.manuela-tst-all.svc:61616&clientId=MQTT2KafkaRouteDev-temp") - .log("Storing temperature message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - //.setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void storeVibrationInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/vibration?brokerUrl=tcp://broker-amq-mqtt-all-0-svc.manuela-tst-all.svc:61616&clientId=MQTT2KafkaRouteDev-vibr") - .log("Storing vibration message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - // .setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void readTemperatureFromKafka() { - from("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - private void readVibrationFromKafka() { - from("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: MQTT2KafkaRoute.java ---- -# Source: manuela-tst-all/templates/messaging-kafka/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/earlyaccess/all@id=redhat.ea ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: dev-kafka-cluster - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-topic-temperature.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-temperature - labels: - strimzi.io/cluster: dev-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-topic-vibration.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-vibration - labels: - strimzi.io/cluster: dev-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-tst-all/templates/anomaly-detection/iot-anomaly-detection-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: anomaly-detection - labels: - component: serving -spec: - port: - targetPort: http - to: - kind: Service - name: anomaly-detection-predictor-anomaly-detection - tls: - insecureEdgeTerminationPolicy: Allow - termination: edge ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: line-dashboard - name: line-dashboard -spec: - port: - targetPort: 8080-tcp - to: - kind: Service - name: line-dashboard - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-tst-all/templates/messaging/messaging-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: messaging - name: messaging -spec: - port: - targetPort: 3000-tcp - to: - kind: Service - name: messaging - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-tst-all/templates/anomaly-detection/iot-anomaly-detection-seldon.yaml -apiVersion: machinelearning.seldon.io/v1 -kind: SeldonDeployment -metadata: - name: anomaly-detection - labels: - component: serving - annotations: - alpha.image.policy.openshift.io/resolve-names: "*" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - annotations: - deployment_version: "1" - name: anomaly-detection - predictors: - - annotations: - predictor_version: "0.1" - componentSpecs: - - spec: - containers: - - name: anomaly-detection - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection:0.3.2 - imagePullPolicy: Always - env: - - name: MODEL_FIILE - value: "model.joblib" - graph: - endpoint: - type: REST - name: anomaly-detection - type: MODEL - name: predictor - replicas: 1 diff --git a/tests/datacenter-manuela-tst-medical-diagnosis-hub.expected.yaml b/tests/datacenter-manuela-tst-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 7dc410dac..000000000 --- a/tests/datacenter-manuela-tst-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,991 +0,0 @@ ---- -# Source: manuela-tst-all/templates/development-s3-store/kafka-to-s3-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kafka-to-s3-config - namespace: manuela-tst-all -data: - application.properties: | - - kafka.broker.uri=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092 - kafka.broker.topic.temperature=iot-sensor-sw-temperature - kafka.broker.topic.vibration=iot-sensor-sw-vibration - - local.cluster.name=apps.region.example.com - s3.region=AWSREGION - s3.bucket.name=BUCKETNAME - s3.message.aggregation.count=50 - s3.custom.endpoint.enabled=false - # Convert this directory into a helm chart and use templating to set this - s3.custom.endpoint.url=s3-openshift-storage.apps.region.example.com ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-configmap.config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: line-dashboard-configmap - namespace: manuela-tst-all - labels: - app.kubernetes.io/instance: manuela-tst-all -data: - "config.json": |- - { - "websocketHost": "http://messaging-manuela-tst-all.apps.region.example.com", - "websocketPath": "/api/service-web/socket", - "SERVER_TIMEOUT": "20000" - } ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-1-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-1 -data: - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-tst-all.apps.region.example.com - #broker-amq-mqtt-all-0-svc-rte-manuela-tst-all - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc.manuela-tst-all.svc" - #MQTT_PORT: "80" - #MQTT_PORT: "61616" - - - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-1" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - MQTT_PASSWORD: "iotuser" - MQTT_PORT: "61616" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "18" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "15" - SENSOR_VIBRATION_PEAKINTETVAL: "20" ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-2-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-2 -data: - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-2" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - MQTT_PASSWORD: "iotuser" - MQTT_PORT: "61616" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "true" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "true" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "true" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "17" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "12" - SENSOR_VIBRATION_PEAKINTETVAL: "200" ---- -# Source: manuela-tst-all/templates/messaging-kafka/mqtt2kafka-config.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: mqtt2kafka-config - namespace: manuela-tst-all -# DO NOT DELETE. NEEDED BY THE mqtt2kafka-integration SERVICE ---- -# Source: manuela-tst-all/templates/messaging/messaging-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: messaging-configmap -data: - VIBRATION_ALERT_ENABLED: "true" - VIBRATION_ANOMALY_ENABLED: "true" - NODE_TLS_REJECT_UNAUTHORIZED: "0" - MQTT_BROKER: "ws://broker-amq-mqtt-all-0-svc:61616" - MQTT_PASSWORD: "iotuser" - MQTT_USER: "iotuser" - PORT: "3000" - SOCKET_PATH: "/api/service-web/socket" - TEMPERATURE_THRESHOLD: "70.0" - TEMPERATURE_ALERT_ENABLED: "true" - TOPIC_GPS: "iot-sensor/sw/gps" - TOPIC_TEMPERATURE: "iot-sensor/sw/temperature" - TOPIC_VIBRATION: "iot-sensor/sw/vibration" - TOPIC_LIGHT: "iot-sensor/sw/light" - ANOMALY_DETECTION_URL: "http://anomaly-detection-predictor:8000" ---- -# Source: manuela-tst-all/templates/system-image-builder-role-binding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: 'system:image-builder' -subjects: - - kind: ServiceAccount - name: pipeline - namespace: manuela-ci -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'system:image-builder' ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: line-dashboard - name: line-dashboard -spec: - ports: - - name: 8080-tcp - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: line-dashboard - deploymentconfig: line-dashboard - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-tst-all/templates/messaging/messaging-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: messaging - name: messaging -spec: - ports: - - name: 3000-tcp - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: messaging - deploymentconfig: messaging - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: line-dashboard - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: line-dashboard -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentconfig: line-dashboard - template: - metadata: - creationTimestamp: null - labels: - app: line-dashboard - deploymentconfig: line-dashboard - name: line-dashboard - spec: - containers: - - name: line-dashboard - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8080 - name: http - protocol: TCP - volumeMounts: - # the following mountpath is used for images which are based on the HTTPD base images, i.e. built using the CI/CD pipelines - - mountPath: /var/www/html/conf/ - name: line-dashboard-configmap-vol - # the following mountpath is used for images based directly on the NodeJS builder image, i.e. when deploying images built in the iotdemo namespace during quickstart - - mountPath: /opt/app-root/output/conf - name: line-dashboard-configmap-vol - #subPath: config.json - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - volumes: - - name: line-dashboard-configmap-vol - configMap: - defaultMode: 438 - name: line-dashboard-configmap ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-1-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-1 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-1 - namespace: manuela-tst-all -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-1 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: 9053bd7786d98f90d46f9d1ddaeaec71b049261c9fed8f4052312a41166d709e - labels: - application: machine-sensor-1 - deploymentConfig: machine-sensor-1 - name: machine-sensor-1 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-1 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-2-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-2 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-2 - namespace: manuela-tst-all -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-2 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: 24255e5e8b8b64eb5287649203406969f812d66ef6edebfa118af87b748e5d72 - labels: - application: machine-sensor-2 - deploymentConfig: machine-sensor-2 - name: machine-sensor-2 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-2 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-tst-all/templates/messaging/messaging-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: messaging - name: messaging -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: messaging - strategy: - type: RollingUpdate - template: - metadata: - labels: - app: messaging - deploymentconfig: messaging - spec: - containers: - - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging:0.3.2 - imagePullPolicy: Always - name: messaging - ports: - - containerPort: 3000 - protocol: TCP - envFrom: - - configMapRef: - name: messaging-configmap - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /health - port: 3000 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /health - port: 3000 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 ---- -# Source: manuela-tst-all/templates/messaging/amq-broker.yaml -apiVersion: broker.amq.io/v2alpha4 -kind: ActiveMQArtemis -metadata: - name: broker-amq-mqtt - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - deploymentPlan: - size: 1 - image: registry.redhat.io/amq7/amq-broker:7.6 - # requireLogin: false - # persistenceEnabled: false - journalType: nio - messageMigration: false - console: - expose: true - acceptors: - - name: all - port: 61616 - expose: true - # - name: amqp - # protocols: amqp - # port: 5672 - # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: localhost - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ - # - name: mqtt - # protocols: mqtt - # port: 1883 - # # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: broker-amq-mqtt - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ ---- -# Source: manuela-tst-all/templates/anomaly-detection/anomaly-detection-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - labels: - application: anomaly-detection - name: anomaly-detection -spec: - lookupPolicy: - local: false - tags: - - name: "0.3.2" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-anomaly-detection:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: line-dashboard - namespace: manuela-tst-all -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-frontend:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: machine-sensor - namespace: manuela-tst-all -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-software-sensor:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/messaging/messaging-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: messaging -spec: - tags: - - name: 0.3.2 - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-consumer:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/development-s3-store/kafka-to-s3-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: kafka-to-s3-integration - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: kafka-to-s3-config - - type: secret - value: s3-secret - profile: OpenShift - sources: - - content: | - // dependency=camel:camel-endpointdsl - package com.redhat.manuela.routes; - import java.io.ByteArrayInputStream; - import java.util.Iterator; - import java.util.List; - - import org.apache.camel.Exchange; - import org.apache.camel.Processor; - import org.apache.camel.PropertyInject; - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.aws2.s3.AWS2S3Constants; - import org.apache.camel.builder.endpoint.dsl.AWS2S3EndpointBuilderFactory; - import org.apache.camel.model.OnCompletionDefinition; - import org.apache.camel.processor.aggregate.GroupedBodyAggregationStrategy; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - public class Kafka2S3Route extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(Kafka2S3Route.class); - - @PropertyInject("s3.custom.endpoint.enabled") - private String s3_custom_endpoint_enabled; - - @PropertyInject("s3.custom.endpoint.url") - private String s3_custom_endpoint_url; - - @PropertyInject("s3.accessKey") - private String s3_accessKey; - @PropertyInject("s3.secretKey") - private String s3_secretKey; - @PropertyInject("s3.message.aggregation.count") - private String s3_message_aggregation_count; - - @PropertyInject("s3.region") - private String s3_region; - @Override - public void configure() throws Exception { - storeTemperatureInS3(); - storeVibrationInS3(); - } - private void storeVibrationInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String s3params = key - + secret - + region; - - from("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-dev-vibration-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded from [ ${headers[kafka.KEY]} ] Vibration dataset to S3"); - } - private void storeTemperatureInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String s3params = key - + secret - + region; - from("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-dev-temperature-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded Temperature from [ ${headers[kafka.KEY]} ] dataset to S3"); - } - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: Kafka2S3Route.java ---- -# Source: manuela-tst-all/templates/messaging-kafka/mqtt2kafka-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: mqtt2kafka-integration - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: mqtt2kafka-config - profile: OpenShift - sources: - - content: | - package com.redhat.manuela.routes; - - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.kafka.KafkaConstants; - import org.apache.camel.model.OnCompletionDefinition; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - - public class MQTT2KafkaRoute extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(MQTT2KafkaRoute.class); - - @Override - public void configure() throws Exception { - storeTemperatureInKafka(); - storeVibrationInKafka(); - //readTemperatureFromKafka(); - //readVibrationFromKafka(); - } - - private void storeTemperatureInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/temperature?brokerUrl=tcp://broker-amq-mqtt-all-0-svc.manuela-tst-all.svc:61616&clientId=MQTT2KafkaRouteDev-temp") - .log("Storing temperature message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - //.setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void storeVibrationInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/vibration?brokerUrl=tcp://broker-amq-mqtt-all-0-svc.manuela-tst-all.svc:61616&clientId=MQTT2KafkaRouteDev-vibr") - .log("Storing vibration message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - // .setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void readTemperatureFromKafka() { - from("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - private void readVibrationFromKafka() { - from("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: MQTT2KafkaRoute.java ---- -# Source: manuela-tst-all/templates/messaging-kafka/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/earlyaccess/all@id=redhat.ea ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: dev-kafka-cluster - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-topic-temperature.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-temperature - labels: - strimzi.io/cluster: dev-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-topic-vibration.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-vibration - labels: - strimzi.io/cluster: dev-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-tst-all/templates/anomaly-detection/iot-anomaly-detection-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: anomaly-detection - labels: - component: serving -spec: - port: - targetPort: http - to: - kind: Service - name: anomaly-detection-predictor-anomaly-detection - tls: - insecureEdgeTerminationPolicy: Allow - termination: edge ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: line-dashboard - name: line-dashboard -spec: - port: - targetPort: 8080-tcp - to: - kind: Service - name: line-dashboard - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-tst-all/templates/messaging/messaging-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: messaging - name: messaging -spec: - port: - targetPort: 3000-tcp - to: - kind: Service - name: messaging - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-tst-all/templates/anomaly-detection/iot-anomaly-detection-seldon.yaml -apiVersion: machinelearning.seldon.io/v1 -kind: SeldonDeployment -metadata: - name: anomaly-detection - labels: - component: serving - annotations: - alpha.image.policy.openshift.io/resolve-names: "*" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - annotations: - deployment_version: "1" - name: anomaly-detection - predictors: - - annotations: - predictor_version: "0.1" - componentSpecs: - - spec: - containers: - - name: anomaly-detection - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection:0.3.2 - imagePullPolicy: Always - env: - - name: MODEL_FIILE - value: "model.joblib" - graph: - endpoint: - type: REST - name: anomaly-detection - type: MODEL - name: predictor - replicas: 1 diff --git a/tests/datacenter-manuela-tst-naked.expected.yaml b/tests/datacenter-manuela-tst-naked.expected.yaml deleted file mode 100644 index 31a7bc174..000000000 --- a/tests/datacenter-manuela-tst-naked.expected.yaml +++ /dev/null @@ -1,991 +0,0 @@ ---- -# Source: manuela-tst-all/templates/development-s3-store/kafka-to-s3-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kafka-to-s3-config - namespace: manuela-tst-all -data: - application.properties: | - - kafka.broker.uri=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092 - kafka.broker.topic.temperature=iot-sensor-sw-temperature - kafka.broker.topic.vibration=iot-sensor-sw-vibration - - local.cluster.name= - s3.region=AWSREGION - s3.bucket.name=BUCKETNAME - s3.message.aggregation.count=50 - s3.custom.endpoint.enabled=false - # Convert this directory into a helm chart and use templating to set this - s3.custom.endpoint.url=s3-openshift-storage. ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-configmap.config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: line-dashboard-configmap - namespace: manuela-tst-all - labels: - app.kubernetes.io/instance: manuela-tst-all -data: - "config.json": |- - { - "websocketHost": "http://messaging-manuela-tst-all.", - "websocketPath": "/api/service-web/socket", - "SERVER_TIMEOUT": "20000" - } ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-1-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-1 -data: - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-tst-all. - #broker-amq-mqtt-all-0-svc-rte-manuela-tst-all - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc.manuela-tst-all.svc" - #MQTT_PORT: "80" - #MQTT_PORT: "61616" - - - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-1" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - MQTT_PASSWORD: "iotuser" - MQTT_PORT: "61616" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "18" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "15" - SENSOR_VIBRATION_PEAKINTETVAL: "20" ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-2-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-2 -data: - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-2" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - MQTT_PASSWORD: "iotuser" - MQTT_PORT: "61616" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "true" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "true" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "true" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "17" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "12" - SENSOR_VIBRATION_PEAKINTETVAL: "200" ---- -# Source: manuela-tst-all/templates/messaging-kafka/mqtt2kafka-config.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: mqtt2kafka-config - namespace: manuela-tst-all -# DO NOT DELETE. NEEDED BY THE mqtt2kafka-integration SERVICE ---- -# Source: manuela-tst-all/templates/messaging/messaging-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: messaging-configmap -data: - VIBRATION_ALERT_ENABLED: "true" - VIBRATION_ANOMALY_ENABLED: "true" - NODE_TLS_REJECT_UNAUTHORIZED: "0" - MQTT_BROKER: "ws://broker-amq-mqtt-all-0-svc:61616" - MQTT_PASSWORD: "iotuser" - MQTT_USER: "iotuser" - PORT: "3000" - SOCKET_PATH: "/api/service-web/socket" - TEMPERATURE_THRESHOLD: "70.0" - TEMPERATURE_ALERT_ENABLED: "true" - TOPIC_GPS: "iot-sensor/sw/gps" - TOPIC_TEMPERATURE: "iot-sensor/sw/temperature" - TOPIC_VIBRATION: "iot-sensor/sw/vibration" - TOPIC_LIGHT: "iot-sensor/sw/light" - ANOMALY_DETECTION_URL: "http://anomaly-detection-predictor:8000" ---- -# Source: manuela-tst-all/templates/system-image-builder-role-binding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: 'system:image-builder' -subjects: - - kind: ServiceAccount - name: pipeline - namespace: manuela-ci -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'system:image-builder' ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: line-dashboard - name: line-dashboard -spec: - ports: - - name: 8080-tcp - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: line-dashboard - deploymentconfig: line-dashboard - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-tst-all/templates/messaging/messaging-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: messaging - name: messaging -spec: - ports: - - name: 3000-tcp - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: messaging - deploymentconfig: messaging - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: line-dashboard - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: line-dashboard -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentconfig: line-dashboard - template: - metadata: - creationTimestamp: null - labels: - app: line-dashboard - deploymentconfig: line-dashboard - name: line-dashboard - spec: - containers: - - name: line-dashboard - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8080 - name: http - protocol: TCP - volumeMounts: - # the following mountpath is used for images which are based on the HTTPD base images, i.e. built using the CI/CD pipelines - - mountPath: /var/www/html/conf/ - name: line-dashboard-configmap-vol - # the following mountpath is used for images based directly on the NodeJS builder image, i.e. when deploying images built in the iotdemo namespace during quickstart - - mountPath: /opt/app-root/output/conf - name: line-dashboard-configmap-vol - #subPath: config.json - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - volumes: - - name: line-dashboard-configmap-vol - configMap: - defaultMode: 438 - name: line-dashboard-configmap ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-1-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-1 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-1 - namespace: manuela-tst-all -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-1 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: 27ea9f8a7f8aae2024eda0ee1530f2d792cea16467349e59da9af589c0e1f1fa - labels: - application: machine-sensor-1 - deploymentConfig: machine-sensor-1 - name: machine-sensor-1 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-1 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-2-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-2 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-2 - namespace: manuela-tst-all -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-2 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: 24255e5e8b8b64eb5287649203406969f812d66ef6edebfa118af87b748e5d72 - labels: - application: machine-sensor-2 - deploymentConfig: machine-sensor-2 - name: machine-sensor-2 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-2 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-tst-all/templates/messaging/messaging-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: messaging - name: messaging -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: messaging - strategy: - type: RollingUpdate - template: - metadata: - labels: - app: messaging - deploymentconfig: messaging - spec: - containers: - - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging:0.3.2 - imagePullPolicy: Always - name: messaging - ports: - - containerPort: 3000 - protocol: TCP - envFrom: - - configMapRef: - name: messaging-configmap - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /health - port: 3000 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /health - port: 3000 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 ---- -# Source: manuela-tst-all/templates/messaging/amq-broker.yaml -apiVersion: broker.amq.io/v2alpha4 -kind: ActiveMQArtemis -metadata: - name: broker-amq-mqtt - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - deploymentPlan: - size: 1 - image: registry.redhat.io/amq7/amq-broker:7.6 - # requireLogin: false - # persistenceEnabled: false - journalType: nio - messageMigration: false - console: - expose: true - acceptors: - - name: all - port: 61616 - expose: true - # - name: amqp - # protocols: amqp - # port: 5672 - # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: localhost - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ - # - name: mqtt - # protocols: mqtt - # port: 1883 - # # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: broker-amq-mqtt - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ ---- -# Source: manuela-tst-all/templates/anomaly-detection/anomaly-detection-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - labels: - application: anomaly-detection - name: anomaly-detection -spec: - lookupPolicy: - local: false - tags: - - name: "0.3.2" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-anomaly-detection:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: line-dashboard - namespace: manuela-tst-all -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-frontend:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: machine-sensor - namespace: manuela-tst-all -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-software-sensor:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/messaging/messaging-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: messaging -spec: - tags: - - name: 0.3.2 - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-consumer:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/development-s3-store/kafka-to-s3-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: kafka-to-s3-integration - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: kafka-to-s3-config - - type: secret - value: s3-secret - profile: OpenShift - sources: - - content: | - // dependency=camel:camel-endpointdsl - package com.redhat.manuela.routes; - import java.io.ByteArrayInputStream; - import java.util.Iterator; - import java.util.List; - - import org.apache.camel.Exchange; - import org.apache.camel.Processor; - import org.apache.camel.PropertyInject; - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.aws2.s3.AWS2S3Constants; - import org.apache.camel.builder.endpoint.dsl.AWS2S3EndpointBuilderFactory; - import org.apache.camel.model.OnCompletionDefinition; - import org.apache.camel.processor.aggregate.GroupedBodyAggregationStrategy; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - public class Kafka2S3Route extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(Kafka2S3Route.class); - - @PropertyInject("s3.custom.endpoint.enabled") - private String s3_custom_endpoint_enabled; - - @PropertyInject("s3.custom.endpoint.url") - private String s3_custom_endpoint_url; - - @PropertyInject("s3.accessKey") - private String s3_accessKey; - @PropertyInject("s3.secretKey") - private String s3_secretKey; - @PropertyInject("s3.message.aggregation.count") - private String s3_message_aggregation_count; - - @PropertyInject("s3.region") - private String s3_region; - @Override - public void configure() throws Exception { - storeTemperatureInS3(); - storeVibrationInS3(); - } - private void storeVibrationInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String s3params = key - + secret - + region; - - from("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-dev-vibration-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded from [ ${headers[kafka.KEY]} ] Vibration dataset to S3"); - } - private void storeTemperatureInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String s3params = key - + secret - + region; - from("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-dev-temperature-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded Temperature from [ ${headers[kafka.KEY]} ] dataset to S3"); - } - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: Kafka2S3Route.java ---- -# Source: manuela-tst-all/templates/messaging-kafka/mqtt2kafka-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: mqtt2kafka-integration - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: mqtt2kafka-config - profile: OpenShift - sources: - - content: | - package com.redhat.manuela.routes; - - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.kafka.KafkaConstants; - import org.apache.camel.model.OnCompletionDefinition; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - - public class MQTT2KafkaRoute extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(MQTT2KafkaRoute.class); - - @Override - public void configure() throws Exception { - storeTemperatureInKafka(); - storeVibrationInKafka(); - //readTemperatureFromKafka(); - //readVibrationFromKafka(); - } - - private void storeTemperatureInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = ""; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/temperature?brokerUrl=tcp://broker-amq-mqtt-all-0-svc.manuela-tst-all.svc:61616&clientId=MQTT2KafkaRouteDev-temp") - .log("Storing temperature message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - //.setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void storeVibrationInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = ""; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/vibration?brokerUrl=tcp://broker-amq-mqtt-all-0-svc.manuela-tst-all.svc:61616&clientId=MQTT2KafkaRouteDev-vibr") - .log("Storing vibration message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - // .setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void readTemperatureFromKafka() { - from("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - private void readVibrationFromKafka() { - from("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: MQTT2KafkaRoute.java ---- -# Source: manuela-tst-all/templates/messaging-kafka/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/earlyaccess/all@id=redhat.ea ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: dev-kafka-cluster - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-topic-temperature.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-temperature - labels: - strimzi.io/cluster: dev-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-topic-vibration.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-vibration - labels: - strimzi.io/cluster: dev-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-tst-all/templates/anomaly-detection/iot-anomaly-detection-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: anomaly-detection - labels: - component: serving -spec: - port: - targetPort: http - to: - kind: Service - name: anomaly-detection-predictor-anomaly-detection - tls: - insecureEdgeTerminationPolicy: Allow - termination: edge ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: line-dashboard - name: line-dashboard -spec: - port: - targetPort: 8080-tcp - to: - kind: Service - name: line-dashboard - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-tst-all/templates/messaging/messaging-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: messaging - name: messaging -spec: - port: - targetPort: 3000-tcp - to: - kind: Service - name: messaging - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-tst-all/templates/anomaly-detection/iot-anomaly-detection-seldon.yaml -apiVersion: machinelearning.seldon.io/v1 -kind: SeldonDeployment -metadata: - name: anomaly-detection - labels: - component: serving - annotations: - alpha.image.policy.openshift.io/resolve-names: "*" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - annotations: - deployment_version: "1" - name: anomaly-detection - predictors: - - annotations: - predictor_version: "0.1" - componentSpecs: - - spec: - containers: - - name: anomaly-detection - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection:0.3.2 - imagePullPolicy: Always - env: - - name: MODEL_FIILE - value: "model.joblib" - graph: - endpoint: - type: REST - name: anomaly-detection - type: MODEL - name: predictor - replicas: 1 diff --git a/tests/datacenter-manuela-tst-normal.expected.yaml b/tests/datacenter-manuela-tst-normal.expected.yaml deleted file mode 100644 index 7dc410dac..000000000 --- a/tests/datacenter-manuela-tst-normal.expected.yaml +++ /dev/null @@ -1,991 +0,0 @@ ---- -# Source: manuela-tst-all/templates/development-s3-store/kafka-to-s3-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kafka-to-s3-config - namespace: manuela-tst-all -data: - application.properties: | - - kafka.broker.uri=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092 - kafka.broker.topic.temperature=iot-sensor-sw-temperature - kafka.broker.topic.vibration=iot-sensor-sw-vibration - - local.cluster.name=apps.region.example.com - s3.region=AWSREGION - s3.bucket.name=BUCKETNAME - s3.message.aggregation.count=50 - s3.custom.endpoint.enabled=false - # Convert this directory into a helm chart and use templating to set this - s3.custom.endpoint.url=s3-openshift-storage.apps.region.example.com ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-configmap.config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: line-dashboard-configmap - namespace: manuela-tst-all - labels: - app.kubernetes.io/instance: manuela-tst-all -data: - "config.json": |- - { - "websocketHost": "http://messaging-manuela-tst-all.apps.region.example.com", - "websocketPath": "/api/service-web/socket", - "SERVER_TIMEOUT": "20000" - } ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-1-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-1 -data: - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-tst-all.apps.region.example.com - #broker-amq-mqtt-all-0-svc-rte-manuela-tst-all - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - #MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc.manuela-tst-all.svc" - #MQTT_PORT: "80" - #MQTT_PORT: "61616" - - - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-1" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - MQTT_PASSWORD: "iotuser" - MQTT_PORT: "61616" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "18" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "15" - SENSOR_VIBRATION_PEAKINTETVAL: "20" ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-2-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-2 -data: - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-2" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc" - MQTT_PASSWORD: "iotuser" - MQTT_PORT: "61616" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "true" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "true" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "true" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "17" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "12" - SENSOR_VIBRATION_PEAKINTETVAL: "200" ---- -# Source: manuela-tst-all/templates/messaging-kafka/mqtt2kafka-config.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: mqtt2kafka-config - namespace: manuela-tst-all -# DO NOT DELETE. NEEDED BY THE mqtt2kafka-integration SERVICE ---- -# Source: manuela-tst-all/templates/messaging/messaging-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: messaging-configmap -data: - VIBRATION_ALERT_ENABLED: "true" - VIBRATION_ANOMALY_ENABLED: "true" - NODE_TLS_REJECT_UNAUTHORIZED: "0" - MQTT_BROKER: "ws://broker-amq-mqtt-all-0-svc:61616" - MQTT_PASSWORD: "iotuser" - MQTT_USER: "iotuser" - PORT: "3000" - SOCKET_PATH: "/api/service-web/socket" - TEMPERATURE_THRESHOLD: "70.0" - TEMPERATURE_ALERT_ENABLED: "true" - TOPIC_GPS: "iot-sensor/sw/gps" - TOPIC_TEMPERATURE: "iot-sensor/sw/temperature" - TOPIC_VIBRATION: "iot-sensor/sw/vibration" - TOPIC_LIGHT: "iot-sensor/sw/light" - ANOMALY_DETECTION_URL: "http://anomaly-detection-predictor:8000" ---- -# Source: manuela-tst-all/templates/system-image-builder-role-binding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: 'system:image-builder' -subjects: - - kind: ServiceAccount - name: pipeline - namespace: manuela-ci -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'system:image-builder' ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: line-dashboard - name: line-dashboard -spec: - ports: - - name: 8080-tcp - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: line-dashboard - deploymentconfig: line-dashboard - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-tst-all/templates/messaging/messaging-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: messaging - name: messaging -spec: - ports: - - name: 3000-tcp - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: messaging - deploymentconfig: messaging - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: line-dashboard - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: line-dashboard -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentconfig: line-dashboard - template: - metadata: - creationTimestamp: null - labels: - app: line-dashboard - deploymentconfig: line-dashboard - name: line-dashboard - spec: - containers: - - name: line-dashboard - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8080 - name: http - protocol: TCP - volumeMounts: - # the following mountpath is used for images which are based on the HTTPD base images, i.e. built using the CI/CD pipelines - - mountPath: /var/www/html/conf/ - name: line-dashboard-configmap-vol - # the following mountpath is used for images based directly on the NodeJS builder image, i.e. when deploying images built in the iotdemo namespace during quickstart - - mountPath: /opt/app-root/output/conf - name: line-dashboard-configmap-vol - #subPath: config.json - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - volumes: - - name: line-dashboard-configmap-vol - configMap: - defaultMode: 438 - name: line-dashboard-configmap ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-1-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-1 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-1 - namespace: manuela-tst-all -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-1 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: 9053bd7786d98f90d46f9d1ddaeaec71b049261c9fed8f4052312a41166d709e - labels: - application: machine-sensor-1 - deploymentConfig: machine-sensor-1 - name: machine-sensor-1 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-1 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-2-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-2 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-2 - namespace: manuela-tst-all -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-2 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: 24255e5e8b8b64eb5287649203406969f812d66ef6edebfa118af87b748e5d72 - labels: - application: machine-sensor-2 - deploymentConfig: machine-sensor-2 - name: machine-sensor-2 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-2 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-tst-all/templates/messaging/messaging-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: messaging - name: messaging -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: messaging - strategy: - type: RollingUpdate - template: - metadata: - labels: - app: messaging - deploymentconfig: messaging - spec: - containers: - - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging:0.3.2 - imagePullPolicy: Always - name: messaging - ports: - - containerPort: 3000 - protocol: TCP - envFrom: - - configMapRef: - name: messaging-configmap - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /health - port: 3000 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /health - port: 3000 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 ---- -# Source: manuela-tst-all/templates/messaging/amq-broker.yaml -apiVersion: broker.amq.io/v2alpha4 -kind: ActiveMQArtemis -metadata: - name: broker-amq-mqtt - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - deploymentPlan: - size: 1 - image: registry.redhat.io/amq7/amq-broker:7.6 - # requireLogin: false - # persistenceEnabled: false - journalType: nio - messageMigration: false - console: - expose: true - acceptors: - - name: all - port: 61616 - expose: true - # - name: amqp - # protocols: amqp - # port: 5672 - # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: localhost - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ - # - name: mqtt - # protocols: mqtt - # port: 1883 - # # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: broker-amq-mqtt - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ ---- -# Source: manuela-tst-all/templates/anomaly-detection/anomaly-detection-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - labels: - application: anomaly-detection - name: anomaly-detection -spec: - lookupPolicy: - local: false - tags: - - name: "0.3.2" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-anomaly-detection:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: line-dashboard - namespace: manuela-tst-all -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-frontend:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/machine-sensor/machine-sensor-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: machine-sensor - namespace: manuela-tst-all -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-software-sensor:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/messaging/messaging-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: messaging -spec: - tags: - - name: 0.3.2 - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-consumer:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-tst-all/templates/development-s3-store/kafka-to-s3-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: kafka-to-s3-integration - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: kafka-to-s3-config - - type: secret - value: s3-secret - profile: OpenShift - sources: - - content: | - // dependency=camel:camel-endpointdsl - package com.redhat.manuela.routes; - import java.io.ByteArrayInputStream; - import java.util.Iterator; - import java.util.List; - - import org.apache.camel.Exchange; - import org.apache.camel.Processor; - import org.apache.camel.PropertyInject; - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.aws2.s3.AWS2S3Constants; - import org.apache.camel.builder.endpoint.dsl.AWS2S3EndpointBuilderFactory; - import org.apache.camel.model.OnCompletionDefinition; - import org.apache.camel.processor.aggregate.GroupedBodyAggregationStrategy; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - public class Kafka2S3Route extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(Kafka2S3Route.class); - - @PropertyInject("s3.custom.endpoint.enabled") - private String s3_custom_endpoint_enabled; - - @PropertyInject("s3.custom.endpoint.url") - private String s3_custom_endpoint_url; - - @PropertyInject("s3.accessKey") - private String s3_accessKey; - @PropertyInject("s3.secretKey") - private String s3_secretKey; - @PropertyInject("s3.message.aggregation.count") - private String s3_message_aggregation_count; - - @PropertyInject("s3.region") - private String s3_region; - @Override - public void configure() throws Exception { - storeTemperatureInS3(); - storeVibrationInS3(); - } - private void storeVibrationInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String s3params = key - + secret - + region; - - from("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-dev-vibration-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded from [ ${headers[kafka.KEY]} ] Vibration dataset to S3"); - } - private void storeTemperatureInS3() { - String key = "accessKey=RAW(" + s3_accessKey + ")"; - String secret = "&secretKey=RAW(" + s3_secretKey + ")"; - String region = "®ion=" + s3_region; - String s3params = key - + secret - + region; - from("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .convertBodyTo(String.class) - .aggregate(simple("true"), new GroupedBodyAggregationStrategy()).completionSize(s3_message_aggregation_count) - .process(new Processor() { - @Override - public void process(Exchange exchange) throws Exception { - List data = exchange.getIn().getBody(List.class); - StringBuffer sb = new StringBuffer(); - for (Iterator iterator = data.iterator(); iterator.hasNext();) { - String ex = (String) iterator.next(); - sb.append(ex+"\n"); - } - exchange.getIn().setBody(new ByteArrayInputStream(sb.toString().getBytes())); - } - }) - // .to(\"file:/var/tmp/\"); - .setHeader(AWS2S3Constants.KEY, simple("manuela-dev-temperature-${headers[kafka.KEY]}-${date:now}.txt")) - .to("aws2-s3://BUCKETNAME?" + s3params) - .log("Uploaded Temperature from [ ${headers[kafka.KEY]} ] dataset to S3"); - } - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: Kafka2S3Route.java ---- -# Source: manuela-tst-all/templates/messaging-kafka/mqtt2kafka-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: mqtt2kafka-integration - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: mqtt2kafka-config - profile: OpenShift - sources: - - content: | - package com.redhat.manuela.routes; - - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.kafka.KafkaConstants; - import org.apache.camel.model.OnCompletionDefinition; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - - public class MQTT2KafkaRoute extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(MQTT2KafkaRoute.class); - - @Override - public void configure() throws Exception { - storeTemperatureInKafka(); - storeVibrationInKafka(); - //readTemperatureFromKafka(); - //readVibrationFromKafka(); - } - - private void storeTemperatureInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/temperature?brokerUrl=tcp://broker-amq-mqtt-all-0-svc.manuela-tst-all.svc:61616&clientId=MQTT2KafkaRouteDev-temp") - .log("Storing temperature message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - //.setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void storeVibrationInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/vibration?brokerUrl=tcp://broker-amq-mqtt-all-0-svc.manuela-tst-all.svc:61616&clientId=MQTT2KafkaRouteDev-vibr") - .log("Storing vibration message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - // .setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void readTemperatureFromKafka() { - from("kafka:iot-sensor-sw-temperature?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - private void readVibrationFromKafka() { - from("kafka:iot-sensor-sw-vibration?brokers=dev-kafka-cluster-kafka-bootstrap.manuela-tst-all.svc:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: MQTT2KafkaRoute.java ---- -# Source: manuela-tst-all/templates/messaging-kafka/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/earlyaccess/all@id=redhat.ea ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: dev-kafka-cluster - namespace: manuela-tst-all - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-topic-temperature.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-temperature - labels: - strimzi.io/cluster: dev-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-tst-all/templates/messaging-kafka/kafka-topic-vibration.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-vibration - labels: - strimzi.io/cluster: dev-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-tst-all/templates/anomaly-detection/iot-anomaly-detection-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: anomaly-detection - labels: - component: serving -spec: - port: - targetPort: http - to: - kind: Service - name: anomaly-detection-predictor-anomaly-detection - tls: - insecureEdgeTerminationPolicy: Allow - termination: edge ---- -# Source: manuela-tst-all/templates/line-dashboard/line-dashboard-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: line-dashboard - name: line-dashboard -spec: - port: - targetPort: 8080-tcp - to: - kind: Service - name: line-dashboard - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-tst-all/templates/messaging/messaging-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: messaging - name: messaging -spec: - port: - targetPort: 3000-tcp - to: - kind: Service - name: messaging - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-tst-all/templates/anomaly-detection/iot-anomaly-detection-seldon.yaml -apiVersion: machinelearning.seldon.io/v1 -kind: SeldonDeployment -metadata: - name: anomaly-detection - labels: - component: serving - annotations: - alpha.image.policy.openshift.io/resolve-names: "*" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - annotations: - deployment_version: "1" - name: anomaly-detection - predictors: - - annotations: - predictor_version: "0.1" - componentSpecs: - - spec: - containers: - - name: anomaly-detection - image: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection:0.3.2 - imagePullPolicy: Always - env: - - name: MODEL_FIILE - value: "model.joblib" - graph: - endpoint: - type: REST - name: anomaly-detection - type: MODEL - name: predictor - replicas: 1 diff --git a/tests/datacenter-opendatahub-industrial-edge-factory.expected.yaml b/tests/datacenter-opendatahub-industrial-edge-factory.expected.yaml deleted file mode 100644 index 543a128d7..000000000 --- a/tests/datacenter-opendatahub-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,128 +0,0 @@ ---- -# Source: opendatahub/templates/manuela-admin-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-team -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-dev ---- -# Source: opendatahub/templates/manuela-view-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: view -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: view -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-ops ---- -# Source: opendatahub/templates/odh-kfdef.yaml -apiVersion: kfdef.apps.kubeflow.org/v1 -kind: KfDef -metadata: - finalizers: - - kfdef-finalizer.kfdef.apps.kubeflow.org - name: opendatahub -spec: - applications: - - kustomizeConfig: - repoRef: - name: manifests - path: odh-common - name: odh-common - - kustomizeConfig: - overlays: - - authentication - repoRef: - name: manifests - path: odh-dashboard - name: odh-dashboard - - kustomizeConfig: - repoRef: - name: manifests - path: odh-notebook-controller - name: odh-notebook-controller - - kustomizeConfig: - overlays: - - odh-model-controller - repoRef: - name: manifests - path: model-mesh - name: model-mesh - - kustomizeConfig: - overlays: - - metadata-store-mariadb - - ds-pipeline-ui - - object-store-minio - - default-configs - repoRef: - name: manifests - path: data-science-pipelines - name: ds-pipelines - - kustomizeConfig: - repoRef: - name: manifests - path: grafana/cluster - name: grafana-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: grafana/grafana - name: grafana-instance - - kustomizeConfig: - repoRef: - name: manifests - path: prometheus/cluster - name: prometheus-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: prometheus/operator - name: prometheus-operator - - kustomizeConfig: - overlays: - - additional - repoRef: - name: manifests - path: jupyterhub/notebook-images - name: notebook-images - repos: - - name: manifests - uri: https://github.com/opendatahub-io/odh-manifests/tarball/v1.4 - version: v1.4.0 ---- -# Source: opendatahub/templates/odh-dashboard.yaml -apiVersion: opendatahub.io/v1alpha -kind: OdhDashboardConfig -metadata: - name: odh-dashboard-config - namespace: manuela-ml-workspace -spec: - dashboardConfig: - disableBYONImageStream: false - disableClusterManager: false - disableISVBadges: false - disableInfo: false - disableSupport: false - disableTracking: false - disableUserManagement: false - enablement: true - groupsConfig: - adminGroups: odh-admins - allowedGroups: 'system:authenticated' - notebookController: - enabled: true diff --git a/tests/datacenter-opendatahub-industrial-edge-hub.expected.yaml b/tests/datacenter-opendatahub-industrial-edge-hub.expected.yaml deleted file mode 100644 index 543a128d7..000000000 --- a/tests/datacenter-opendatahub-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,128 +0,0 @@ ---- -# Source: opendatahub/templates/manuela-admin-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-team -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-dev ---- -# Source: opendatahub/templates/manuela-view-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: view -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: view -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-ops ---- -# Source: opendatahub/templates/odh-kfdef.yaml -apiVersion: kfdef.apps.kubeflow.org/v1 -kind: KfDef -metadata: - finalizers: - - kfdef-finalizer.kfdef.apps.kubeflow.org - name: opendatahub -spec: - applications: - - kustomizeConfig: - repoRef: - name: manifests - path: odh-common - name: odh-common - - kustomizeConfig: - overlays: - - authentication - repoRef: - name: manifests - path: odh-dashboard - name: odh-dashboard - - kustomizeConfig: - repoRef: - name: manifests - path: odh-notebook-controller - name: odh-notebook-controller - - kustomizeConfig: - overlays: - - odh-model-controller - repoRef: - name: manifests - path: model-mesh - name: model-mesh - - kustomizeConfig: - overlays: - - metadata-store-mariadb - - ds-pipeline-ui - - object-store-minio - - default-configs - repoRef: - name: manifests - path: data-science-pipelines - name: ds-pipelines - - kustomizeConfig: - repoRef: - name: manifests - path: grafana/cluster - name: grafana-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: grafana/grafana - name: grafana-instance - - kustomizeConfig: - repoRef: - name: manifests - path: prometheus/cluster - name: prometheus-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: prometheus/operator - name: prometheus-operator - - kustomizeConfig: - overlays: - - additional - repoRef: - name: manifests - path: jupyterhub/notebook-images - name: notebook-images - repos: - - name: manifests - uri: https://github.com/opendatahub-io/odh-manifests/tarball/v1.4 - version: v1.4.0 ---- -# Source: opendatahub/templates/odh-dashboard.yaml -apiVersion: opendatahub.io/v1alpha -kind: OdhDashboardConfig -metadata: - name: odh-dashboard-config - namespace: manuela-ml-workspace -spec: - dashboardConfig: - disableBYONImageStream: false - disableClusterManager: false - disableISVBadges: false - disableInfo: false - disableSupport: false - disableTracking: false - disableUserManagement: false - enablement: true - groupsConfig: - adminGroups: odh-admins - allowedGroups: 'system:authenticated' - notebookController: - enabled: true diff --git a/tests/datacenter-opendatahub-medical-diagnosis-hub.expected.yaml b/tests/datacenter-opendatahub-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 543a128d7..000000000 --- a/tests/datacenter-opendatahub-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,128 +0,0 @@ ---- -# Source: opendatahub/templates/manuela-admin-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-team -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-dev ---- -# Source: opendatahub/templates/manuela-view-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: view -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: view -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-ops ---- -# Source: opendatahub/templates/odh-kfdef.yaml -apiVersion: kfdef.apps.kubeflow.org/v1 -kind: KfDef -metadata: - finalizers: - - kfdef-finalizer.kfdef.apps.kubeflow.org - name: opendatahub -spec: - applications: - - kustomizeConfig: - repoRef: - name: manifests - path: odh-common - name: odh-common - - kustomizeConfig: - overlays: - - authentication - repoRef: - name: manifests - path: odh-dashboard - name: odh-dashboard - - kustomizeConfig: - repoRef: - name: manifests - path: odh-notebook-controller - name: odh-notebook-controller - - kustomizeConfig: - overlays: - - odh-model-controller - repoRef: - name: manifests - path: model-mesh - name: model-mesh - - kustomizeConfig: - overlays: - - metadata-store-mariadb - - ds-pipeline-ui - - object-store-minio - - default-configs - repoRef: - name: manifests - path: data-science-pipelines - name: ds-pipelines - - kustomizeConfig: - repoRef: - name: manifests - path: grafana/cluster - name: grafana-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: grafana/grafana - name: grafana-instance - - kustomizeConfig: - repoRef: - name: manifests - path: prometheus/cluster - name: prometheus-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: prometheus/operator - name: prometheus-operator - - kustomizeConfig: - overlays: - - additional - repoRef: - name: manifests - path: jupyterhub/notebook-images - name: notebook-images - repos: - - name: manifests - uri: https://github.com/opendatahub-io/odh-manifests/tarball/v1.4 - version: v1.4.0 ---- -# Source: opendatahub/templates/odh-dashboard.yaml -apiVersion: opendatahub.io/v1alpha -kind: OdhDashboardConfig -metadata: - name: odh-dashboard-config - namespace: manuela-ml-workspace -spec: - dashboardConfig: - disableBYONImageStream: false - disableClusterManager: false - disableISVBadges: false - disableInfo: false - disableSupport: false - disableTracking: false - disableUserManagement: false - enablement: true - groupsConfig: - adminGroups: odh-admins - allowedGroups: 'system:authenticated' - notebookController: - enabled: true diff --git a/tests/datacenter-opendatahub-naked.expected.yaml b/tests/datacenter-opendatahub-naked.expected.yaml deleted file mode 100644 index 543a128d7..000000000 --- a/tests/datacenter-opendatahub-naked.expected.yaml +++ /dev/null @@ -1,128 +0,0 @@ ---- -# Source: opendatahub/templates/manuela-admin-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-team -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-dev ---- -# Source: opendatahub/templates/manuela-view-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: view -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: view -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-ops ---- -# Source: opendatahub/templates/odh-kfdef.yaml -apiVersion: kfdef.apps.kubeflow.org/v1 -kind: KfDef -metadata: - finalizers: - - kfdef-finalizer.kfdef.apps.kubeflow.org - name: opendatahub -spec: - applications: - - kustomizeConfig: - repoRef: - name: manifests - path: odh-common - name: odh-common - - kustomizeConfig: - overlays: - - authentication - repoRef: - name: manifests - path: odh-dashboard - name: odh-dashboard - - kustomizeConfig: - repoRef: - name: manifests - path: odh-notebook-controller - name: odh-notebook-controller - - kustomizeConfig: - overlays: - - odh-model-controller - repoRef: - name: manifests - path: model-mesh - name: model-mesh - - kustomizeConfig: - overlays: - - metadata-store-mariadb - - ds-pipeline-ui - - object-store-minio - - default-configs - repoRef: - name: manifests - path: data-science-pipelines - name: ds-pipelines - - kustomizeConfig: - repoRef: - name: manifests - path: grafana/cluster - name: grafana-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: grafana/grafana - name: grafana-instance - - kustomizeConfig: - repoRef: - name: manifests - path: prometheus/cluster - name: prometheus-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: prometheus/operator - name: prometheus-operator - - kustomizeConfig: - overlays: - - additional - repoRef: - name: manifests - path: jupyterhub/notebook-images - name: notebook-images - repos: - - name: manifests - uri: https://github.com/opendatahub-io/odh-manifests/tarball/v1.4 - version: v1.4.0 ---- -# Source: opendatahub/templates/odh-dashboard.yaml -apiVersion: opendatahub.io/v1alpha -kind: OdhDashboardConfig -metadata: - name: odh-dashboard-config - namespace: manuela-ml-workspace -spec: - dashboardConfig: - disableBYONImageStream: false - disableClusterManager: false - disableISVBadges: false - disableInfo: false - disableSupport: false - disableTracking: false - disableUserManagement: false - enablement: true - groupsConfig: - adminGroups: odh-admins - allowedGroups: 'system:authenticated' - notebookController: - enabled: true diff --git a/tests/datacenter-opendatahub-normal.expected.yaml b/tests/datacenter-opendatahub-normal.expected.yaml deleted file mode 100644 index 543a128d7..000000000 --- a/tests/datacenter-opendatahub-normal.expected.yaml +++ /dev/null @@ -1,128 +0,0 @@ ---- -# Source: opendatahub/templates/manuela-admin-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-team -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-dev ---- -# Source: opendatahub/templates/manuela-view-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: view -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: view -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: manuela-ops ---- -# Source: opendatahub/templates/odh-kfdef.yaml -apiVersion: kfdef.apps.kubeflow.org/v1 -kind: KfDef -metadata: - finalizers: - - kfdef-finalizer.kfdef.apps.kubeflow.org - name: opendatahub -spec: - applications: - - kustomizeConfig: - repoRef: - name: manifests - path: odh-common - name: odh-common - - kustomizeConfig: - overlays: - - authentication - repoRef: - name: manifests - path: odh-dashboard - name: odh-dashboard - - kustomizeConfig: - repoRef: - name: manifests - path: odh-notebook-controller - name: odh-notebook-controller - - kustomizeConfig: - overlays: - - odh-model-controller - repoRef: - name: manifests - path: model-mesh - name: model-mesh - - kustomizeConfig: - overlays: - - metadata-store-mariadb - - ds-pipeline-ui - - object-store-minio - - default-configs - repoRef: - name: manifests - path: data-science-pipelines - name: ds-pipelines - - kustomizeConfig: - repoRef: - name: manifests - path: grafana/cluster - name: grafana-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: grafana/grafana - name: grafana-instance - - kustomizeConfig: - repoRef: - name: manifests - path: prometheus/cluster - name: prometheus-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: prometheus/operator - name: prometheus-operator - - kustomizeConfig: - overlays: - - additional - repoRef: - name: manifests - path: jupyterhub/notebook-images - name: notebook-images - repos: - - name: manifests - uri: https://github.com/opendatahub-io/odh-manifests/tarball/v1.4 - version: v1.4.0 ---- -# Source: opendatahub/templates/odh-dashboard.yaml -apiVersion: opendatahub.io/v1alpha -kind: OdhDashboardConfig -metadata: - name: odh-dashboard-config - namespace: manuela-ml-workspace -spec: - dashboardConfig: - disableBYONImageStream: false - disableClusterManager: false - disableISVBadges: false - disableInfo: false - disableSupport: false - disableTracking: false - disableUserManagement: false - enablement: true - groupsConfig: - adminGroups: odh-admins - allowedGroups: 'system:authenticated' - notebookController: - enabled: true diff --git a/tests/datacenter-pipelines-industrial-edge-factory.expected.yaml b/tests/datacenter-pipelines-industrial-edge-factory.expected.yaml deleted file mode 100644 index ba41ab593..000000000 --- a/tests/datacenter-pipelines-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,4257 +0,0 @@ ---- -# Source: pipelines/templates/configmaps/environment.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: environment -data: - DESCRIPTION: "Config keys for openshift-pipelines" - IMAGE_PROVIDER: quay.io - IMAGE_ACCOUNT: PLAINTEXT - GIT_EMAIL: SOMEWHERE@EXAMPLE.COM - GIT_DEV_REPO_URL: https://github.com/PLAINTEXT/manuela-dev.git - GIT_DEV_REPO_REVISION: main - GIT_OPS_REPO_TEST_URL: https://github.com/pattern-clone/mypattern - GIT_OPS_REPO_TEST_REVISION: main - GIT_OPS_REPO_PROD_URL: https://github.com/pattern-clone/mypattern - GIT_OPS_REPO_PROD_REVISION: main - IOT_CONSUMER_IMAGE: iot-consumer - IOT_CONSUMER_YAML_PATH: ".iot_consumer.tag" - IOT_CONSUMER_BUILT_TAGS_PATH: .iot_consumer.built_tags - IOT_CONSUMER_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_CONSUMER_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_FRONTEND_IMAGE: iot-frontend - IOT_FRONTEND_YAML_PATH: ".iot_frontend.tag" - IOT_FRONTEND_BUILT_TAGS_PATH: ".iot_frontend.built_tags" - IOT_FRONTEND_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_FRONTEND_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_SWSENSOR_IMAGE: iot-software-sensor - IOT_SWSENSOR_YAML_PATH: ".machine_sensor.tag" - IOT_SWSENSOR_BUILT_TAGS_PATH: .machine_sensor.built_tags - IOT_SWSENSOR_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_SWSENSOR_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_ANOMALY_IMAGE: iot-anomaly-detection - IOT_ANOMALY_YAML_PATH: ".iot_anomaly_detection.tag" - IOT_ANOMALY_BUILT_TAGS_PATH: .iot_anomaly_detection.built_tags - IOT_ANOMALY_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_ANOMALY_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - -# IOT_CONSUMER_IMAGE: iot-consumer -# IOT_CONSUMER_YAML_PATH: 'images(name==messaging).newTag' -# IOT_CONSUMER_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_CONSUMER_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_CONSUMER_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/messaging/messaging-is.yaml -# IOT_FRONTEND_IMAGE: iot-frontend -# IOT_FRONTEND_YAML_PATH: 'images(name==line-dashboard).newTag' -# IOT_FRONTEND_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_FRONTEND_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_FRONTEND_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/line-dashboard/line-dashboard-is.yaml -# IOT_SWSENSOR_IMAGE: iot-software-sensor -# IOT_SWSENSOR_YAML_PATH: 'images(name==machine-sensor).newTag' -# IOT_SWSENSOR_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_SWSENSOR_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_SWSENSOR_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/machine-sensor/machine-sensor-is.yaml -# IOT_ANOMALY_IMAGE: iot-anomaly-detection -# IOT_ANOMALY_YAML_PATH: 'images(name==anomaly-detection).newTag' -# IOT_ANOMALY_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_ANOMALY_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_ANOMALY_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/anomaly-detection/anomaly-detection-is.yaml ---- -# Source: pipelines/templates/persistent-volume-claims/build-artifacts.rwo.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: build-artifacts-rwo -spec: - resources: - requests: - storage: 1Gi - volumeMode: Filesystem - accessModes: - - ReadWriteOnce ---- -# Source: pipelines/templates/persistent-volume-claims/gitrepos.rwo.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: gitrepos-rwo -spec: - resources: - requests: - storage: 1Gi - volumeMode: Filesystem - accessModes: - - ReadWriteOnce ---- -# Source: pipelines/templates/pipeline-from-manuela-ci-to-manuela-tst-all.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: admin - namespace: manuela-tst-all -subjects: - - kind: ServiceAccount - name: pipeline - namespace: manuela-ci -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin ---- -# Source: pipelines/templates/pipelines/build-and-test-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - name: argocd-env-secret - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - #value: datacenter-gitops-server.industrial-edge-datacenter.svc - value: "factory-gitops-server.mypattern-factory.svc" - - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version-iot-anomaly.results.image-tag) -p CONFIGMAP_PREFIX=IOT_ANOMALY -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection -p COMPONENT_NAME=iot-anomaly-detection - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-anomaly-detection ---- -# Source: pipelines/templates/pipelines/build-and-test-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - name: argocd-env-secret - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - #value: datacenter-gitops-server.industrial-edge-datacenter.svc - value: "factory-gitops-server.mypattern-factory.svc" - - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version-iot-consumer.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer ---- -# Source: pipelines/templates/pipelines/build-and-test.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test -spec: - workspaces: - - name: gitrepos - - name: config - - name: argocd-env-secret - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: build-base-images - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-base-images - - --param - - PATH_CONTEXT=tekton/images/httpd-ionic - - --param - - DEV_REVISION=$(params.DEV_REVISION) - - --param - - OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY=IMAGE_PROVIDER - - --param - - OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY=IMAGE_ACCOUNT - - --param - - OUTPUT_IMAGE_NAME=httpd-ionic - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --showlog - - --nocolour - - - name: build-iot-anomaly-detection - runAfter: - - build-base-images - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-anomaly-detection - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-consumer - runAfter: - - build-iot-anomaly-detection - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-consumer - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-frontend - runAfter: - - build-iot-consumer - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-frontend - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-software-sensor - runAfter: - - build-iot-frontend - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-software-sensor - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: git-clone-dev - runAfter: - - build-iot-software-sensor - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-gitops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version - taskRef: - name: bumpversion - runAfter: - - git-clone-gitops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot_consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: build-messaging-image - taskRef: - name: s2i - runAfter: - - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: CHAINED_BUILD_DOCKERFILE - value: "" - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - build-messaging-image -# - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops-test - taskRef: - name: git-commit - runAfter: - - modify-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-test - taskRef: - name: github-push - runAfter: - - commit-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops-test - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - # datacenter-gitops-server.industrial-edge-datacenter.svc - value: "factory-gitops-server.mypattern-factory.svc" - - # - name: sensor-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully sent messages to broker..." - # - name: consumer-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully processed messages from broker..." - # - name: consumer-frontend-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully executed Websocket APIs..." - # - name: e2e-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - sensor-broker-test - # - consumer-broker-test - # - consumer-frontend-test - # params: - # - name: MESSAGE - # value: "e2e testsuite succesfully executed" - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer - # - name: OPENSHIFT_NAMESPACE - # value: manuela-tst-all - # - name: OPENSHIFT_IMAGESTREAM - # value: messaging ---- -# Source: pipelines/templates/pipelines/build-base-images.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-base-images -spec: - workspaces: - - name: gitrepos - - name: config - params: - - name: PATH_CONTEXT - type: string - default: tekton/images/httpd-ionic - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - type: string - default: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - type: string - default: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - type: string - default: httpd-ionic - - name: DEV_REVISION - type: string - default: main - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: buildah-build - taskRef: - name: buildah - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: $(params.PATH_CONTEXT) - - name: TAG - value: latest - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: $(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY) - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: $(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY) - - name: OUTPUT_IMAGE_NAME - value: $(params.OUTPUT_IMAGE_NAME) ---- -# Source: pipelines/templates/pipelines/build-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-frontend.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-frontend -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-frontend - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-frontend - - name: version_file_path - value: components/iot-frontend/VERSION - - - name: s2i-build-iot-frontend - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-frontend - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: CHAINED_BUILD_DOCKERFILE - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - - name: copy-image-to-remote-registry-iot-frontend - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-frontend - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_FRONTEND_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-software-sensor.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-software-sensor -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-software-sensor - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-swsensor - - name: version_file_path - value: components/iot-software-sensor/VERSION - - - name: s2i-build-iot-software-sensor - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - - name: copy-image-to-remote-registry-iot-software-sensor - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-software-sensor - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_SWSENSOR_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/just-pr.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: just-pr -spec: - workspaces: - - name: gitrepos - - name: config - - name: argocd-env-secret - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-gitops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version - taskRef: - name: bumpversion - runAfter: - - git-clone-gitops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot_consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: build-messaging-image - taskRef: - name: s2i - runAfter: - - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: CHAINED_BUILD_DOCKERFILE - value: "" - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - build-messaging-image -# - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops-test - taskRef: - name: git-commit - runAfter: - - modify-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-test - taskRef: - name: github-push - runAfter: - - commit-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops-test - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - # datacenter-gitops-server.industrial-edge-datacenter.svc - value: "factory-gitops-server.mypattern-factory.svc" - # - name: sensor-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully sent messages to broker..." - # - name: consumer-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully processed messages from broker..." - # - name: consumer-frontend-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully executed Websocket APIs..." - # - name: e2e-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - sensor-broker-test - # - consumer-broker-test - # - consumer-frontend-test - # params: - # - name: MESSAGE - # value: "e2e testsuite succesfully executed" - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer - # - name: OPENSHIFT_NAMESPACE - # value: manuela-tst-all - # - name: OPENSHIFT_IMAGESTREAM - # value: messaging ---- -# Source: pipelines/templates/pipelines/seed-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-frontend.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-frontend -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-frontend - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-frontend - - name: version_file_path - value: components/iot-frontend/VERSION - - - name: s2i-build-iot-frontend - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-frontend - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: CHAINED_BUILD_DOCKERFILE - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - - name: copy-image-to-remote-registry-iot-frontend - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-frontend - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_FRONTEND_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-software-sensor.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-software-sensor -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-software-sensor - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-swsensor - - name: version_file_path - value: components/iot-software-sensor/VERSION - - - name: s2i-build-iot-software-sensor - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - - name: copy-image-to-remote-registry-iot-software-sensor - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-software-sensor - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_SWSENSOR_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: build-base-images - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - build-base-images - - --param - - PATH_CONTEXT=tekton/images/httpd-ionic - - --param - - OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY=IMAGE_PROVIDER - - --param - - OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY=IMAGE_ACCOUNT - - --param - - OUTPUT_IMAGE_NAME=http-ionic - - --param - - DEV_REVISION=$(params.DEV_REVISION) - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-anomaly-detection - runAfter: - - build-base-images - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-anomaly-detection - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-consumer - runAfter: - - seed-iot-anomaly-detection - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-consumer - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-frontend - runAfter: - - seed-iot-consumer - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-frontend - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-software-sensor - runAfter: - - seed-iot-frontend - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-software-sensor - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour ---- -# Source: pipelines/templates/pipelines/stage-production.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: stage-production -spec: - workspaces: - - name: gitrepos - - name: config - - name: github-secret - params: - - name: TAG - type: string - - name: SOURCE_IMAGE - type: string - - name: CONFIGMAP_PREFIX - type: string - - tasks: - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_PROD_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: copy-image-to-remote-registry - taskRef: - name: skopeo-copy - runAfter: - - git-clone-ops - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(params.TAG) - - name: SOURCE_IMAGE - value: $(params.SOURCE_IMAGE) - - name: TARGET_IMAGE_CONFIGMAPKEY - value: $(params.CONFIGMAP_PREFIX)_IMAGE - - - name: checkout-staging-branch - taskRef: - name: git-checkout - runAfter: - - copy-image-to-remote-registry - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - name: BRANCH - value: staging-approval - - - name: modify-ops-prod - taskRef: - name: gitops-imagetag - runAfter: - - checkout-staging-branch - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: $(params.CONFIGMAP_PREFIX) - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(params.TAG) - - name: subdirectory - value: ops - - - name: commit-ops-prod - taskRef: - name: git-commit - runAfter: - - modify-ops-prod - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-prod - taskRef: - name: github-push - runAfter: - - commit-ops-prod - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - name: PUSH_FLAGS - value: --set-upstream origin staging-approval - - - name: github-pull-request - taskRef: - name: github-add-pull-request - runAfter: - - push-ops-prod - workspaces: - - name: config - workspace: config - - name: github-secret - workspace: github-secret - params: - - name: GITHUB_REPO_CONFIGMAPKEY - value: GIT_OPS_REPO_PROD_URL - - name: GIT_BRANCH_HEAD - value: staging-approval - - name: GIT_BRANCH_BASE - value: main ---- -# Source: pipelines/templates/pipelines/test-all.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: test-all -spec: - tasks: - - name: sensor-broker-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully sent messages to broker..." - - name: consumer-broker-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully processed messages from broker..." - - name: consumer-frontend-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully executed Websocket APIs..." - - name: e2e-test - taskRef: - name: mock - kind: Task - runAfter: - - sensor-broker-test - - consumer-broker-test - - consumer-frontend-test - params: - - name: MESSAGE - value: "e2e testsuite succesfully executed" - # - name: fail - # taskRef: - # name: fail - # kind: Task - # runAfter: - # - e2e-test ---- -# Source: pipelines/templates/tasks/argocd-sync-and-wait.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: argocd-sync-and-wait -spec: - workspaces: - - name: argocd-env-secret - params: - - name: application-name - type: string - description: name of the application to sync - - name: revision - type: string - description: the revision to sync to - default: main - - name: flags - type: string - default: -- - - name: argocd-version - type: string - default: v1.5.2 - - name: argocd-server - type: string - default: openshift-gitops-server.openshift-gitops.svc - steps: - - name: login-sync-wait - image: argoproj/argocd:$(params.argocd-version) - command: ["/bin/bash", "-c"] - args: - - if [ -z $ARGOCD_AUTH_TOKEN ]; then - yes | argocd login $(params.argocd-server) --grpc-web $(params.flags) --username=$(cat $(workspaces.argocd-env-secret.path)/ARGOCD_USERNAME) --password=$(cat $(workspaces.argocd-env-secret.path)/ARGOCD_PASSWORD); - fi; - - argocd app sync $(params.application-name) --revision $(params.revision) $(params.flags); - - argocd app wait $(params.application-name) --health $(params.flags); ---- -# Source: pipelines/templates/tasks/buildah.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: buildah -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - results: - - name: image - description: The image+tag that was created - params: - - name: PATH_CONTEXT - default: . - description: The location of the path to run s2i from. - type: string - - name: TLSVERIFY - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - type: string - - name: subdirectory - default: "dev" - description: subdirectory in the gitrepos workspace where the dev repo has been cloned to - type: string - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - type: string - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - type: string - - name: OUTPUT_IMAGE_NAME - type: string - - name: TAG - default: latest - type: string - - name: DOCKERFILE - default: Dockerfile - type: string - steps: - - name: build - image: quay.io/buildah/stable:v1.11.0 - script: | - PROVIDER=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY)) - ACCOUNT=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY)) - OUTPUT_IMAGE="$PROVIDER/$ACCOUNT/$(params.OUTPUT_IMAGE_NAME)" - buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f $(params.DOCKERFILE) -t $OUTPUT_IMAGE - resources: {} - securityContext: - privileged: false - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory)/$(params.PATH_CONTEXT) - - name: push - image: quay.io/buildah/stable:v1.11.0 - script: | - PROVIDER=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY)) - ACCOUNT=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY)) - OUTPUT_IMAGE="$PROVIDER/$ACCOUNT/$(params.OUTPUT_IMAGE_NAME)" - buildah push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) $OUTPUT_IMAGE docker://$OUTPUT_IMAGE:$(params.TAG) - echo -n "$OUTPUT_IMAGE:$(params.TAG)" >$(results.image.path) - resources: {} - securityContext: - privileged: false - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - volumes: - - emptyDir: {} - name: varlibcontainers ---- -# Source: pipelines/templates/tasks/bumpversion.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: bumpversion -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "dev" - - name: component_name - description: component name - type: string - - name: version_file_path - description: path within subdirectory where the base VERSION of the component resides - type: string - results: - - name: image-tag - description: the new build version based on the last tags and VERSION file - - name: git-tag - description: the new build version based on the last tags and VERSION file - steps: - - name: current-tag - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - VERSION_GLOB="build-$(params.component_name)-$(cat $(params.version_file_path))-*" - - # existing tag based on glob - LAST_TAG=$(git tag --sort "version:refname" -l $VERSION_GLOB | tail -n 1) - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] ; then - exit $EXIT_CODE - fi - - # if tag doesn't exist, create new one - if [ "$LAST_TAG" == "" ] ; then - LAST_TAG="build-$(params.component_name)-$(cat $(params.version_file_path))-0" - fi - - # Make sure we don't add a trailing newline to the result! - echo -n "$LAST_TAG" >/scratch/VERSION - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: bump-tag - image: quay.io/hybridcloudpatterns/bumpversiontask:latest - script: | - cd /scratch - echo -e "[bumpversion]\ncurrent_version = $(cat VERSION)" >.bumpversion.cfg - cat <>.bumpversion.cfg - commit = False - tag = False - parse = (?P.*)\-(?P\d+)\.(?P\d+)\.(?P\d+)\-(?P\d+) - serialize = {prefix}-{major}.{minor}.{patch}-{build:03d} - - [bumpversion:part:build] - - [bumpversion:file:VERSION] - EOF - - bump2version build /scratch/VERSION - - sed "s/build-$(params.component_name)-//" /scratch/VERSION >$(results.image-tag.path) - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: tag-repo - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - VERSION=$(cat /scratch/VERSION) - git tag $VERSION - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] ; then - exit $EXIT_CODE - fi - echo -n "$VERSION" > $(results.git-tag.path) - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - volumes: - - emptyDir: {} - name: scratch ---- -# Source: pipelines/templates/tasks/cleanup.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: cleanup -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: dev - - name: COMPONENT_NAME - description: component name - type: string - - name: NUMBER_OF_TAGS_TO_KEEP - type: string - default: "5" - - name: GITHUB_USERNAME_CONFIGMAPKEY - default: user - type: string - - name: GITHUB_TOKEN_CONFIGMAPKEY - default: token - type: string - # - name: OPENSHIFT_NAMESPACE - # default: manuela-tst-all - # type: string - # - name: OPENSHIFT_IMAGESTREAM - # default: messaging - # type: string - steps: - - name: cleanup-git-tags - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - #list build tags for component in repo - BUILD_TAG_GLOB="build-$(params.COMPONENT_NAME)-*" - git tag --sort "version:refname" -l $BUILD_TAG_GLOB >/scratch/tags - - #identify build tags to keep - tail -n $(params.NUMBER_OF_TAGS_TO_KEEP) /scratch/tags >/scratch/keep - - #identify build tags to be deleted - diff /scratch/tags /scratch/keep | grep \^-build | cut -c2- > /scratch/delete - - #delete build tags - for TAG in $(cat /scratch/delete); do - git push origin :$TAG - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - done - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - # - name: cleanup-test-images - # image: quay.io/openshift/origin-cli:latest - # script: | - # oc get is -n $(params.OPENSHIFT_NAMESPACE) $(params.OPENSHIFT_IMAGESTREAM) -o jsonpath='{.status.tags..tag}' | tr " " "\n" | grep build- | comm -23 - /scratch/keep >/scratch/delete_istags - # EXIT_CODE="$?" - # if [ "$EXIT_CODE" != 0 ] - # then - # exit $EXIT_CODE - # fi - # for TAG in $(cat /scratch/delete_istags); do - # oc tag -n $(params.OPENSHIFT_NAMESPACE) -d $(params.OPENSHIFT_IMAGESTREAM):$TAG - # EXIT_CODE="$?" - # if [ "$EXIT_CODE" != 0 ] - # then - # exit $EXIT_CODE - # fi - # done - # volumeMounts: - # - mountPath: /scratch - # name: scratch - # workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - volumes: - - emptyDir: {} - name: scratch ---- -# Source: pipelines/templates/tasks/fail.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: fail -spec: - steps: - - name: fail - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - exit 1 ---- -# Source: pipelines/templates/tasks/git-checkout.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-checkout -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: BRANCH - description: branch to check out or to create - type: string - default: main - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - results: - - name: commit - description: The precise commit SHA that is HEAD of the checked out branch - steps: - - name: checkout - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - BRANCH=$(params.BRANCH) - git checkout -q --track -b $BRANCH origin/$BRANCH 2>&1 || git checkout -q -b $BRANCH 2>&1 - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')" - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - # Make sure we don't add a trailing newline to the result! - echo -n "$RESULT_SHA" > $(results.commit.path) - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/git-clone-with-tags.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-clone-with-tags -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: url_configmapkey - description: git url to clone - type: string - - name: revision - description: git revision to checkout (branch, tag, sha, ref…) - type: string - default: main - - name: submodules - description: defines if the resource should initialize and fetch the submodules - type: string - default: "true" - - name: depth - description: performs a shallow clone where only the most recent commit(s) will be fetched - type: string - default: "1" - - name: sslVerify - description: defines if http.sslVerify should be set to true or false in the global git config - type: string - default: "true" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "" - - name: deleteExisting - description: clean out the contents of the repo's destination directory (if it already exists) before trying to clone the repo there - type: string - default: "false" - results: - - name: commit - description: The precise commit SHA that was fetched by this Task - steps: - - name: clone - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - CHECKOUT_DIR="$(workspaces.gitrepos.path)/$(params.subdirectory)" - - cleandir() { - # Delete any existing contents of the repo directory if it exists. - # - # We don't just "rm -rf $CHECKOUT_DIR" because $CHECKOUT_DIR might be "/" - # or the root of a mounted volume. - if [[ -d "$CHECKOUT_DIR" ]] ; then - # Delete non-hidden files and directories - rm -rf "$CHECKOUT_DIR"/* - # Delete files and directories starting with . but excluding .. - rm -rf "$CHECKOUT_DIR"/.[!.]* - # Delete files and directories starting with .. plus any other character - rm -rf "$CHECKOUT_DIR"/..?* - fi - } - - if [[ "$(params.deleteExisting)" == "true" ]] ; then - cleandir - fi - - /ko-app/git-init \ - -url "$(cat $(workspaces.config.path)/$(params.url_configmapkey))" \ - -revision "$(params.revision)" \ - -path "$CHECKOUT_DIR" \ - -sslVerify="$(params.sslVerify)" \ - -submodules="$(params.submodules)" \ - -depth="$(params.depth)" - cd "$CHECKOUT_DIR" - - git fetch --tags - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - # Seems the go git client checks out master regardless. This allows for 'main' or another branch to be used - git checkout $(params.revision) - git branch --set-upstream-to=origin/$(params.revision) - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')" - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - # Make sure we don't add a trailing newline to the result! - echo -n "$RESULT_SHA" > $(results.commit.path) ---- -# Source: pipelines/templates/tasks/git-commit.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-commit -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: GIT_EMAIL_CONFIGMAPKEY - default: GIT_EMAIL - type: string - - name: MESSAGE - description: commit message - type: string - default: "change made by Tekton task" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - steps: - - name: commit - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - git diff - git config --global user.email "$(cat $(workspaces.config.path)/$(params.GIT_EMAIL_CONFIGMAPKEY))" - git config --global user.name "Tekton Automation" - git add . - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - #only commit if there is something which has changed - git diff --staged --quiet || git commit -m "$(params.MESSAGE)" - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/github-add-pull-request.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: github-add-pull-request -spec: - workspaces: - - name: config - - name: github-secret - params: - - name: PULL_REQUEST_BODY - description: The body to be used for the pull request - type: string - default: "" - - name: PULL_REQUEST_TITLE - description: Title of the pull request - type: string - default: "Pull request created by Tekton task github-add-pull-request" - - name: GITHUB_REPO_CONFIGMAPKEY - description: The github owner/repo to use - type: string - - name: GIT_BRANCH_HEAD - description: The branch to pull from - type: string - default: approve - - name: GIT_BRANCH_BASE - description: The branch to pull into - type: string - default: main - steps: - - name: create-pull-request - image: curlimages/curl - script: | - GITREPO=$(cat $(workspaces.config.path)/$(params.GITHUB_REPO_CONFIGMAPKEY)) - PULLREQUEST_API_ENDPOINT=$(echo -n "$GITREPO" | sed "s|github.com|api.github.com/repos|" | sed "s/\.git$//g")/pulls - curl -v -u :$(cat $(workspaces.github-secret.path)/password) $PULLREQUEST_API_ENDPOINT -d '{"title":"$(params.PULL_REQUEST_TITLE)","body":"$(params.PULL_REQUEST_BODY)","head":"$(params.GIT_BRANCH_HEAD)","base":"$(params.GIT_BRANCH_BASE)"}' ---- -# Source: pipelines/templates/tasks/github-push.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: github-push -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "dev" - - name: PUSH_FLAGS - description: additional flags for git push - type: string - default: "" - steps: - - name: push - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - git remote -v - git branch - git branch -r | grep -q origin/$(git rev-parse --abbrev-ref HEAD) && git pull --ff-only --no-edit - git log -n 2 - git push -v $(params.PUSH_FLAGS) - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/gitops-imagetag.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: gitops-imagetag -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - params: - - name: CONFIGMAP_PREFIX - type: string - - name: ENVIRONMENT - type: string - default: TEST - description: TEST or PROD - - name: TAG - description: the VERSION tag - type: string - - name: TRUNCATE_IMAGESTREAM_TAGS_AFTER - type: string - description: Number of image stream tags to keep - default: "4" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "ops" - steps: - - name: update-tag - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - TAG_VALUE=$(params.TAG) - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - YAML_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_YAML_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_YAML_PATH) : $YAML_PATH" - yq "$YAML_PATH = \"$TAG_VALUE\"" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: update-built-tags - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - TAG_VALUE=$(params.TAG) - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - BUILT_TAGS_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH) : $BUILT_TAGS_PATH" - yq "$BUILT_TAGS_PATH += [ \"$TAG_VALUE\" ]" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: prune-built-tags - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - BUILT_TAGS_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH) : $BUILT_TAGS_PATH" - ARRAY_COUNT=$(yq "$BUILT_TAGS_PATH | length" $VALUES_PATH) - echo $ARRAY_COUNT - if [ "$ARRAY_COUNT" -gt "$(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)" ]; then - MIN_KEY=$(echo | yq "$ARRAY_COUNT - $(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)") - yq "del(${BUILT_TAGS_PATH}[] | select(key < $MIN_KEY))" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - else - echo "$BUILT_TAGS_PATH currently has $ARRAY_COUNT tags, will prune at $(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)" - fi - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/mock.yaml -kind: Task -apiVersion: tekton.dev/v1beta1 -metadata: - name: mock -spec: - params: - - name: MESSAGE - type: string - description: | - The message to echo. - default: "Hello from mock-task" - steps: - - image: node # contains node - script: | - #!/usr/bin/env node - console.log("$(params.MESSAGE)") ---- -# Source: pipelines/templates/tasks/openshift-instantiate-template.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: openshift-instantiate-template -spec: - params: - - name: TEMPLATE - type: string - - name: PARAMS - type: string - steps: - - name: instantiate-template - image: quay.io/openshift/origin-cli:latest - script: | - oc process $(params.TEMPLATE) $(params.PARAMS) | oc create -f - ---- -# Source: pipelines/templates/tasks/s2i.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: s2i -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: build-artifacts - description: The maven repo for java builds - results: - - name: image - description: The image+tag that was created - params: - - name: BUILDER_IMAGE - description: The location of the s2i builder image. - type: string - - name: PATH_CONTEXT - default: . - description: The location of the path to run s2i from. - type: string - - name: TLSVERIFY - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - type: string - - name: LOGLEVEL - default: "0" - description: Log level when running the S2I binary - type: string - - name: subdirectory - default: "dev" - description: subdirectory in the gitrepos workspace where the dev repo has been cloned to - type: string - - name: OUTPUT_IMAGE - type: string - - name: TAG - default: latest - type: string -# only for java builds - - name: MAVEN_ARGS_APPEND - default: "" - description: Additional Maven arguments - type: string - - name: MAVEN_CLEAR_REPO - default: "false" - description: Remove the Maven repository after the artifact is built - type: string - - name: MAVEN_MIRROR_URL - default: "" - description: The base URL of a mirror used for retrieving artifacts - type: string - - name: CHAINED_BUILD_DOCKERFILE - default: "" - description: If a chained build is to be executed, the second part of the DOCKERFILE - type: string - steps: - - name: prepare-env - image: quay.io/openshift-pipeline/s2i - script: | - if [[ "$(params.BUILDER_IMAGE)" == *"jdk"* ]] || [[ "$(params.BUILDER_IMAGE)" == *"java"* ]]; then - echo "MAVEN_CLEAR_REPO=$(params.MAVEN_CLEAR_REPO)" > env-file - - [[ '$(params.MAVEN_ARGS_APPEND)' != "" ]] && - echo "MAVEN_ARGS_APPEND=$(params.MAVEN_ARGS_APPEND)" >> env-file - - [[ '$(params.MAVEN_MIRROR_URL)' != "" ]] && - echo "MAVEN_MIRROR_URL=$(params.MAVEN_MIRROR_URL)" >> env-file - - #create build artifacts cache directory - if [[ ! -d $(workspaces.build-artifacts.path)/m2 ]]; then - mkdir $(workspaces.build-artifacts.path)/m2 - chmod a+rwx $(workspaces.build-artifacts.path)/m2 - fi - echo "MAVEN_LOCAL_REPO=/ba/m2" >> env-file - - echo "Generated Env file" - echo "------------------------------" - cat env-file - echo "------------------------------" - - echo "s2i build --loglevel=$(params.LOGLEVEL) $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) --image-scripts-url image:///usr/local/s2i --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-params/env-file" >s2icommand - echo "buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f /gen-source/Dockerfile.gen -t `basename $(params.OUTPUT_IMAGE)` -v $(workspaces.build-artifacts.path)/m2:/ba/m2 ." >buildahcommand - fi - volumeMounts: - - mountPath: /env-params - name: envparams - workingDir: /env-params - - name: generate - image: quay.io/openshift-pipeline/s2i - # command: - # - s2i - # - build - # - --loglevel=$(params.LOGLEVEL) - # - $(params.PATH_CONTEXT) - # - $(params.BUILDER_IMAGE) - # - --as-dockerfile - # - /gen-source/Dockerfile.gen - script: | - if [ -f /env-params/s2icommand ]; then - source /env-params/s2icommand - else - s2i build --loglevel=$(params.LOGLEVEL) $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) --as-dockerfile /gen-source/Dockerfile.gen - fi - if [[ -n "$(params.CHAINED_BUILD_DOCKERFILE)" ]]; then - echo "$(params.CHAINED_BUILD_DOCKERFILE)" >>/gen-source/Dockerfile.gen - fi - resources: {} - volumeMounts: - - mountPath: /gen-source - name: gen-source - - mountPath: /env-params - name: envparams - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: build - image: quay.io/buildah/stable:v1.11.0 - script: | - if [ -f /env-params/buildahcommand ]; then - source /env-params/buildahcommand - else - buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f /gen-source/Dockerfile.gen -t `basename $(params.OUTPUT_IMAGE)` . - fi - resources: {} - securityContext: - privileged: false # LRC Changed from true - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /gen-source - name: gen-source - - mountPath: /env-params - name: envparams - workingDir: /gen-source - - name: push - image: quay.io/buildah/stable:v1.11.0 - script: | - buildah push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) `basename $(params.OUTPUT_IMAGE)` docker://$(params.OUTPUT_IMAGE):$(params.TAG) - echo -n "$(params.OUTPUT_IMAGE):$(params.TAG)" >$(results.image.path) - resources: {} - securityContext: - privileged: false # LRC Changed from true - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - volumes: - - emptyDir: {} - name: varlibcontainers - - emptyDir: {} - name: gen-source - - emptyDir: {} - name: envparams ---- -# Source: pipelines/templates/tasks/skopeo-copy.yaml -kind: Task -apiVersion: tekton.dev/v1beta1 -metadata: - name: skopeo-copy -spec: - workspaces: - - name: config - description: configmap contents - params: - - name: TAG - type: string - - name: SOURCE_IMAGE - type: string - - name: TARGET_IMAGE_CONFIGMAPKEY - type: string - steps: - - name: skopeo-copy - image: quay.io/redhat-emea-ssa-team/skopeo-ubi:latest - script: | - skopeo copy --src-tls-verify=false --dest-tls-verify=false docker://$(params.SOURCE_IMAGE):$(params.TAG) docker://$(cat $(workspaces.config.path)/IMAGE_PROVIDER)/$(cat $(workspaces.config.path)/IMAGE_ACCOUNT)/$(cat $(workspaces.config.path)/$(params.TARGET_IMAGE_CONFIGMAPKEY)):$(params.TAG) ---- -# Source: pipelines/templates/tasks/tkn.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: tkn -spec: - params: - - name: tkn-image - description: tkn CLI container image to run this task - default: gcr.io/tekton-releases/dogfooding/tkn - - name: ARGS - type: array - description: tkn CLI arguments to run - steps: - - name: tkn - image: "$(params.tkn-image)" - command: ["/usr/local/bin/tkn"] - args: ["$(params.ARGS)"] ---- -# Source: pipelines/templates/templates/build-image-bumpversion.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-bumpversion -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-bumpversion- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Mi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/bumpversiontask - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: bumpversion ---- -# Source: pipelines/templates/templates/build-image-httpd-ionic.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-httpd-ionic -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-httpd-ionic- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Gi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/httpd-ionic - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: httpd-ionic ---- -# Source: pipelines/templates/templates/build-image-pushprox.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-pushprox -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-pushprox- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Mi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/pushprox - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: pushprox - - name: DEV_REVISION - value: pushprox ---- -# Source: pipelines/templates/templates/build-iot-anomaly-detection.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-anomaly-detection -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-anomaly-detection- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-anomaly-detection - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: COMPONENT_NAME - value: iot-anomaly - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY ---- -# Source: pipelines/templates/templates/build-iot-consumer.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-consumer -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-consumer- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-consumer - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: PATH_CONTEXT - value: components/iot-consumer - - name: COMPONENT_NAME - value: iot-consumer - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER ---- -# Source: pipelines/templates/templates/build-iot-frontend.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-frontend -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-frontend- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-frontend - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: PATH_CONTEXT - value: components/iot-frontend - - name: COMPONENT_NAME - value: iot-frontend - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: CHAINED_BUILD_DOCKERFILE - #value: "FROM centos/httpd-24-centos7\nCOPY --from=0 /opt/app-root/output /var/www/html/" - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" ---- -# Source: pipelines/templates/templates/build-iot-software-sensor-quarkus.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-software-sensor-quarkus -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-software-sensor-quarkus- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-software-sensor - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/quarkus/ubi-quarkus-native-s2i:19.3.1-java11 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: PATH_CONTEXT - value: components/iot-software-sensor-quarkus - - name: COMPONENT_NAME - value: iot-swsensor - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR ---- -# Source: pipelines/templates/templates/build-iot-software-sensor.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-software-sensor -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-software-sensor- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-software-sensor - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: COMPONENT_NAME - value: iot-swsensor - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR ---- -# Source: pipelines/templates/templates/seed.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: seed -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: seed- - spec: - pipelineRef: - name: seed - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-consumer - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: pipelines/templates/templates/stage-production-pipelinerun.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: stage-production-pipelinerun -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: stage-production-${COMPONENT_NAME}- - spec: - pipelineRef: - name: stage-production - params: - - name: TAG - value: ${TAG} - - name: SOURCE_IMAGE - value: ${SOURCE_IMAGE} - - name: CONFIGMAP_PREFIX - value: ${CONFIGMAP_PREFIX} - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: github-secret - secret: - secretName: git-repo-credentials - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - # persistentVolumeClaim: - # claimName: stage-production -parameters: -- name: TAG -- name: SOURCE_IMAGE -- name: CONFIGMAP_PREFIX -- name: COMPONENT_NAME diff --git a/tests/datacenter-pipelines-industrial-edge-hub.expected.yaml b/tests/datacenter-pipelines-industrial-edge-hub.expected.yaml deleted file mode 100644 index 030238dcf..000000000 --- a/tests/datacenter-pipelines-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,4257 +0,0 @@ ---- -# Source: pipelines/templates/configmaps/environment.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: environment -data: - DESCRIPTION: "Config keys for openshift-pipelines" - IMAGE_PROVIDER: quay.io - IMAGE_ACCOUNT: PLAINTEXT - GIT_EMAIL: SOMEWHERE@EXAMPLE.COM - GIT_DEV_REPO_URL: https://github.com/PLAINTEXT/manuela-dev.git - GIT_DEV_REPO_REVISION: main - GIT_OPS_REPO_TEST_URL: https://github.com/pattern-clone/mypattern - GIT_OPS_REPO_TEST_REVISION: main - GIT_OPS_REPO_PROD_URL: https://github.com/pattern-clone/mypattern - GIT_OPS_REPO_PROD_REVISION: main - IOT_CONSUMER_IMAGE: iot-consumer - IOT_CONSUMER_YAML_PATH: ".iot_consumer.tag" - IOT_CONSUMER_BUILT_TAGS_PATH: .iot_consumer.built_tags - IOT_CONSUMER_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_CONSUMER_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_FRONTEND_IMAGE: iot-frontend - IOT_FRONTEND_YAML_PATH: ".iot_frontend.tag" - IOT_FRONTEND_BUILT_TAGS_PATH: ".iot_frontend.built_tags" - IOT_FRONTEND_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_FRONTEND_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_SWSENSOR_IMAGE: iot-software-sensor - IOT_SWSENSOR_YAML_PATH: ".machine_sensor.tag" - IOT_SWSENSOR_BUILT_TAGS_PATH: .machine_sensor.built_tags - IOT_SWSENSOR_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_SWSENSOR_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_ANOMALY_IMAGE: iot-anomaly-detection - IOT_ANOMALY_YAML_PATH: ".iot_anomaly_detection.tag" - IOT_ANOMALY_BUILT_TAGS_PATH: .iot_anomaly_detection.built_tags - IOT_ANOMALY_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_ANOMALY_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - -# IOT_CONSUMER_IMAGE: iot-consumer -# IOT_CONSUMER_YAML_PATH: 'images(name==messaging).newTag' -# IOT_CONSUMER_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_CONSUMER_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_CONSUMER_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/messaging/messaging-is.yaml -# IOT_FRONTEND_IMAGE: iot-frontend -# IOT_FRONTEND_YAML_PATH: 'images(name==line-dashboard).newTag' -# IOT_FRONTEND_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_FRONTEND_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_FRONTEND_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/line-dashboard/line-dashboard-is.yaml -# IOT_SWSENSOR_IMAGE: iot-software-sensor -# IOT_SWSENSOR_YAML_PATH: 'images(name==machine-sensor).newTag' -# IOT_SWSENSOR_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_SWSENSOR_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_SWSENSOR_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/machine-sensor/machine-sensor-is.yaml -# IOT_ANOMALY_IMAGE: iot-anomaly-detection -# IOT_ANOMALY_YAML_PATH: 'images(name==anomaly-detection).newTag' -# IOT_ANOMALY_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_ANOMALY_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_ANOMALY_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/anomaly-detection/anomaly-detection-is.yaml ---- -# Source: pipelines/templates/persistent-volume-claims/build-artifacts.rwo.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: build-artifacts-rwo -spec: - resources: - requests: - storage: 1Gi - volumeMode: Filesystem - accessModes: - - ReadWriteOnce ---- -# Source: pipelines/templates/persistent-volume-claims/gitrepos.rwo.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: gitrepos-rwo -spec: - resources: - requests: - storage: 1Gi - volumeMode: Filesystem - accessModes: - - ReadWriteOnce ---- -# Source: pipelines/templates/pipeline-from-manuela-ci-to-manuela-tst-all.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: admin - namespace: manuela-tst-all -subjects: - - kind: ServiceAccount - name: pipeline - namespace: manuela-ci -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin ---- -# Source: pipelines/templates/pipelines/build-and-test-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - name: argocd-env-secret - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - #value: datacenter-gitops-server.industrial-edge-datacenter.svc - value: "datacenter-gitops-server.mypattern-datacenter.svc" - - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version-iot-anomaly.results.image-tag) -p CONFIGMAP_PREFIX=IOT_ANOMALY -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection -p COMPONENT_NAME=iot-anomaly-detection - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-anomaly-detection ---- -# Source: pipelines/templates/pipelines/build-and-test-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - name: argocd-env-secret - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - #value: datacenter-gitops-server.industrial-edge-datacenter.svc - value: "datacenter-gitops-server.mypattern-datacenter.svc" - - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version-iot-consumer.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer ---- -# Source: pipelines/templates/pipelines/build-and-test.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test -spec: - workspaces: - - name: gitrepos - - name: config - - name: argocd-env-secret - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: build-base-images - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-base-images - - --param - - PATH_CONTEXT=tekton/images/httpd-ionic - - --param - - DEV_REVISION=$(params.DEV_REVISION) - - --param - - OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY=IMAGE_PROVIDER - - --param - - OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY=IMAGE_ACCOUNT - - --param - - OUTPUT_IMAGE_NAME=httpd-ionic - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --showlog - - --nocolour - - - name: build-iot-anomaly-detection - runAfter: - - build-base-images - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-anomaly-detection - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-consumer - runAfter: - - build-iot-anomaly-detection - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-consumer - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-frontend - runAfter: - - build-iot-consumer - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-frontend - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-software-sensor - runAfter: - - build-iot-frontend - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-software-sensor - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: git-clone-dev - runAfter: - - build-iot-software-sensor - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-gitops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version - taskRef: - name: bumpversion - runAfter: - - git-clone-gitops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot_consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: build-messaging-image - taskRef: - name: s2i - runAfter: - - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: CHAINED_BUILD_DOCKERFILE - value: "" - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - build-messaging-image -# - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops-test - taskRef: - name: git-commit - runAfter: - - modify-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-test - taskRef: - name: github-push - runAfter: - - commit-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops-test - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - # datacenter-gitops-server.industrial-edge-datacenter.svc - value: "datacenter-gitops-server.mypattern-datacenter.svc" - - # - name: sensor-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully sent messages to broker..." - # - name: consumer-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully processed messages from broker..." - # - name: consumer-frontend-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully executed Websocket APIs..." - # - name: e2e-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - sensor-broker-test - # - consumer-broker-test - # - consumer-frontend-test - # params: - # - name: MESSAGE - # value: "e2e testsuite succesfully executed" - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer - # - name: OPENSHIFT_NAMESPACE - # value: manuela-tst-all - # - name: OPENSHIFT_IMAGESTREAM - # value: messaging ---- -# Source: pipelines/templates/pipelines/build-base-images.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-base-images -spec: - workspaces: - - name: gitrepos - - name: config - params: - - name: PATH_CONTEXT - type: string - default: tekton/images/httpd-ionic - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - type: string - default: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - type: string - default: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - type: string - default: httpd-ionic - - name: DEV_REVISION - type: string - default: main - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: buildah-build - taskRef: - name: buildah - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: $(params.PATH_CONTEXT) - - name: TAG - value: latest - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: $(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY) - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: $(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY) - - name: OUTPUT_IMAGE_NAME - value: $(params.OUTPUT_IMAGE_NAME) ---- -# Source: pipelines/templates/pipelines/build-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-frontend.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-frontend -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-frontend - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-frontend - - name: version_file_path - value: components/iot-frontend/VERSION - - - name: s2i-build-iot-frontend - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-frontend - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: CHAINED_BUILD_DOCKERFILE - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - - name: copy-image-to-remote-registry-iot-frontend - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-frontend - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_FRONTEND_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-software-sensor.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-software-sensor -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-software-sensor - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-swsensor - - name: version_file_path - value: components/iot-software-sensor/VERSION - - - name: s2i-build-iot-software-sensor - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - - name: copy-image-to-remote-registry-iot-software-sensor - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-software-sensor - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_SWSENSOR_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/just-pr.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: just-pr -spec: - workspaces: - - name: gitrepos - - name: config - - name: argocd-env-secret - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-gitops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version - taskRef: - name: bumpversion - runAfter: - - git-clone-gitops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot_consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: build-messaging-image - taskRef: - name: s2i - runAfter: - - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: CHAINED_BUILD_DOCKERFILE - value: "" - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - build-messaging-image -# - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops-test - taskRef: - name: git-commit - runAfter: - - modify-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-test - taskRef: - name: github-push - runAfter: - - commit-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops-test - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - # datacenter-gitops-server.industrial-edge-datacenter.svc - value: "datacenter-gitops-server.mypattern-datacenter.svc" - # - name: sensor-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully sent messages to broker..." - # - name: consumer-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully processed messages from broker..." - # - name: consumer-frontend-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully executed Websocket APIs..." - # - name: e2e-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - sensor-broker-test - # - consumer-broker-test - # - consumer-frontend-test - # params: - # - name: MESSAGE - # value: "e2e testsuite succesfully executed" - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer - # - name: OPENSHIFT_NAMESPACE - # value: manuela-tst-all - # - name: OPENSHIFT_IMAGESTREAM - # value: messaging ---- -# Source: pipelines/templates/pipelines/seed-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-frontend.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-frontend -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-frontend - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-frontend - - name: version_file_path - value: components/iot-frontend/VERSION - - - name: s2i-build-iot-frontend - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-frontend - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: CHAINED_BUILD_DOCKERFILE - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - - name: copy-image-to-remote-registry-iot-frontend - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-frontend - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_FRONTEND_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-software-sensor.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-software-sensor -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-software-sensor - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-swsensor - - name: version_file_path - value: components/iot-software-sensor/VERSION - - - name: s2i-build-iot-software-sensor - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - - name: copy-image-to-remote-registry-iot-software-sensor - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-software-sensor - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_SWSENSOR_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: build-base-images - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - build-base-images - - --param - - PATH_CONTEXT=tekton/images/httpd-ionic - - --param - - OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY=IMAGE_PROVIDER - - --param - - OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY=IMAGE_ACCOUNT - - --param - - OUTPUT_IMAGE_NAME=http-ionic - - --param - - DEV_REVISION=$(params.DEV_REVISION) - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-anomaly-detection - runAfter: - - build-base-images - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-anomaly-detection - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-consumer - runAfter: - - seed-iot-anomaly-detection - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-consumer - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-frontend - runAfter: - - seed-iot-consumer - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-frontend - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-software-sensor - runAfter: - - seed-iot-frontend - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-software-sensor - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour ---- -# Source: pipelines/templates/pipelines/stage-production.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: stage-production -spec: - workspaces: - - name: gitrepos - - name: config - - name: github-secret - params: - - name: TAG - type: string - - name: SOURCE_IMAGE - type: string - - name: CONFIGMAP_PREFIX - type: string - - tasks: - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_PROD_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: copy-image-to-remote-registry - taskRef: - name: skopeo-copy - runAfter: - - git-clone-ops - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(params.TAG) - - name: SOURCE_IMAGE - value: $(params.SOURCE_IMAGE) - - name: TARGET_IMAGE_CONFIGMAPKEY - value: $(params.CONFIGMAP_PREFIX)_IMAGE - - - name: checkout-staging-branch - taskRef: - name: git-checkout - runAfter: - - copy-image-to-remote-registry - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - name: BRANCH - value: staging-approval - - - name: modify-ops-prod - taskRef: - name: gitops-imagetag - runAfter: - - checkout-staging-branch - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: $(params.CONFIGMAP_PREFIX) - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(params.TAG) - - name: subdirectory - value: ops - - - name: commit-ops-prod - taskRef: - name: git-commit - runAfter: - - modify-ops-prod - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-prod - taskRef: - name: github-push - runAfter: - - commit-ops-prod - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - name: PUSH_FLAGS - value: --set-upstream origin staging-approval - - - name: github-pull-request - taskRef: - name: github-add-pull-request - runAfter: - - push-ops-prod - workspaces: - - name: config - workspace: config - - name: github-secret - workspace: github-secret - params: - - name: GITHUB_REPO_CONFIGMAPKEY - value: GIT_OPS_REPO_PROD_URL - - name: GIT_BRANCH_HEAD - value: staging-approval - - name: GIT_BRANCH_BASE - value: main ---- -# Source: pipelines/templates/pipelines/test-all.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: test-all -spec: - tasks: - - name: sensor-broker-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully sent messages to broker..." - - name: consumer-broker-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully processed messages from broker..." - - name: consumer-frontend-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully executed Websocket APIs..." - - name: e2e-test - taskRef: - name: mock - kind: Task - runAfter: - - sensor-broker-test - - consumer-broker-test - - consumer-frontend-test - params: - - name: MESSAGE - value: "e2e testsuite succesfully executed" - # - name: fail - # taskRef: - # name: fail - # kind: Task - # runAfter: - # - e2e-test ---- -# Source: pipelines/templates/tasks/argocd-sync-and-wait.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: argocd-sync-and-wait -spec: - workspaces: - - name: argocd-env-secret - params: - - name: application-name - type: string - description: name of the application to sync - - name: revision - type: string - description: the revision to sync to - default: main - - name: flags - type: string - default: -- - - name: argocd-version - type: string - default: v1.5.2 - - name: argocd-server - type: string - default: openshift-gitops-server.openshift-gitops.svc - steps: - - name: login-sync-wait - image: argoproj/argocd:$(params.argocd-version) - command: ["/bin/bash", "-c"] - args: - - if [ -z $ARGOCD_AUTH_TOKEN ]; then - yes | argocd login $(params.argocd-server) --grpc-web $(params.flags) --username=$(cat $(workspaces.argocd-env-secret.path)/ARGOCD_USERNAME) --password=$(cat $(workspaces.argocd-env-secret.path)/ARGOCD_PASSWORD); - fi; - - argocd app sync $(params.application-name) --revision $(params.revision) $(params.flags); - - argocd app wait $(params.application-name) --health $(params.flags); ---- -# Source: pipelines/templates/tasks/buildah.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: buildah -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - results: - - name: image - description: The image+tag that was created - params: - - name: PATH_CONTEXT - default: . - description: The location of the path to run s2i from. - type: string - - name: TLSVERIFY - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - type: string - - name: subdirectory - default: "dev" - description: subdirectory in the gitrepos workspace where the dev repo has been cloned to - type: string - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - type: string - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - type: string - - name: OUTPUT_IMAGE_NAME - type: string - - name: TAG - default: latest - type: string - - name: DOCKERFILE - default: Dockerfile - type: string - steps: - - name: build - image: quay.io/buildah/stable:v1.11.0 - script: | - PROVIDER=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY)) - ACCOUNT=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY)) - OUTPUT_IMAGE="$PROVIDER/$ACCOUNT/$(params.OUTPUT_IMAGE_NAME)" - buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f $(params.DOCKERFILE) -t $OUTPUT_IMAGE - resources: {} - securityContext: - privileged: false - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory)/$(params.PATH_CONTEXT) - - name: push - image: quay.io/buildah/stable:v1.11.0 - script: | - PROVIDER=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY)) - ACCOUNT=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY)) - OUTPUT_IMAGE="$PROVIDER/$ACCOUNT/$(params.OUTPUT_IMAGE_NAME)" - buildah push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) $OUTPUT_IMAGE docker://$OUTPUT_IMAGE:$(params.TAG) - echo -n "$OUTPUT_IMAGE:$(params.TAG)" >$(results.image.path) - resources: {} - securityContext: - privileged: false - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - volumes: - - emptyDir: {} - name: varlibcontainers ---- -# Source: pipelines/templates/tasks/bumpversion.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: bumpversion -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "dev" - - name: component_name - description: component name - type: string - - name: version_file_path - description: path within subdirectory where the base VERSION of the component resides - type: string - results: - - name: image-tag - description: the new build version based on the last tags and VERSION file - - name: git-tag - description: the new build version based on the last tags and VERSION file - steps: - - name: current-tag - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - VERSION_GLOB="build-$(params.component_name)-$(cat $(params.version_file_path))-*" - - # existing tag based on glob - LAST_TAG=$(git tag --sort "version:refname" -l $VERSION_GLOB | tail -n 1) - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] ; then - exit $EXIT_CODE - fi - - # if tag doesn't exist, create new one - if [ "$LAST_TAG" == "" ] ; then - LAST_TAG="build-$(params.component_name)-$(cat $(params.version_file_path))-0" - fi - - # Make sure we don't add a trailing newline to the result! - echo -n "$LAST_TAG" >/scratch/VERSION - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: bump-tag - image: quay.io/hybridcloudpatterns/bumpversiontask:latest - script: | - cd /scratch - echo -e "[bumpversion]\ncurrent_version = $(cat VERSION)" >.bumpversion.cfg - cat <>.bumpversion.cfg - commit = False - tag = False - parse = (?P.*)\-(?P\d+)\.(?P\d+)\.(?P\d+)\-(?P\d+) - serialize = {prefix}-{major}.{minor}.{patch}-{build:03d} - - [bumpversion:part:build] - - [bumpversion:file:VERSION] - EOF - - bump2version build /scratch/VERSION - - sed "s/build-$(params.component_name)-//" /scratch/VERSION >$(results.image-tag.path) - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: tag-repo - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - VERSION=$(cat /scratch/VERSION) - git tag $VERSION - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] ; then - exit $EXIT_CODE - fi - echo -n "$VERSION" > $(results.git-tag.path) - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - volumes: - - emptyDir: {} - name: scratch ---- -# Source: pipelines/templates/tasks/cleanup.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: cleanup -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: dev - - name: COMPONENT_NAME - description: component name - type: string - - name: NUMBER_OF_TAGS_TO_KEEP - type: string - default: "5" - - name: GITHUB_USERNAME_CONFIGMAPKEY - default: user - type: string - - name: GITHUB_TOKEN_CONFIGMAPKEY - default: token - type: string - # - name: OPENSHIFT_NAMESPACE - # default: manuela-tst-all - # type: string - # - name: OPENSHIFT_IMAGESTREAM - # default: messaging - # type: string - steps: - - name: cleanup-git-tags - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - #list build tags for component in repo - BUILD_TAG_GLOB="build-$(params.COMPONENT_NAME)-*" - git tag --sort "version:refname" -l $BUILD_TAG_GLOB >/scratch/tags - - #identify build tags to keep - tail -n $(params.NUMBER_OF_TAGS_TO_KEEP) /scratch/tags >/scratch/keep - - #identify build tags to be deleted - diff /scratch/tags /scratch/keep | grep \^-build | cut -c2- > /scratch/delete - - #delete build tags - for TAG in $(cat /scratch/delete); do - git push origin :$TAG - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - done - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - # - name: cleanup-test-images - # image: quay.io/openshift/origin-cli:latest - # script: | - # oc get is -n $(params.OPENSHIFT_NAMESPACE) $(params.OPENSHIFT_IMAGESTREAM) -o jsonpath='{.status.tags..tag}' | tr " " "\n" | grep build- | comm -23 - /scratch/keep >/scratch/delete_istags - # EXIT_CODE="$?" - # if [ "$EXIT_CODE" != 0 ] - # then - # exit $EXIT_CODE - # fi - # for TAG in $(cat /scratch/delete_istags); do - # oc tag -n $(params.OPENSHIFT_NAMESPACE) -d $(params.OPENSHIFT_IMAGESTREAM):$TAG - # EXIT_CODE="$?" - # if [ "$EXIT_CODE" != 0 ] - # then - # exit $EXIT_CODE - # fi - # done - # volumeMounts: - # - mountPath: /scratch - # name: scratch - # workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - volumes: - - emptyDir: {} - name: scratch ---- -# Source: pipelines/templates/tasks/fail.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: fail -spec: - steps: - - name: fail - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - exit 1 ---- -# Source: pipelines/templates/tasks/git-checkout.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-checkout -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: BRANCH - description: branch to check out or to create - type: string - default: main - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - results: - - name: commit - description: The precise commit SHA that is HEAD of the checked out branch - steps: - - name: checkout - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - BRANCH=$(params.BRANCH) - git checkout -q --track -b $BRANCH origin/$BRANCH 2>&1 || git checkout -q -b $BRANCH 2>&1 - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')" - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - # Make sure we don't add a trailing newline to the result! - echo -n "$RESULT_SHA" > $(results.commit.path) - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/git-clone-with-tags.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-clone-with-tags -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: url_configmapkey - description: git url to clone - type: string - - name: revision - description: git revision to checkout (branch, tag, sha, ref…) - type: string - default: main - - name: submodules - description: defines if the resource should initialize and fetch the submodules - type: string - default: "true" - - name: depth - description: performs a shallow clone where only the most recent commit(s) will be fetched - type: string - default: "1" - - name: sslVerify - description: defines if http.sslVerify should be set to true or false in the global git config - type: string - default: "true" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "" - - name: deleteExisting - description: clean out the contents of the repo's destination directory (if it already exists) before trying to clone the repo there - type: string - default: "false" - results: - - name: commit - description: The precise commit SHA that was fetched by this Task - steps: - - name: clone - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - CHECKOUT_DIR="$(workspaces.gitrepos.path)/$(params.subdirectory)" - - cleandir() { - # Delete any existing contents of the repo directory if it exists. - # - # We don't just "rm -rf $CHECKOUT_DIR" because $CHECKOUT_DIR might be "/" - # or the root of a mounted volume. - if [[ -d "$CHECKOUT_DIR" ]] ; then - # Delete non-hidden files and directories - rm -rf "$CHECKOUT_DIR"/* - # Delete files and directories starting with . but excluding .. - rm -rf "$CHECKOUT_DIR"/.[!.]* - # Delete files and directories starting with .. plus any other character - rm -rf "$CHECKOUT_DIR"/..?* - fi - } - - if [[ "$(params.deleteExisting)" == "true" ]] ; then - cleandir - fi - - /ko-app/git-init \ - -url "$(cat $(workspaces.config.path)/$(params.url_configmapkey))" \ - -revision "$(params.revision)" \ - -path "$CHECKOUT_DIR" \ - -sslVerify="$(params.sslVerify)" \ - -submodules="$(params.submodules)" \ - -depth="$(params.depth)" - cd "$CHECKOUT_DIR" - - git fetch --tags - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - # Seems the go git client checks out master regardless. This allows for 'main' or another branch to be used - git checkout $(params.revision) - git branch --set-upstream-to=origin/$(params.revision) - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')" - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - # Make sure we don't add a trailing newline to the result! - echo -n "$RESULT_SHA" > $(results.commit.path) ---- -# Source: pipelines/templates/tasks/git-commit.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-commit -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: GIT_EMAIL_CONFIGMAPKEY - default: GIT_EMAIL - type: string - - name: MESSAGE - description: commit message - type: string - default: "change made by Tekton task" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - steps: - - name: commit - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - git diff - git config --global user.email "$(cat $(workspaces.config.path)/$(params.GIT_EMAIL_CONFIGMAPKEY))" - git config --global user.name "Tekton Automation" - git add . - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - #only commit if there is something which has changed - git diff --staged --quiet || git commit -m "$(params.MESSAGE)" - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/github-add-pull-request.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: github-add-pull-request -spec: - workspaces: - - name: config - - name: github-secret - params: - - name: PULL_REQUEST_BODY - description: The body to be used for the pull request - type: string - default: "" - - name: PULL_REQUEST_TITLE - description: Title of the pull request - type: string - default: "Pull request created by Tekton task github-add-pull-request" - - name: GITHUB_REPO_CONFIGMAPKEY - description: The github owner/repo to use - type: string - - name: GIT_BRANCH_HEAD - description: The branch to pull from - type: string - default: approve - - name: GIT_BRANCH_BASE - description: The branch to pull into - type: string - default: main - steps: - - name: create-pull-request - image: curlimages/curl - script: | - GITREPO=$(cat $(workspaces.config.path)/$(params.GITHUB_REPO_CONFIGMAPKEY)) - PULLREQUEST_API_ENDPOINT=$(echo -n "$GITREPO" | sed "s|github.com|api.github.com/repos|" | sed "s/\.git$//g")/pulls - curl -v -u :$(cat $(workspaces.github-secret.path)/password) $PULLREQUEST_API_ENDPOINT -d '{"title":"$(params.PULL_REQUEST_TITLE)","body":"$(params.PULL_REQUEST_BODY)","head":"$(params.GIT_BRANCH_HEAD)","base":"$(params.GIT_BRANCH_BASE)"}' ---- -# Source: pipelines/templates/tasks/github-push.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: github-push -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "dev" - - name: PUSH_FLAGS - description: additional flags for git push - type: string - default: "" - steps: - - name: push - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - git remote -v - git branch - git branch -r | grep -q origin/$(git rev-parse --abbrev-ref HEAD) && git pull --ff-only --no-edit - git log -n 2 - git push -v $(params.PUSH_FLAGS) - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/gitops-imagetag.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: gitops-imagetag -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - params: - - name: CONFIGMAP_PREFIX - type: string - - name: ENVIRONMENT - type: string - default: TEST - description: TEST or PROD - - name: TAG - description: the VERSION tag - type: string - - name: TRUNCATE_IMAGESTREAM_TAGS_AFTER - type: string - description: Number of image stream tags to keep - default: "4" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "ops" - steps: - - name: update-tag - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - TAG_VALUE=$(params.TAG) - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - YAML_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_YAML_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_YAML_PATH) : $YAML_PATH" - yq "$YAML_PATH = \"$TAG_VALUE\"" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: update-built-tags - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - TAG_VALUE=$(params.TAG) - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - BUILT_TAGS_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH) : $BUILT_TAGS_PATH" - yq "$BUILT_TAGS_PATH += [ \"$TAG_VALUE\" ]" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: prune-built-tags - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - BUILT_TAGS_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH) : $BUILT_TAGS_PATH" - ARRAY_COUNT=$(yq "$BUILT_TAGS_PATH | length" $VALUES_PATH) - echo $ARRAY_COUNT - if [ "$ARRAY_COUNT" -gt "$(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)" ]; then - MIN_KEY=$(echo | yq "$ARRAY_COUNT - $(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)") - yq "del(${BUILT_TAGS_PATH}[] | select(key < $MIN_KEY))" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - else - echo "$BUILT_TAGS_PATH currently has $ARRAY_COUNT tags, will prune at $(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)" - fi - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/mock.yaml -kind: Task -apiVersion: tekton.dev/v1beta1 -metadata: - name: mock -spec: - params: - - name: MESSAGE - type: string - description: | - The message to echo. - default: "Hello from mock-task" - steps: - - image: node # contains node - script: | - #!/usr/bin/env node - console.log("$(params.MESSAGE)") ---- -# Source: pipelines/templates/tasks/openshift-instantiate-template.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: openshift-instantiate-template -spec: - params: - - name: TEMPLATE - type: string - - name: PARAMS - type: string - steps: - - name: instantiate-template - image: quay.io/openshift/origin-cli:latest - script: | - oc process $(params.TEMPLATE) $(params.PARAMS) | oc create -f - ---- -# Source: pipelines/templates/tasks/s2i.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: s2i -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: build-artifacts - description: The maven repo for java builds - results: - - name: image - description: The image+tag that was created - params: - - name: BUILDER_IMAGE - description: The location of the s2i builder image. - type: string - - name: PATH_CONTEXT - default: . - description: The location of the path to run s2i from. - type: string - - name: TLSVERIFY - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - type: string - - name: LOGLEVEL - default: "0" - description: Log level when running the S2I binary - type: string - - name: subdirectory - default: "dev" - description: subdirectory in the gitrepos workspace where the dev repo has been cloned to - type: string - - name: OUTPUT_IMAGE - type: string - - name: TAG - default: latest - type: string -# only for java builds - - name: MAVEN_ARGS_APPEND - default: "" - description: Additional Maven arguments - type: string - - name: MAVEN_CLEAR_REPO - default: "false" - description: Remove the Maven repository after the artifact is built - type: string - - name: MAVEN_MIRROR_URL - default: "" - description: The base URL of a mirror used for retrieving artifacts - type: string - - name: CHAINED_BUILD_DOCKERFILE - default: "" - description: If a chained build is to be executed, the second part of the DOCKERFILE - type: string - steps: - - name: prepare-env - image: quay.io/openshift-pipeline/s2i - script: | - if [[ "$(params.BUILDER_IMAGE)" == *"jdk"* ]] || [[ "$(params.BUILDER_IMAGE)" == *"java"* ]]; then - echo "MAVEN_CLEAR_REPO=$(params.MAVEN_CLEAR_REPO)" > env-file - - [[ '$(params.MAVEN_ARGS_APPEND)' != "" ]] && - echo "MAVEN_ARGS_APPEND=$(params.MAVEN_ARGS_APPEND)" >> env-file - - [[ '$(params.MAVEN_MIRROR_URL)' != "" ]] && - echo "MAVEN_MIRROR_URL=$(params.MAVEN_MIRROR_URL)" >> env-file - - #create build artifacts cache directory - if [[ ! -d $(workspaces.build-artifacts.path)/m2 ]]; then - mkdir $(workspaces.build-artifacts.path)/m2 - chmod a+rwx $(workspaces.build-artifacts.path)/m2 - fi - echo "MAVEN_LOCAL_REPO=/ba/m2" >> env-file - - echo "Generated Env file" - echo "------------------------------" - cat env-file - echo "------------------------------" - - echo "s2i build --loglevel=$(params.LOGLEVEL) $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) --image-scripts-url image:///usr/local/s2i --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-params/env-file" >s2icommand - echo "buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f /gen-source/Dockerfile.gen -t `basename $(params.OUTPUT_IMAGE)` -v $(workspaces.build-artifacts.path)/m2:/ba/m2 ." >buildahcommand - fi - volumeMounts: - - mountPath: /env-params - name: envparams - workingDir: /env-params - - name: generate - image: quay.io/openshift-pipeline/s2i - # command: - # - s2i - # - build - # - --loglevel=$(params.LOGLEVEL) - # - $(params.PATH_CONTEXT) - # - $(params.BUILDER_IMAGE) - # - --as-dockerfile - # - /gen-source/Dockerfile.gen - script: | - if [ -f /env-params/s2icommand ]; then - source /env-params/s2icommand - else - s2i build --loglevel=$(params.LOGLEVEL) $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) --as-dockerfile /gen-source/Dockerfile.gen - fi - if [[ -n "$(params.CHAINED_BUILD_DOCKERFILE)" ]]; then - echo "$(params.CHAINED_BUILD_DOCKERFILE)" >>/gen-source/Dockerfile.gen - fi - resources: {} - volumeMounts: - - mountPath: /gen-source - name: gen-source - - mountPath: /env-params - name: envparams - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: build - image: quay.io/buildah/stable:v1.11.0 - script: | - if [ -f /env-params/buildahcommand ]; then - source /env-params/buildahcommand - else - buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f /gen-source/Dockerfile.gen -t `basename $(params.OUTPUT_IMAGE)` . - fi - resources: {} - securityContext: - privileged: false # LRC Changed from true - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /gen-source - name: gen-source - - mountPath: /env-params - name: envparams - workingDir: /gen-source - - name: push - image: quay.io/buildah/stable:v1.11.0 - script: | - buildah push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) `basename $(params.OUTPUT_IMAGE)` docker://$(params.OUTPUT_IMAGE):$(params.TAG) - echo -n "$(params.OUTPUT_IMAGE):$(params.TAG)" >$(results.image.path) - resources: {} - securityContext: - privileged: false # LRC Changed from true - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - volumes: - - emptyDir: {} - name: varlibcontainers - - emptyDir: {} - name: gen-source - - emptyDir: {} - name: envparams ---- -# Source: pipelines/templates/tasks/skopeo-copy.yaml -kind: Task -apiVersion: tekton.dev/v1beta1 -metadata: - name: skopeo-copy -spec: - workspaces: - - name: config - description: configmap contents - params: - - name: TAG - type: string - - name: SOURCE_IMAGE - type: string - - name: TARGET_IMAGE_CONFIGMAPKEY - type: string - steps: - - name: skopeo-copy - image: quay.io/redhat-emea-ssa-team/skopeo-ubi:latest - script: | - skopeo copy --src-tls-verify=false --dest-tls-verify=false docker://$(params.SOURCE_IMAGE):$(params.TAG) docker://$(cat $(workspaces.config.path)/IMAGE_PROVIDER)/$(cat $(workspaces.config.path)/IMAGE_ACCOUNT)/$(cat $(workspaces.config.path)/$(params.TARGET_IMAGE_CONFIGMAPKEY)):$(params.TAG) ---- -# Source: pipelines/templates/tasks/tkn.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: tkn -spec: - params: - - name: tkn-image - description: tkn CLI container image to run this task - default: gcr.io/tekton-releases/dogfooding/tkn - - name: ARGS - type: array - description: tkn CLI arguments to run - steps: - - name: tkn - image: "$(params.tkn-image)" - command: ["/usr/local/bin/tkn"] - args: ["$(params.ARGS)"] ---- -# Source: pipelines/templates/templates/build-image-bumpversion.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-bumpversion -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-bumpversion- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Mi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/bumpversiontask - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: bumpversion ---- -# Source: pipelines/templates/templates/build-image-httpd-ionic.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-httpd-ionic -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-httpd-ionic- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Gi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/httpd-ionic - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: httpd-ionic ---- -# Source: pipelines/templates/templates/build-image-pushprox.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-pushprox -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-pushprox- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Mi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/pushprox - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: pushprox - - name: DEV_REVISION - value: pushprox ---- -# Source: pipelines/templates/templates/build-iot-anomaly-detection.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-anomaly-detection -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-anomaly-detection- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-anomaly-detection - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: COMPONENT_NAME - value: iot-anomaly - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY ---- -# Source: pipelines/templates/templates/build-iot-consumer.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-consumer -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-consumer- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-consumer - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: PATH_CONTEXT - value: components/iot-consumer - - name: COMPONENT_NAME - value: iot-consumer - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER ---- -# Source: pipelines/templates/templates/build-iot-frontend.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-frontend -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-frontend- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-frontend - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: PATH_CONTEXT - value: components/iot-frontend - - name: COMPONENT_NAME - value: iot-frontend - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: CHAINED_BUILD_DOCKERFILE - #value: "FROM centos/httpd-24-centos7\nCOPY --from=0 /opt/app-root/output /var/www/html/" - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" ---- -# Source: pipelines/templates/templates/build-iot-software-sensor-quarkus.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-software-sensor-quarkus -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-software-sensor-quarkus- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-software-sensor - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/quarkus/ubi-quarkus-native-s2i:19.3.1-java11 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: PATH_CONTEXT - value: components/iot-software-sensor-quarkus - - name: COMPONENT_NAME - value: iot-swsensor - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR ---- -# Source: pipelines/templates/templates/build-iot-software-sensor.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-software-sensor -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-software-sensor- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-software-sensor - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: COMPONENT_NAME - value: iot-swsensor - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR ---- -# Source: pipelines/templates/templates/seed.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: seed -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: seed- - spec: - pipelineRef: - name: seed - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-consumer - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: pipelines/templates/templates/stage-production-pipelinerun.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: stage-production-pipelinerun -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: stage-production-${COMPONENT_NAME}- - spec: - pipelineRef: - name: stage-production - params: - - name: TAG - value: ${TAG} - - name: SOURCE_IMAGE - value: ${SOURCE_IMAGE} - - name: CONFIGMAP_PREFIX - value: ${CONFIGMAP_PREFIX} - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: github-secret - secret: - secretName: git-repo-credentials - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - # persistentVolumeClaim: - # claimName: stage-production -parameters: -- name: TAG -- name: SOURCE_IMAGE -- name: CONFIGMAP_PREFIX -- name: COMPONENT_NAME diff --git a/tests/datacenter-pipelines-medical-diagnosis-hub.expected.yaml b/tests/datacenter-pipelines-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index ba8eea927..000000000 --- a/tests/datacenter-pipelines-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,4257 +0,0 @@ ---- -# Source: pipelines/templates/configmaps/environment.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: environment -data: - DESCRIPTION: "Config keys for openshift-pipelines" - IMAGE_PROVIDER: quay.io - IMAGE_ACCOUNT: PLAINTEXT - GIT_EMAIL: SOMEWHERE@EXAMPLE.COM - GIT_DEV_REPO_URL: https://github.com/PLAINTEXT/manuela-dev.git - GIT_DEV_REPO_REVISION: main - GIT_OPS_REPO_TEST_URL: https://github.com/pattern-clone/mypattern - GIT_OPS_REPO_TEST_REVISION: main - GIT_OPS_REPO_PROD_URL: https://github.com/pattern-clone/mypattern - GIT_OPS_REPO_PROD_REVISION: main - IOT_CONSUMER_IMAGE: iot-consumer - IOT_CONSUMER_YAML_PATH: ".iot_consumer.tag" - IOT_CONSUMER_BUILT_TAGS_PATH: .iot_consumer.built_tags - IOT_CONSUMER_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_CONSUMER_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_FRONTEND_IMAGE: iot-frontend - IOT_FRONTEND_YAML_PATH: ".iot_frontend.tag" - IOT_FRONTEND_BUILT_TAGS_PATH: ".iot_frontend.built_tags" - IOT_FRONTEND_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_FRONTEND_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_SWSENSOR_IMAGE: iot-software-sensor - IOT_SWSENSOR_YAML_PATH: ".machine_sensor.tag" - IOT_SWSENSOR_BUILT_TAGS_PATH: .machine_sensor.built_tags - IOT_SWSENSOR_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_SWSENSOR_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_ANOMALY_IMAGE: iot-anomaly-detection - IOT_ANOMALY_YAML_PATH: ".iot_anomaly_detection.tag" - IOT_ANOMALY_BUILT_TAGS_PATH: .iot_anomaly_detection.built_tags - IOT_ANOMALY_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_ANOMALY_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - -# IOT_CONSUMER_IMAGE: iot-consumer -# IOT_CONSUMER_YAML_PATH: 'images(name==messaging).newTag' -# IOT_CONSUMER_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_CONSUMER_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_CONSUMER_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/messaging/messaging-is.yaml -# IOT_FRONTEND_IMAGE: iot-frontend -# IOT_FRONTEND_YAML_PATH: 'images(name==line-dashboard).newTag' -# IOT_FRONTEND_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_FRONTEND_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_FRONTEND_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/line-dashboard/line-dashboard-is.yaml -# IOT_SWSENSOR_IMAGE: iot-software-sensor -# IOT_SWSENSOR_YAML_PATH: 'images(name==machine-sensor).newTag' -# IOT_SWSENSOR_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_SWSENSOR_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_SWSENSOR_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/machine-sensor/machine-sensor-is.yaml -# IOT_ANOMALY_IMAGE: iot-anomaly-detection -# IOT_ANOMALY_YAML_PATH: 'images(name==anomaly-detection).newTag' -# IOT_ANOMALY_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_ANOMALY_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_ANOMALY_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/anomaly-detection/anomaly-detection-is.yaml ---- -# Source: pipelines/templates/persistent-volume-claims/build-artifacts.rwo.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: build-artifacts-rwo -spec: - resources: - requests: - storage: 1Gi - volumeMode: Filesystem - accessModes: - - ReadWriteOnce ---- -# Source: pipelines/templates/persistent-volume-claims/gitrepos.rwo.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: gitrepos-rwo -spec: - resources: - requests: - storage: 1Gi - volumeMode: Filesystem - accessModes: - - ReadWriteOnce ---- -# Source: pipelines/templates/pipeline-from-manuela-ci-to-manuela-tst-all.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: admin - namespace: manuela-tst-all -subjects: - - kind: ServiceAccount - name: pipeline - namespace: manuela-ci -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin ---- -# Source: pipelines/templates/pipelines/build-and-test-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - name: argocd-env-secret - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - #value: datacenter-gitops-server.industrial-edge-datacenter.svc - value: "hub-gitops-server.mypattern-hub.svc" - - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version-iot-anomaly.results.image-tag) -p CONFIGMAP_PREFIX=IOT_ANOMALY -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection -p COMPONENT_NAME=iot-anomaly-detection - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-anomaly-detection ---- -# Source: pipelines/templates/pipelines/build-and-test-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - name: argocd-env-secret - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - #value: datacenter-gitops-server.industrial-edge-datacenter.svc - value: "hub-gitops-server.mypattern-hub.svc" - - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version-iot-consumer.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer ---- -# Source: pipelines/templates/pipelines/build-and-test.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test -spec: - workspaces: - - name: gitrepos - - name: config - - name: argocd-env-secret - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: build-base-images - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-base-images - - --param - - PATH_CONTEXT=tekton/images/httpd-ionic - - --param - - DEV_REVISION=$(params.DEV_REVISION) - - --param - - OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY=IMAGE_PROVIDER - - --param - - OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY=IMAGE_ACCOUNT - - --param - - OUTPUT_IMAGE_NAME=httpd-ionic - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --showlog - - --nocolour - - - name: build-iot-anomaly-detection - runAfter: - - build-base-images - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-anomaly-detection - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-consumer - runAfter: - - build-iot-anomaly-detection - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-consumer - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-frontend - runAfter: - - build-iot-consumer - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-frontend - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-software-sensor - runAfter: - - build-iot-frontend - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-software-sensor - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: git-clone-dev - runAfter: - - build-iot-software-sensor - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-gitops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version - taskRef: - name: bumpversion - runAfter: - - git-clone-gitops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot_consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: build-messaging-image - taskRef: - name: s2i - runAfter: - - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: CHAINED_BUILD_DOCKERFILE - value: "" - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - build-messaging-image -# - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops-test - taskRef: - name: git-commit - runAfter: - - modify-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-test - taskRef: - name: github-push - runAfter: - - commit-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops-test - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - # datacenter-gitops-server.industrial-edge-datacenter.svc - value: "hub-gitops-server.mypattern-hub.svc" - - # - name: sensor-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully sent messages to broker..." - # - name: consumer-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully processed messages from broker..." - # - name: consumer-frontend-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully executed Websocket APIs..." - # - name: e2e-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - sensor-broker-test - # - consumer-broker-test - # - consumer-frontend-test - # params: - # - name: MESSAGE - # value: "e2e testsuite succesfully executed" - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer - # - name: OPENSHIFT_NAMESPACE - # value: manuela-tst-all - # - name: OPENSHIFT_IMAGESTREAM - # value: messaging ---- -# Source: pipelines/templates/pipelines/build-base-images.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-base-images -spec: - workspaces: - - name: gitrepos - - name: config - params: - - name: PATH_CONTEXT - type: string - default: tekton/images/httpd-ionic - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - type: string - default: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - type: string - default: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - type: string - default: httpd-ionic - - name: DEV_REVISION - type: string - default: main - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: buildah-build - taskRef: - name: buildah - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: $(params.PATH_CONTEXT) - - name: TAG - value: latest - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: $(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY) - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: $(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY) - - name: OUTPUT_IMAGE_NAME - value: $(params.OUTPUT_IMAGE_NAME) ---- -# Source: pipelines/templates/pipelines/build-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-frontend.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-frontend -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-frontend - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-frontend - - name: version_file_path - value: components/iot-frontend/VERSION - - - name: s2i-build-iot-frontend - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-frontend - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: CHAINED_BUILD_DOCKERFILE - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - - name: copy-image-to-remote-registry-iot-frontend - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-frontend - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_FRONTEND_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-software-sensor.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-software-sensor -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-software-sensor - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-swsensor - - name: version_file_path - value: components/iot-software-sensor/VERSION - - - name: s2i-build-iot-software-sensor - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - - name: copy-image-to-remote-registry-iot-software-sensor - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-software-sensor - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_SWSENSOR_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/just-pr.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: just-pr -spec: - workspaces: - - name: gitrepos - - name: config - - name: argocd-env-secret - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-gitops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version - taskRef: - name: bumpversion - runAfter: - - git-clone-gitops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot_consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: build-messaging-image - taskRef: - name: s2i - runAfter: - - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: CHAINED_BUILD_DOCKERFILE - value: "" - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - build-messaging-image -# - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops-test - taskRef: - name: git-commit - runAfter: - - modify-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-test - taskRef: - name: github-push - runAfter: - - commit-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops-test - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - # datacenter-gitops-server.industrial-edge-datacenter.svc - value: "hub-gitops-server.mypattern-hub.svc" - # - name: sensor-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully sent messages to broker..." - # - name: consumer-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully processed messages from broker..." - # - name: consumer-frontend-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully executed Websocket APIs..." - # - name: e2e-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - sensor-broker-test - # - consumer-broker-test - # - consumer-frontend-test - # params: - # - name: MESSAGE - # value: "e2e testsuite succesfully executed" - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer - # - name: OPENSHIFT_NAMESPACE - # value: manuela-tst-all - # - name: OPENSHIFT_IMAGESTREAM - # value: messaging ---- -# Source: pipelines/templates/pipelines/seed-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-frontend.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-frontend -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-frontend - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-frontend - - name: version_file_path - value: components/iot-frontend/VERSION - - - name: s2i-build-iot-frontend - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-frontend - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: CHAINED_BUILD_DOCKERFILE - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - - name: copy-image-to-remote-registry-iot-frontend - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-frontend - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_FRONTEND_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-software-sensor.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-software-sensor -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-software-sensor - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-swsensor - - name: version_file_path - value: components/iot-software-sensor/VERSION - - - name: s2i-build-iot-software-sensor - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - - name: copy-image-to-remote-registry-iot-software-sensor - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-software-sensor - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_SWSENSOR_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: build-base-images - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - build-base-images - - --param - - PATH_CONTEXT=tekton/images/httpd-ionic - - --param - - OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY=IMAGE_PROVIDER - - --param - - OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY=IMAGE_ACCOUNT - - --param - - OUTPUT_IMAGE_NAME=http-ionic - - --param - - DEV_REVISION=$(params.DEV_REVISION) - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-anomaly-detection - runAfter: - - build-base-images - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-anomaly-detection - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-consumer - runAfter: - - seed-iot-anomaly-detection - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-consumer - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-frontend - runAfter: - - seed-iot-consumer - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-frontend - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-software-sensor - runAfter: - - seed-iot-frontend - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-software-sensor - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour ---- -# Source: pipelines/templates/pipelines/stage-production.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: stage-production -spec: - workspaces: - - name: gitrepos - - name: config - - name: github-secret - params: - - name: TAG - type: string - - name: SOURCE_IMAGE - type: string - - name: CONFIGMAP_PREFIX - type: string - - tasks: - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_PROD_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: copy-image-to-remote-registry - taskRef: - name: skopeo-copy - runAfter: - - git-clone-ops - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(params.TAG) - - name: SOURCE_IMAGE - value: $(params.SOURCE_IMAGE) - - name: TARGET_IMAGE_CONFIGMAPKEY - value: $(params.CONFIGMAP_PREFIX)_IMAGE - - - name: checkout-staging-branch - taskRef: - name: git-checkout - runAfter: - - copy-image-to-remote-registry - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - name: BRANCH - value: staging-approval - - - name: modify-ops-prod - taskRef: - name: gitops-imagetag - runAfter: - - checkout-staging-branch - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: $(params.CONFIGMAP_PREFIX) - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(params.TAG) - - name: subdirectory - value: ops - - - name: commit-ops-prod - taskRef: - name: git-commit - runAfter: - - modify-ops-prod - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-prod - taskRef: - name: github-push - runAfter: - - commit-ops-prod - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - name: PUSH_FLAGS - value: --set-upstream origin staging-approval - - - name: github-pull-request - taskRef: - name: github-add-pull-request - runAfter: - - push-ops-prod - workspaces: - - name: config - workspace: config - - name: github-secret - workspace: github-secret - params: - - name: GITHUB_REPO_CONFIGMAPKEY - value: GIT_OPS_REPO_PROD_URL - - name: GIT_BRANCH_HEAD - value: staging-approval - - name: GIT_BRANCH_BASE - value: main ---- -# Source: pipelines/templates/pipelines/test-all.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: test-all -spec: - tasks: - - name: sensor-broker-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully sent messages to broker..." - - name: consumer-broker-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully processed messages from broker..." - - name: consumer-frontend-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully executed Websocket APIs..." - - name: e2e-test - taskRef: - name: mock - kind: Task - runAfter: - - sensor-broker-test - - consumer-broker-test - - consumer-frontend-test - params: - - name: MESSAGE - value: "e2e testsuite succesfully executed" - # - name: fail - # taskRef: - # name: fail - # kind: Task - # runAfter: - # - e2e-test ---- -# Source: pipelines/templates/tasks/argocd-sync-and-wait.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: argocd-sync-and-wait -spec: - workspaces: - - name: argocd-env-secret - params: - - name: application-name - type: string - description: name of the application to sync - - name: revision - type: string - description: the revision to sync to - default: main - - name: flags - type: string - default: -- - - name: argocd-version - type: string - default: v1.5.2 - - name: argocd-server - type: string - default: openshift-gitops-server.openshift-gitops.svc - steps: - - name: login-sync-wait - image: argoproj/argocd:$(params.argocd-version) - command: ["/bin/bash", "-c"] - args: - - if [ -z $ARGOCD_AUTH_TOKEN ]; then - yes | argocd login $(params.argocd-server) --grpc-web $(params.flags) --username=$(cat $(workspaces.argocd-env-secret.path)/ARGOCD_USERNAME) --password=$(cat $(workspaces.argocd-env-secret.path)/ARGOCD_PASSWORD); - fi; - - argocd app sync $(params.application-name) --revision $(params.revision) $(params.flags); - - argocd app wait $(params.application-name) --health $(params.flags); ---- -# Source: pipelines/templates/tasks/buildah.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: buildah -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - results: - - name: image - description: The image+tag that was created - params: - - name: PATH_CONTEXT - default: . - description: The location of the path to run s2i from. - type: string - - name: TLSVERIFY - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - type: string - - name: subdirectory - default: "dev" - description: subdirectory in the gitrepos workspace where the dev repo has been cloned to - type: string - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - type: string - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - type: string - - name: OUTPUT_IMAGE_NAME - type: string - - name: TAG - default: latest - type: string - - name: DOCKERFILE - default: Dockerfile - type: string - steps: - - name: build - image: quay.io/buildah/stable:v1.11.0 - script: | - PROVIDER=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY)) - ACCOUNT=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY)) - OUTPUT_IMAGE="$PROVIDER/$ACCOUNT/$(params.OUTPUT_IMAGE_NAME)" - buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f $(params.DOCKERFILE) -t $OUTPUT_IMAGE - resources: {} - securityContext: - privileged: false - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory)/$(params.PATH_CONTEXT) - - name: push - image: quay.io/buildah/stable:v1.11.0 - script: | - PROVIDER=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY)) - ACCOUNT=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY)) - OUTPUT_IMAGE="$PROVIDER/$ACCOUNT/$(params.OUTPUT_IMAGE_NAME)" - buildah push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) $OUTPUT_IMAGE docker://$OUTPUT_IMAGE:$(params.TAG) - echo -n "$OUTPUT_IMAGE:$(params.TAG)" >$(results.image.path) - resources: {} - securityContext: - privileged: false - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - volumes: - - emptyDir: {} - name: varlibcontainers ---- -# Source: pipelines/templates/tasks/bumpversion.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: bumpversion -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "dev" - - name: component_name - description: component name - type: string - - name: version_file_path - description: path within subdirectory where the base VERSION of the component resides - type: string - results: - - name: image-tag - description: the new build version based on the last tags and VERSION file - - name: git-tag - description: the new build version based on the last tags and VERSION file - steps: - - name: current-tag - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - VERSION_GLOB="build-$(params.component_name)-$(cat $(params.version_file_path))-*" - - # existing tag based on glob - LAST_TAG=$(git tag --sort "version:refname" -l $VERSION_GLOB | tail -n 1) - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] ; then - exit $EXIT_CODE - fi - - # if tag doesn't exist, create new one - if [ "$LAST_TAG" == "" ] ; then - LAST_TAG="build-$(params.component_name)-$(cat $(params.version_file_path))-0" - fi - - # Make sure we don't add a trailing newline to the result! - echo -n "$LAST_TAG" >/scratch/VERSION - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: bump-tag - image: quay.io/hybridcloudpatterns/bumpversiontask:latest - script: | - cd /scratch - echo -e "[bumpversion]\ncurrent_version = $(cat VERSION)" >.bumpversion.cfg - cat <>.bumpversion.cfg - commit = False - tag = False - parse = (?P.*)\-(?P\d+)\.(?P\d+)\.(?P\d+)\-(?P\d+) - serialize = {prefix}-{major}.{minor}.{patch}-{build:03d} - - [bumpversion:part:build] - - [bumpversion:file:VERSION] - EOF - - bump2version build /scratch/VERSION - - sed "s/build-$(params.component_name)-//" /scratch/VERSION >$(results.image-tag.path) - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: tag-repo - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - VERSION=$(cat /scratch/VERSION) - git tag $VERSION - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] ; then - exit $EXIT_CODE - fi - echo -n "$VERSION" > $(results.git-tag.path) - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - volumes: - - emptyDir: {} - name: scratch ---- -# Source: pipelines/templates/tasks/cleanup.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: cleanup -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: dev - - name: COMPONENT_NAME - description: component name - type: string - - name: NUMBER_OF_TAGS_TO_KEEP - type: string - default: "5" - - name: GITHUB_USERNAME_CONFIGMAPKEY - default: user - type: string - - name: GITHUB_TOKEN_CONFIGMAPKEY - default: token - type: string - # - name: OPENSHIFT_NAMESPACE - # default: manuela-tst-all - # type: string - # - name: OPENSHIFT_IMAGESTREAM - # default: messaging - # type: string - steps: - - name: cleanup-git-tags - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - #list build tags for component in repo - BUILD_TAG_GLOB="build-$(params.COMPONENT_NAME)-*" - git tag --sort "version:refname" -l $BUILD_TAG_GLOB >/scratch/tags - - #identify build tags to keep - tail -n $(params.NUMBER_OF_TAGS_TO_KEEP) /scratch/tags >/scratch/keep - - #identify build tags to be deleted - diff /scratch/tags /scratch/keep | grep \^-build | cut -c2- > /scratch/delete - - #delete build tags - for TAG in $(cat /scratch/delete); do - git push origin :$TAG - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - done - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - # - name: cleanup-test-images - # image: quay.io/openshift/origin-cli:latest - # script: | - # oc get is -n $(params.OPENSHIFT_NAMESPACE) $(params.OPENSHIFT_IMAGESTREAM) -o jsonpath='{.status.tags..tag}' | tr " " "\n" | grep build- | comm -23 - /scratch/keep >/scratch/delete_istags - # EXIT_CODE="$?" - # if [ "$EXIT_CODE" != 0 ] - # then - # exit $EXIT_CODE - # fi - # for TAG in $(cat /scratch/delete_istags); do - # oc tag -n $(params.OPENSHIFT_NAMESPACE) -d $(params.OPENSHIFT_IMAGESTREAM):$TAG - # EXIT_CODE="$?" - # if [ "$EXIT_CODE" != 0 ] - # then - # exit $EXIT_CODE - # fi - # done - # volumeMounts: - # - mountPath: /scratch - # name: scratch - # workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - volumes: - - emptyDir: {} - name: scratch ---- -# Source: pipelines/templates/tasks/fail.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: fail -spec: - steps: - - name: fail - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - exit 1 ---- -# Source: pipelines/templates/tasks/git-checkout.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-checkout -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: BRANCH - description: branch to check out or to create - type: string - default: main - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - results: - - name: commit - description: The precise commit SHA that is HEAD of the checked out branch - steps: - - name: checkout - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - BRANCH=$(params.BRANCH) - git checkout -q --track -b $BRANCH origin/$BRANCH 2>&1 || git checkout -q -b $BRANCH 2>&1 - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')" - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - # Make sure we don't add a trailing newline to the result! - echo -n "$RESULT_SHA" > $(results.commit.path) - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/git-clone-with-tags.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-clone-with-tags -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: url_configmapkey - description: git url to clone - type: string - - name: revision - description: git revision to checkout (branch, tag, sha, ref…) - type: string - default: main - - name: submodules - description: defines if the resource should initialize and fetch the submodules - type: string - default: "true" - - name: depth - description: performs a shallow clone where only the most recent commit(s) will be fetched - type: string - default: "1" - - name: sslVerify - description: defines if http.sslVerify should be set to true or false in the global git config - type: string - default: "true" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "" - - name: deleteExisting - description: clean out the contents of the repo's destination directory (if it already exists) before trying to clone the repo there - type: string - default: "false" - results: - - name: commit - description: The precise commit SHA that was fetched by this Task - steps: - - name: clone - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - CHECKOUT_DIR="$(workspaces.gitrepos.path)/$(params.subdirectory)" - - cleandir() { - # Delete any existing contents of the repo directory if it exists. - # - # We don't just "rm -rf $CHECKOUT_DIR" because $CHECKOUT_DIR might be "/" - # or the root of a mounted volume. - if [[ -d "$CHECKOUT_DIR" ]] ; then - # Delete non-hidden files and directories - rm -rf "$CHECKOUT_DIR"/* - # Delete files and directories starting with . but excluding .. - rm -rf "$CHECKOUT_DIR"/.[!.]* - # Delete files and directories starting with .. plus any other character - rm -rf "$CHECKOUT_DIR"/..?* - fi - } - - if [[ "$(params.deleteExisting)" == "true" ]] ; then - cleandir - fi - - /ko-app/git-init \ - -url "$(cat $(workspaces.config.path)/$(params.url_configmapkey))" \ - -revision "$(params.revision)" \ - -path "$CHECKOUT_DIR" \ - -sslVerify="$(params.sslVerify)" \ - -submodules="$(params.submodules)" \ - -depth="$(params.depth)" - cd "$CHECKOUT_DIR" - - git fetch --tags - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - # Seems the go git client checks out master regardless. This allows for 'main' or another branch to be used - git checkout $(params.revision) - git branch --set-upstream-to=origin/$(params.revision) - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')" - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - # Make sure we don't add a trailing newline to the result! - echo -n "$RESULT_SHA" > $(results.commit.path) ---- -# Source: pipelines/templates/tasks/git-commit.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-commit -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: GIT_EMAIL_CONFIGMAPKEY - default: GIT_EMAIL - type: string - - name: MESSAGE - description: commit message - type: string - default: "change made by Tekton task" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - steps: - - name: commit - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - git diff - git config --global user.email "$(cat $(workspaces.config.path)/$(params.GIT_EMAIL_CONFIGMAPKEY))" - git config --global user.name "Tekton Automation" - git add . - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - #only commit if there is something which has changed - git diff --staged --quiet || git commit -m "$(params.MESSAGE)" - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/github-add-pull-request.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: github-add-pull-request -spec: - workspaces: - - name: config - - name: github-secret - params: - - name: PULL_REQUEST_BODY - description: The body to be used for the pull request - type: string - default: "" - - name: PULL_REQUEST_TITLE - description: Title of the pull request - type: string - default: "Pull request created by Tekton task github-add-pull-request" - - name: GITHUB_REPO_CONFIGMAPKEY - description: The github owner/repo to use - type: string - - name: GIT_BRANCH_HEAD - description: The branch to pull from - type: string - default: approve - - name: GIT_BRANCH_BASE - description: The branch to pull into - type: string - default: main - steps: - - name: create-pull-request - image: curlimages/curl - script: | - GITREPO=$(cat $(workspaces.config.path)/$(params.GITHUB_REPO_CONFIGMAPKEY)) - PULLREQUEST_API_ENDPOINT=$(echo -n "$GITREPO" | sed "s|github.com|api.github.com/repos|" | sed "s/\.git$//g")/pulls - curl -v -u :$(cat $(workspaces.github-secret.path)/password) $PULLREQUEST_API_ENDPOINT -d '{"title":"$(params.PULL_REQUEST_TITLE)","body":"$(params.PULL_REQUEST_BODY)","head":"$(params.GIT_BRANCH_HEAD)","base":"$(params.GIT_BRANCH_BASE)"}' ---- -# Source: pipelines/templates/tasks/github-push.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: github-push -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "dev" - - name: PUSH_FLAGS - description: additional flags for git push - type: string - default: "" - steps: - - name: push - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - git remote -v - git branch - git branch -r | grep -q origin/$(git rev-parse --abbrev-ref HEAD) && git pull --ff-only --no-edit - git log -n 2 - git push -v $(params.PUSH_FLAGS) - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/gitops-imagetag.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: gitops-imagetag -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - params: - - name: CONFIGMAP_PREFIX - type: string - - name: ENVIRONMENT - type: string - default: TEST - description: TEST or PROD - - name: TAG - description: the VERSION tag - type: string - - name: TRUNCATE_IMAGESTREAM_TAGS_AFTER - type: string - description: Number of image stream tags to keep - default: "4" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "ops" - steps: - - name: update-tag - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - TAG_VALUE=$(params.TAG) - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - YAML_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_YAML_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_YAML_PATH) : $YAML_PATH" - yq "$YAML_PATH = \"$TAG_VALUE\"" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: update-built-tags - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - TAG_VALUE=$(params.TAG) - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - BUILT_TAGS_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH) : $BUILT_TAGS_PATH" - yq "$BUILT_TAGS_PATH += [ \"$TAG_VALUE\" ]" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: prune-built-tags - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - BUILT_TAGS_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH) : $BUILT_TAGS_PATH" - ARRAY_COUNT=$(yq "$BUILT_TAGS_PATH | length" $VALUES_PATH) - echo $ARRAY_COUNT - if [ "$ARRAY_COUNT" -gt "$(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)" ]; then - MIN_KEY=$(echo | yq "$ARRAY_COUNT - $(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)") - yq "del(${BUILT_TAGS_PATH}[] | select(key < $MIN_KEY))" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - else - echo "$BUILT_TAGS_PATH currently has $ARRAY_COUNT tags, will prune at $(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)" - fi - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/mock.yaml -kind: Task -apiVersion: tekton.dev/v1beta1 -metadata: - name: mock -spec: - params: - - name: MESSAGE - type: string - description: | - The message to echo. - default: "Hello from mock-task" - steps: - - image: node # contains node - script: | - #!/usr/bin/env node - console.log("$(params.MESSAGE)") ---- -# Source: pipelines/templates/tasks/openshift-instantiate-template.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: openshift-instantiate-template -spec: - params: - - name: TEMPLATE - type: string - - name: PARAMS - type: string - steps: - - name: instantiate-template - image: quay.io/openshift/origin-cli:latest - script: | - oc process $(params.TEMPLATE) $(params.PARAMS) | oc create -f - ---- -# Source: pipelines/templates/tasks/s2i.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: s2i -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: build-artifacts - description: The maven repo for java builds - results: - - name: image - description: The image+tag that was created - params: - - name: BUILDER_IMAGE - description: The location of the s2i builder image. - type: string - - name: PATH_CONTEXT - default: . - description: The location of the path to run s2i from. - type: string - - name: TLSVERIFY - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - type: string - - name: LOGLEVEL - default: "0" - description: Log level when running the S2I binary - type: string - - name: subdirectory - default: "dev" - description: subdirectory in the gitrepos workspace where the dev repo has been cloned to - type: string - - name: OUTPUT_IMAGE - type: string - - name: TAG - default: latest - type: string -# only for java builds - - name: MAVEN_ARGS_APPEND - default: "" - description: Additional Maven arguments - type: string - - name: MAVEN_CLEAR_REPO - default: "false" - description: Remove the Maven repository after the artifact is built - type: string - - name: MAVEN_MIRROR_URL - default: "" - description: The base URL of a mirror used for retrieving artifacts - type: string - - name: CHAINED_BUILD_DOCKERFILE - default: "" - description: If a chained build is to be executed, the second part of the DOCKERFILE - type: string - steps: - - name: prepare-env - image: quay.io/openshift-pipeline/s2i - script: | - if [[ "$(params.BUILDER_IMAGE)" == *"jdk"* ]] || [[ "$(params.BUILDER_IMAGE)" == *"java"* ]]; then - echo "MAVEN_CLEAR_REPO=$(params.MAVEN_CLEAR_REPO)" > env-file - - [[ '$(params.MAVEN_ARGS_APPEND)' != "" ]] && - echo "MAVEN_ARGS_APPEND=$(params.MAVEN_ARGS_APPEND)" >> env-file - - [[ '$(params.MAVEN_MIRROR_URL)' != "" ]] && - echo "MAVEN_MIRROR_URL=$(params.MAVEN_MIRROR_URL)" >> env-file - - #create build artifacts cache directory - if [[ ! -d $(workspaces.build-artifacts.path)/m2 ]]; then - mkdir $(workspaces.build-artifacts.path)/m2 - chmod a+rwx $(workspaces.build-artifacts.path)/m2 - fi - echo "MAVEN_LOCAL_REPO=/ba/m2" >> env-file - - echo "Generated Env file" - echo "------------------------------" - cat env-file - echo "------------------------------" - - echo "s2i build --loglevel=$(params.LOGLEVEL) $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) --image-scripts-url image:///usr/local/s2i --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-params/env-file" >s2icommand - echo "buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f /gen-source/Dockerfile.gen -t `basename $(params.OUTPUT_IMAGE)` -v $(workspaces.build-artifacts.path)/m2:/ba/m2 ." >buildahcommand - fi - volumeMounts: - - mountPath: /env-params - name: envparams - workingDir: /env-params - - name: generate - image: quay.io/openshift-pipeline/s2i - # command: - # - s2i - # - build - # - --loglevel=$(params.LOGLEVEL) - # - $(params.PATH_CONTEXT) - # - $(params.BUILDER_IMAGE) - # - --as-dockerfile - # - /gen-source/Dockerfile.gen - script: | - if [ -f /env-params/s2icommand ]; then - source /env-params/s2icommand - else - s2i build --loglevel=$(params.LOGLEVEL) $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) --as-dockerfile /gen-source/Dockerfile.gen - fi - if [[ -n "$(params.CHAINED_BUILD_DOCKERFILE)" ]]; then - echo "$(params.CHAINED_BUILD_DOCKERFILE)" >>/gen-source/Dockerfile.gen - fi - resources: {} - volumeMounts: - - mountPath: /gen-source - name: gen-source - - mountPath: /env-params - name: envparams - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: build - image: quay.io/buildah/stable:v1.11.0 - script: | - if [ -f /env-params/buildahcommand ]; then - source /env-params/buildahcommand - else - buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f /gen-source/Dockerfile.gen -t `basename $(params.OUTPUT_IMAGE)` . - fi - resources: {} - securityContext: - privileged: false # LRC Changed from true - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /gen-source - name: gen-source - - mountPath: /env-params - name: envparams - workingDir: /gen-source - - name: push - image: quay.io/buildah/stable:v1.11.0 - script: | - buildah push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) `basename $(params.OUTPUT_IMAGE)` docker://$(params.OUTPUT_IMAGE):$(params.TAG) - echo -n "$(params.OUTPUT_IMAGE):$(params.TAG)" >$(results.image.path) - resources: {} - securityContext: - privileged: false # LRC Changed from true - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - volumes: - - emptyDir: {} - name: varlibcontainers - - emptyDir: {} - name: gen-source - - emptyDir: {} - name: envparams ---- -# Source: pipelines/templates/tasks/skopeo-copy.yaml -kind: Task -apiVersion: tekton.dev/v1beta1 -metadata: - name: skopeo-copy -spec: - workspaces: - - name: config - description: configmap contents - params: - - name: TAG - type: string - - name: SOURCE_IMAGE - type: string - - name: TARGET_IMAGE_CONFIGMAPKEY - type: string - steps: - - name: skopeo-copy - image: quay.io/redhat-emea-ssa-team/skopeo-ubi:latest - script: | - skopeo copy --src-tls-verify=false --dest-tls-verify=false docker://$(params.SOURCE_IMAGE):$(params.TAG) docker://$(cat $(workspaces.config.path)/IMAGE_PROVIDER)/$(cat $(workspaces.config.path)/IMAGE_ACCOUNT)/$(cat $(workspaces.config.path)/$(params.TARGET_IMAGE_CONFIGMAPKEY)):$(params.TAG) ---- -# Source: pipelines/templates/tasks/tkn.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: tkn -spec: - params: - - name: tkn-image - description: tkn CLI container image to run this task - default: gcr.io/tekton-releases/dogfooding/tkn - - name: ARGS - type: array - description: tkn CLI arguments to run - steps: - - name: tkn - image: "$(params.tkn-image)" - command: ["/usr/local/bin/tkn"] - args: ["$(params.ARGS)"] ---- -# Source: pipelines/templates/templates/build-image-bumpversion.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-bumpversion -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-bumpversion- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Mi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/bumpversiontask - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: bumpversion ---- -# Source: pipelines/templates/templates/build-image-httpd-ionic.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-httpd-ionic -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-httpd-ionic- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Gi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/httpd-ionic - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: httpd-ionic ---- -# Source: pipelines/templates/templates/build-image-pushprox.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-pushprox -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-pushprox- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Mi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/pushprox - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: pushprox - - name: DEV_REVISION - value: pushprox ---- -# Source: pipelines/templates/templates/build-iot-anomaly-detection.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-anomaly-detection -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-anomaly-detection- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-anomaly-detection - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: COMPONENT_NAME - value: iot-anomaly - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY ---- -# Source: pipelines/templates/templates/build-iot-consumer.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-consumer -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-consumer- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-consumer - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: PATH_CONTEXT - value: components/iot-consumer - - name: COMPONENT_NAME - value: iot-consumer - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER ---- -# Source: pipelines/templates/templates/build-iot-frontend.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-frontend -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-frontend- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-frontend - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: PATH_CONTEXT - value: components/iot-frontend - - name: COMPONENT_NAME - value: iot-frontend - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: CHAINED_BUILD_DOCKERFILE - #value: "FROM centos/httpd-24-centos7\nCOPY --from=0 /opt/app-root/output /var/www/html/" - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" ---- -# Source: pipelines/templates/templates/build-iot-software-sensor-quarkus.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-software-sensor-quarkus -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-software-sensor-quarkus- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-software-sensor - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/quarkus/ubi-quarkus-native-s2i:19.3.1-java11 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: PATH_CONTEXT - value: components/iot-software-sensor-quarkus - - name: COMPONENT_NAME - value: iot-swsensor - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR ---- -# Source: pipelines/templates/templates/build-iot-software-sensor.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-software-sensor -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-software-sensor- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-software-sensor - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: COMPONENT_NAME - value: iot-swsensor - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR ---- -# Source: pipelines/templates/templates/seed.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: seed -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: seed- - spec: - pipelineRef: - name: seed - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-consumer - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: pipelines/templates/templates/stage-production-pipelinerun.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: stage-production-pipelinerun -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: stage-production-${COMPONENT_NAME}- - spec: - pipelineRef: - name: stage-production - params: - - name: TAG - value: ${TAG} - - name: SOURCE_IMAGE - value: ${SOURCE_IMAGE} - - name: CONFIGMAP_PREFIX - value: ${CONFIGMAP_PREFIX} - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: github-secret - secret: - secretName: git-repo-credentials - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - # persistentVolumeClaim: - # claimName: stage-production -parameters: -- name: TAG -- name: SOURCE_IMAGE -- name: CONFIGMAP_PREFIX -- name: COMPONENT_NAME diff --git a/tests/datacenter-pipelines-naked.expected.yaml b/tests/datacenter-pipelines-naked.expected.yaml deleted file mode 100644 index 4db1958fb..000000000 --- a/tests/datacenter-pipelines-naked.expected.yaml +++ /dev/null @@ -1,4257 +0,0 @@ ---- -# Source: pipelines/templates/configmaps/environment.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: environment -data: - DESCRIPTION: "Config keys for openshift-pipelines" - IMAGE_PROVIDER: quay.io - IMAGE_ACCOUNT: PLAINTEXT - GIT_EMAIL: SOMEWHERE@EXAMPLE.COM - GIT_DEV_REPO_URL: https://github.com/PLAINTEXT/manuela-dev.git - GIT_DEV_REPO_REVISION: main - GIT_OPS_REPO_TEST_URL: https://github.com/pattern-clone/industrial-edge - GIT_OPS_REPO_TEST_REVISION: main - GIT_OPS_REPO_PROD_URL: https://github.com/pattern-clone/industrial-edge - GIT_OPS_REPO_PROD_REVISION: main - IOT_CONSUMER_IMAGE: iot-consumer - IOT_CONSUMER_YAML_PATH: ".iot_consumer.tag" - IOT_CONSUMER_BUILT_TAGS_PATH: .iot_consumer.built_tags - IOT_CONSUMER_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_CONSUMER_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_FRONTEND_IMAGE: iot-frontend - IOT_FRONTEND_YAML_PATH: ".iot_frontend.tag" - IOT_FRONTEND_BUILT_TAGS_PATH: ".iot_frontend.built_tags" - IOT_FRONTEND_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_FRONTEND_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_SWSENSOR_IMAGE: iot-software-sensor - IOT_SWSENSOR_YAML_PATH: ".machine_sensor.tag" - IOT_SWSENSOR_BUILT_TAGS_PATH: .machine_sensor.built_tags - IOT_SWSENSOR_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_SWSENSOR_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_ANOMALY_IMAGE: iot-anomaly-detection - IOT_ANOMALY_YAML_PATH: ".iot_anomaly_detection.tag" - IOT_ANOMALY_BUILT_TAGS_PATH: .iot_anomaly_detection.built_tags - IOT_ANOMALY_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_ANOMALY_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - -# IOT_CONSUMER_IMAGE: iot-consumer -# IOT_CONSUMER_YAML_PATH: 'images(name==messaging).newTag' -# IOT_CONSUMER_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_CONSUMER_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_CONSUMER_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/messaging/messaging-is.yaml -# IOT_FRONTEND_IMAGE: iot-frontend -# IOT_FRONTEND_YAML_PATH: 'images(name==line-dashboard).newTag' -# IOT_FRONTEND_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_FRONTEND_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_FRONTEND_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/line-dashboard/line-dashboard-is.yaml -# IOT_SWSENSOR_IMAGE: iot-software-sensor -# IOT_SWSENSOR_YAML_PATH: 'images(name==machine-sensor).newTag' -# IOT_SWSENSOR_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_SWSENSOR_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_SWSENSOR_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/machine-sensor/machine-sensor-is.yaml -# IOT_ANOMALY_IMAGE: iot-anomaly-detection -# IOT_ANOMALY_YAML_PATH: 'images(name==anomaly-detection).newTag' -# IOT_ANOMALY_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_ANOMALY_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_ANOMALY_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/anomaly-detection/anomaly-detection-is.yaml ---- -# Source: pipelines/templates/persistent-volume-claims/build-artifacts.rwo.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: build-artifacts-rwo -spec: - resources: - requests: - storage: 1Gi - volumeMode: Filesystem - accessModes: - - ReadWriteOnce ---- -# Source: pipelines/templates/persistent-volume-claims/gitrepos.rwo.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: gitrepos-rwo -spec: - resources: - requests: - storage: 1Gi - volumeMode: Filesystem - accessModes: - - ReadWriteOnce ---- -# Source: pipelines/templates/pipeline-from-manuela-ci-to-manuela-tst-all.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: admin - namespace: manuela-tst-all -subjects: - - kind: ServiceAccount - name: pipeline - namespace: manuela-ci -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin ---- -# Source: pipelines/templates/pipelines/build-and-test-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - name: argocd-env-secret - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-industrial-edge-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - #value: datacenter-gitops-server.industrial-edge-datacenter.svc - value: "testgroup-gitops-server.industrial-edge-testgroup.svc" - - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version-iot-anomaly.results.image-tag) -p CONFIGMAP_PREFIX=IOT_ANOMALY -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection -p COMPONENT_NAME=iot-anomaly-detection - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-anomaly-detection ---- -# Source: pipelines/templates/pipelines/build-and-test-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - name: argocd-env-secret - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-industrial-edge-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - #value: datacenter-gitops-server.industrial-edge-datacenter.svc - value: "testgroup-gitops-server.industrial-edge-testgroup.svc" - - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version-iot-consumer.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer ---- -# Source: pipelines/templates/pipelines/build-and-test.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test -spec: - workspaces: - - name: gitrepos - - name: config - - name: argocd-env-secret - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: build-base-images - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-base-images - - --param - - PATH_CONTEXT=tekton/images/httpd-ionic - - --param - - DEV_REVISION=$(params.DEV_REVISION) - - --param - - OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY=IMAGE_PROVIDER - - --param - - OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY=IMAGE_ACCOUNT - - --param - - OUTPUT_IMAGE_NAME=httpd-ionic - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --showlog - - --nocolour - - - name: build-iot-anomaly-detection - runAfter: - - build-base-images - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-anomaly-detection - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-consumer - runAfter: - - build-iot-anomaly-detection - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-consumer - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-frontend - runAfter: - - build-iot-consumer - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-frontend - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-software-sensor - runAfter: - - build-iot-frontend - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-software-sensor - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: git-clone-dev - runAfter: - - build-iot-software-sensor - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-gitops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version - taskRef: - name: bumpversion - runAfter: - - git-clone-gitops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot_consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: build-messaging-image - taskRef: - name: s2i - runAfter: - - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: CHAINED_BUILD_DOCKERFILE - value: "" - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - build-messaging-image -# - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops-test - taskRef: - name: git-commit - runAfter: - - modify-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-test - taskRef: - name: github-push - runAfter: - - commit-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops-test - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-industrial-edge-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - # datacenter-gitops-server.industrial-edge-datacenter.svc - value: "testgroup-gitops-server.industrial-edge-testgroup.svc" - - # - name: sensor-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully sent messages to broker..." - # - name: consumer-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully processed messages from broker..." - # - name: consumer-frontend-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully executed Websocket APIs..." - # - name: e2e-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - sensor-broker-test - # - consumer-broker-test - # - consumer-frontend-test - # params: - # - name: MESSAGE - # value: "e2e testsuite succesfully executed" - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer - # - name: OPENSHIFT_NAMESPACE - # value: manuela-tst-all - # - name: OPENSHIFT_IMAGESTREAM - # value: messaging ---- -# Source: pipelines/templates/pipelines/build-base-images.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-base-images -spec: - workspaces: - - name: gitrepos - - name: config - params: - - name: PATH_CONTEXT - type: string - default: tekton/images/httpd-ionic - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - type: string - default: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - type: string - default: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - type: string - default: httpd-ionic - - name: DEV_REVISION - type: string - default: main - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: buildah-build - taskRef: - name: buildah - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: $(params.PATH_CONTEXT) - - name: TAG - value: latest - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: $(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY) - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: $(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY) - - name: OUTPUT_IMAGE_NAME - value: $(params.OUTPUT_IMAGE_NAME) ---- -# Source: pipelines/templates/pipelines/build-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-frontend.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-frontend -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-frontend - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-frontend - - name: version_file_path - value: components/iot-frontend/VERSION - - - name: s2i-build-iot-frontend - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-frontend - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: CHAINED_BUILD_DOCKERFILE - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - - name: copy-image-to-remote-registry-iot-frontend - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-frontend - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_FRONTEND_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-software-sensor.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-software-sensor -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-software-sensor - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-swsensor - - name: version_file_path - value: components/iot-software-sensor/VERSION - - - name: s2i-build-iot-software-sensor - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - - name: copy-image-to-remote-registry-iot-software-sensor - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-software-sensor - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_SWSENSOR_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/just-pr.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: just-pr -spec: - workspaces: - - name: gitrepos - - name: config - - name: argocd-env-secret - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-gitops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version - taskRef: - name: bumpversion - runAfter: - - git-clone-gitops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot_consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: build-messaging-image - taskRef: - name: s2i - runAfter: - - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: CHAINED_BUILD_DOCKERFILE - value: "" - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - build-messaging-image -# - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops-test - taskRef: - name: git-commit - runAfter: - - modify-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-test - taskRef: - name: github-push - runAfter: - - commit-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops-test - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-industrial-edge-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - # datacenter-gitops-server.industrial-edge-datacenter.svc - value: "testgroup-gitops-server.industrial-edge-testgroup.svc" - # - name: sensor-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully sent messages to broker..." - # - name: consumer-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully processed messages from broker..." - # - name: consumer-frontend-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully executed Websocket APIs..." - # - name: e2e-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - sensor-broker-test - # - consumer-broker-test - # - consumer-frontend-test - # params: - # - name: MESSAGE - # value: "e2e testsuite succesfully executed" - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer - # - name: OPENSHIFT_NAMESPACE - # value: manuela-tst-all - # - name: OPENSHIFT_IMAGESTREAM - # value: messaging ---- -# Source: pipelines/templates/pipelines/seed-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-frontend.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-frontend -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-frontend - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-frontend - - name: version_file_path - value: components/iot-frontend/VERSION - - - name: s2i-build-iot-frontend - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-frontend - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: CHAINED_BUILD_DOCKERFILE - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - - name: copy-image-to-remote-registry-iot-frontend - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-frontend - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_FRONTEND_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-software-sensor.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-software-sensor -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-software-sensor - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-swsensor - - name: version_file_path - value: components/iot-software-sensor/VERSION - - - name: s2i-build-iot-software-sensor - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - - name: copy-image-to-remote-registry-iot-software-sensor - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-software-sensor - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_SWSENSOR_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: build-base-images - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - build-base-images - - --param - - PATH_CONTEXT=tekton/images/httpd-ionic - - --param - - OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY=IMAGE_PROVIDER - - --param - - OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY=IMAGE_ACCOUNT - - --param - - OUTPUT_IMAGE_NAME=http-ionic - - --param - - DEV_REVISION=$(params.DEV_REVISION) - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-anomaly-detection - runAfter: - - build-base-images - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-anomaly-detection - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-consumer - runAfter: - - seed-iot-anomaly-detection - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-consumer - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-frontend - runAfter: - - seed-iot-consumer - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-frontend - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-software-sensor - runAfter: - - seed-iot-frontend - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-software-sensor - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour ---- -# Source: pipelines/templates/pipelines/stage-production.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: stage-production -spec: - workspaces: - - name: gitrepos - - name: config - - name: github-secret - params: - - name: TAG - type: string - - name: SOURCE_IMAGE - type: string - - name: CONFIGMAP_PREFIX - type: string - - tasks: - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_PROD_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: copy-image-to-remote-registry - taskRef: - name: skopeo-copy - runAfter: - - git-clone-ops - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(params.TAG) - - name: SOURCE_IMAGE - value: $(params.SOURCE_IMAGE) - - name: TARGET_IMAGE_CONFIGMAPKEY - value: $(params.CONFIGMAP_PREFIX)_IMAGE - - - name: checkout-staging-branch - taskRef: - name: git-checkout - runAfter: - - copy-image-to-remote-registry - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - name: BRANCH - value: staging-approval - - - name: modify-ops-prod - taskRef: - name: gitops-imagetag - runAfter: - - checkout-staging-branch - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: $(params.CONFIGMAP_PREFIX) - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(params.TAG) - - name: subdirectory - value: ops - - - name: commit-ops-prod - taskRef: - name: git-commit - runAfter: - - modify-ops-prod - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-prod - taskRef: - name: github-push - runAfter: - - commit-ops-prod - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - name: PUSH_FLAGS - value: --set-upstream origin staging-approval - - - name: github-pull-request - taskRef: - name: github-add-pull-request - runAfter: - - push-ops-prod - workspaces: - - name: config - workspace: config - - name: github-secret - workspace: github-secret - params: - - name: GITHUB_REPO_CONFIGMAPKEY - value: GIT_OPS_REPO_PROD_URL - - name: GIT_BRANCH_HEAD - value: staging-approval - - name: GIT_BRANCH_BASE - value: main ---- -# Source: pipelines/templates/pipelines/test-all.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: test-all -spec: - tasks: - - name: sensor-broker-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully sent messages to broker..." - - name: consumer-broker-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully processed messages from broker..." - - name: consumer-frontend-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully executed Websocket APIs..." - - name: e2e-test - taskRef: - name: mock - kind: Task - runAfter: - - sensor-broker-test - - consumer-broker-test - - consumer-frontend-test - params: - - name: MESSAGE - value: "e2e testsuite succesfully executed" - # - name: fail - # taskRef: - # name: fail - # kind: Task - # runAfter: - # - e2e-test ---- -# Source: pipelines/templates/tasks/argocd-sync-and-wait.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: argocd-sync-and-wait -spec: - workspaces: - - name: argocd-env-secret - params: - - name: application-name - type: string - description: name of the application to sync - - name: revision - type: string - description: the revision to sync to - default: main - - name: flags - type: string - default: -- - - name: argocd-version - type: string - default: v1.5.2 - - name: argocd-server - type: string - default: openshift-gitops-server.openshift-gitops.svc - steps: - - name: login-sync-wait - image: argoproj/argocd:$(params.argocd-version) - command: ["/bin/bash", "-c"] - args: - - if [ -z $ARGOCD_AUTH_TOKEN ]; then - yes | argocd login $(params.argocd-server) --grpc-web $(params.flags) --username=$(cat $(workspaces.argocd-env-secret.path)/ARGOCD_USERNAME) --password=$(cat $(workspaces.argocd-env-secret.path)/ARGOCD_PASSWORD); - fi; - - argocd app sync $(params.application-name) --revision $(params.revision) $(params.flags); - - argocd app wait $(params.application-name) --health $(params.flags); ---- -# Source: pipelines/templates/tasks/buildah.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: buildah -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - results: - - name: image - description: The image+tag that was created - params: - - name: PATH_CONTEXT - default: . - description: The location of the path to run s2i from. - type: string - - name: TLSVERIFY - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - type: string - - name: subdirectory - default: "dev" - description: subdirectory in the gitrepos workspace where the dev repo has been cloned to - type: string - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - type: string - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - type: string - - name: OUTPUT_IMAGE_NAME - type: string - - name: TAG - default: latest - type: string - - name: DOCKERFILE - default: Dockerfile - type: string - steps: - - name: build - image: quay.io/buildah/stable:v1.11.0 - script: | - PROVIDER=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY)) - ACCOUNT=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY)) - OUTPUT_IMAGE="$PROVIDER/$ACCOUNT/$(params.OUTPUT_IMAGE_NAME)" - buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f $(params.DOCKERFILE) -t $OUTPUT_IMAGE - resources: {} - securityContext: - privileged: false - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory)/$(params.PATH_CONTEXT) - - name: push - image: quay.io/buildah/stable:v1.11.0 - script: | - PROVIDER=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY)) - ACCOUNT=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY)) - OUTPUT_IMAGE="$PROVIDER/$ACCOUNT/$(params.OUTPUT_IMAGE_NAME)" - buildah push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) $OUTPUT_IMAGE docker://$OUTPUT_IMAGE:$(params.TAG) - echo -n "$OUTPUT_IMAGE:$(params.TAG)" >$(results.image.path) - resources: {} - securityContext: - privileged: false - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - volumes: - - emptyDir: {} - name: varlibcontainers ---- -# Source: pipelines/templates/tasks/bumpversion.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: bumpversion -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "dev" - - name: component_name - description: component name - type: string - - name: version_file_path - description: path within subdirectory where the base VERSION of the component resides - type: string - results: - - name: image-tag - description: the new build version based on the last tags and VERSION file - - name: git-tag - description: the new build version based on the last tags and VERSION file - steps: - - name: current-tag - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - VERSION_GLOB="build-$(params.component_name)-$(cat $(params.version_file_path))-*" - - # existing tag based on glob - LAST_TAG=$(git tag --sort "version:refname" -l $VERSION_GLOB | tail -n 1) - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] ; then - exit $EXIT_CODE - fi - - # if tag doesn't exist, create new one - if [ "$LAST_TAG" == "" ] ; then - LAST_TAG="build-$(params.component_name)-$(cat $(params.version_file_path))-0" - fi - - # Make sure we don't add a trailing newline to the result! - echo -n "$LAST_TAG" >/scratch/VERSION - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: bump-tag - image: quay.io/hybridcloudpatterns/bumpversiontask:latest - script: | - cd /scratch - echo -e "[bumpversion]\ncurrent_version = $(cat VERSION)" >.bumpversion.cfg - cat <>.bumpversion.cfg - commit = False - tag = False - parse = (?P.*)\-(?P\d+)\.(?P\d+)\.(?P\d+)\-(?P\d+) - serialize = {prefix}-{major}.{minor}.{patch}-{build:03d} - - [bumpversion:part:build] - - [bumpversion:file:VERSION] - EOF - - bump2version build /scratch/VERSION - - sed "s/build-$(params.component_name)-//" /scratch/VERSION >$(results.image-tag.path) - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: tag-repo - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - VERSION=$(cat /scratch/VERSION) - git tag $VERSION - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] ; then - exit $EXIT_CODE - fi - echo -n "$VERSION" > $(results.git-tag.path) - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - volumes: - - emptyDir: {} - name: scratch ---- -# Source: pipelines/templates/tasks/cleanup.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: cleanup -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: dev - - name: COMPONENT_NAME - description: component name - type: string - - name: NUMBER_OF_TAGS_TO_KEEP - type: string - default: "5" - - name: GITHUB_USERNAME_CONFIGMAPKEY - default: user - type: string - - name: GITHUB_TOKEN_CONFIGMAPKEY - default: token - type: string - # - name: OPENSHIFT_NAMESPACE - # default: manuela-tst-all - # type: string - # - name: OPENSHIFT_IMAGESTREAM - # default: messaging - # type: string - steps: - - name: cleanup-git-tags - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - #list build tags for component in repo - BUILD_TAG_GLOB="build-$(params.COMPONENT_NAME)-*" - git tag --sort "version:refname" -l $BUILD_TAG_GLOB >/scratch/tags - - #identify build tags to keep - tail -n $(params.NUMBER_OF_TAGS_TO_KEEP) /scratch/tags >/scratch/keep - - #identify build tags to be deleted - diff /scratch/tags /scratch/keep | grep \^-build | cut -c2- > /scratch/delete - - #delete build tags - for TAG in $(cat /scratch/delete); do - git push origin :$TAG - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - done - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - # - name: cleanup-test-images - # image: quay.io/openshift/origin-cli:latest - # script: | - # oc get is -n $(params.OPENSHIFT_NAMESPACE) $(params.OPENSHIFT_IMAGESTREAM) -o jsonpath='{.status.tags..tag}' | tr " " "\n" | grep build- | comm -23 - /scratch/keep >/scratch/delete_istags - # EXIT_CODE="$?" - # if [ "$EXIT_CODE" != 0 ] - # then - # exit $EXIT_CODE - # fi - # for TAG in $(cat /scratch/delete_istags); do - # oc tag -n $(params.OPENSHIFT_NAMESPACE) -d $(params.OPENSHIFT_IMAGESTREAM):$TAG - # EXIT_CODE="$?" - # if [ "$EXIT_CODE" != 0 ] - # then - # exit $EXIT_CODE - # fi - # done - # volumeMounts: - # - mountPath: /scratch - # name: scratch - # workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - volumes: - - emptyDir: {} - name: scratch ---- -# Source: pipelines/templates/tasks/fail.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: fail -spec: - steps: - - name: fail - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - exit 1 ---- -# Source: pipelines/templates/tasks/git-checkout.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-checkout -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: BRANCH - description: branch to check out or to create - type: string - default: main - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - results: - - name: commit - description: The precise commit SHA that is HEAD of the checked out branch - steps: - - name: checkout - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - BRANCH=$(params.BRANCH) - git checkout -q --track -b $BRANCH origin/$BRANCH 2>&1 || git checkout -q -b $BRANCH 2>&1 - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')" - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - # Make sure we don't add a trailing newline to the result! - echo -n "$RESULT_SHA" > $(results.commit.path) - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/git-clone-with-tags.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-clone-with-tags -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: url_configmapkey - description: git url to clone - type: string - - name: revision - description: git revision to checkout (branch, tag, sha, ref…) - type: string - default: main - - name: submodules - description: defines if the resource should initialize and fetch the submodules - type: string - default: "true" - - name: depth - description: performs a shallow clone where only the most recent commit(s) will be fetched - type: string - default: "1" - - name: sslVerify - description: defines if http.sslVerify should be set to true or false in the global git config - type: string - default: "true" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "" - - name: deleteExisting - description: clean out the contents of the repo's destination directory (if it already exists) before trying to clone the repo there - type: string - default: "false" - results: - - name: commit - description: The precise commit SHA that was fetched by this Task - steps: - - name: clone - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - CHECKOUT_DIR="$(workspaces.gitrepos.path)/$(params.subdirectory)" - - cleandir() { - # Delete any existing contents of the repo directory if it exists. - # - # We don't just "rm -rf $CHECKOUT_DIR" because $CHECKOUT_DIR might be "/" - # or the root of a mounted volume. - if [[ -d "$CHECKOUT_DIR" ]] ; then - # Delete non-hidden files and directories - rm -rf "$CHECKOUT_DIR"/* - # Delete files and directories starting with . but excluding .. - rm -rf "$CHECKOUT_DIR"/.[!.]* - # Delete files and directories starting with .. plus any other character - rm -rf "$CHECKOUT_DIR"/..?* - fi - } - - if [[ "$(params.deleteExisting)" == "true" ]] ; then - cleandir - fi - - /ko-app/git-init \ - -url "$(cat $(workspaces.config.path)/$(params.url_configmapkey))" \ - -revision "$(params.revision)" \ - -path "$CHECKOUT_DIR" \ - -sslVerify="$(params.sslVerify)" \ - -submodules="$(params.submodules)" \ - -depth="$(params.depth)" - cd "$CHECKOUT_DIR" - - git fetch --tags - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - # Seems the go git client checks out master regardless. This allows for 'main' or another branch to be used - git checkout $(params.revision) - git branch --set-upstream-to=origin/$(params.revision) - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')" - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - # Make sure we don't add a trailing newline to the result! - echo -n "$RESULT_SHA" > $(results.commit.path) ---- -# Source: pipelines/templates/tasks/git-commit.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-commit -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: GIT_EMAIL_CONFIGMAPKEY - default: GIT_EMAIL - type: string - - name: MESSAGE - description: commit message - type: string - default: "change made by Tekton task" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - steps: - - name: commit - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - git diff - git config --global user.email "$(cat $(workspaces.config.path)/$(params.GIT_EMAIL_CONFIGMAPKEY))" - git config --global user.name "Tekton Automation" - git add . - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - #only commit if there is something which has changed - git diff --staged --quiet || git commit -m "$(params.MESSAGE)" - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/github-add-pull-request.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: github-add-pull-request -spec: - workspaces: - - name: config - - name: github-secret - params: - - name: PULL_REQUEST_BODY - description: The body to be used for the pull request - type: string - default: "" - - name: PULL_REQUEST_TITLE - description: Title of the pull request - type: string - default: "Pull request created by Tekton task github-add-pull-request" - - name: GITHUB_REPO_CONFIGMAPKEY - description: The github owner/repo to use - type: string - - name: GIT_BRANCH_HEAD - description: The branch to pull from - type: string - default: approve - - name: GIT_BRANCH_BASE - description: The branch to pull into - type: string - default: main - steps: - - name: create-pull-request - image: curlimages/curl - script: | - GITREPO=$(cat $(workspaces.config.path)/$(params.GITHUB_REPO_CONFIGMAPKEY)) - PULLREQUEST_API_ENDPOINT=$(echo -n "$GITREPO" | sed "s|github.com|api.github.com/repos|" | sed "s/\.git$//g")/pulls - curl -v -u :$(cat $(workspaces.github-secret.path)/password) $PULLREQUEST_API_ENDPOINT -d '{"title":"$(params.PULL_REQUEST_TITLE)","body":"$(params.PULL_REQUEST_BODY)","head":"$(params.GIT_BRANCH_HEAD)","base":"$(params.GIT_BRANCH_BASE)"}' ---- -# Source: pipelines/templates/tasks/github-push.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: github-push -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "dev" - - name: PUSH_FLAGS - description: additional flags for git push - type: string - default: "" - steps: - - name: push - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - git remote -v - git branch - git branch -r | grep -q origin/$(git rev-parse --abbrev-ref HEAD) && git pull --ff-only --no-edit - git log -n 2 - git push -v $(params.PUSH_FLAGS) - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/gitops-imagetag.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: gitops-imagetag -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - params: - - name: CONFIGMAP_PREFIX - type: string - - name: ENVIRONMENT - type: string - default: TEST - description: TEST or PROD - - name: TAG - description: the VERSION tag - type: string - - name: TRUNCATE_IMAGESTREAM_TAGS_AFTER - type: string - description: Number of image stream tags to keep - default: "4" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "ops" - steps: - - name: update-tag - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - TAG_VALUE=$(params.TAG) - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - YAML_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_YAML_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_YAML_PATH) : $YAML_PATH" - yq "$YAML_PATH = \"$TAG_VALUE\"" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: update-built-tags - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - TAG_VALUE=$(params.TAG) - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - BUILT_TAGS_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH) : $BUILT_TAGS_PATH" - yq "$BUILT_TAGS_PATH += [ \"$TAG_VALUE\" ]" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: prune-built-tags - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - BUILT_TAGS_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH) : $BUILT_TAGS_PATH" - ARRAY_COUNT=$(yq "$BUILT_TAGS_PATH | length" $VALUES_PATH) - echo $ARRAY_COUNT - if [ "$ARRAY_COUNT" -gt "$(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)" ]; then - MIN_KEY=$(echo | yq "$ARRAY_COUNT - $(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)") - yq "del(${BUILT_TAGS_PATH}[] | select(key < $MIN_KEY))" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - else - echo "$BUILT_TAGS_PATH currently has $ARRAY_COUNT tags, will prune at $(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)" - fi - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/mock.yaml -kind: Task -apiVersion: tekton.dev/v1beta1 -metadata: - name: mock -spec: - params: - - name: MESSAGE - type: string - description: | - The message to echo. - default: "Hello from mock-task" - steps: - - image: node # contains node - script: | - #!/usr/bin/env node - console.log("$(params.MESSAGE)") ---- -# Source: pipelines/templates/tasks/openshift-instantiate-template.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: openshift-instantiate-template -spec: - params: - - name: TEMPLATE - type: string - - name: PARAMS - type: string - steps: - - name: instantiate-template - image: quay.io/openshift/origin-cli:latest - script: | - oc process $(params.TEMPLATE) $(params.PARAMS) | oc create -f - ---- -# Source: pipelines/templates/tasks/s2i.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: s2i -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: build-artifacts - description: The maven repo for java builds - results: - - name: image - description: The image+tag that was created - params: - - name: BUILDER_IMAGE - description: The location of the s2i builder image. - type: string - - name: PATH_CONTEXT - default: . - description: The location of the path to run s2i from. - type: string - - name: TLSVERIFY - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - type: string - - name: LOGLEVEL - default: "0" - description: Log level when running the S2I binary - type: string - - name: subdirectory - default: "dev" - description: subdirectory in the gitrepos workspace where the dev repo has been cloned to - type: string - - name: OUTPUT_IMAGE - type: string - - name: TAG - default: latest - type: string -# only for java builds - - name: MAVEN_ARGS_APPEND - default: "" - description: Additional Maven arguments - type: string - - name: MAVEN_CLEAR_REPO - default: "false" - description: Remove the Maven repository after the artifact is built - type: string - - name: MAVEN_MIRROR_URL - default: "" - description: The base URL of a mirror used for retrieving artifacts - type: string - - name: CHAINED_BUILD_DOCKERFILE - default: "" - description: If a chained build is to be executed, the second part of the DOCKERFILE - type: string - steps: - - name: prepare-env - image: quay.io/openshift-pipeline/s2i - script: | - if [[ "$(params.BUILDER_IMAGE)" == *"jdk"* ]] || [[ "$(params.BUILDER_IMAGE)" == *"java"* ]]; then - echo "MAVEN_CLEAR_REPO=$(params.MAVEN_CLEAR_REPO)" > env-file - - [[ '$(params.MAVEN_ARGS_APPEND)' != "" ]] && - echo "MAVEN_ARGS_APPEND=$(params.MAVEN_ARGS_APPEND)" >> env-file - - [[ '$(params.MAVEN_MIRROR_URL)' != "" ]] && - echo "MAVEN_MIRROR_URL=$(params.MAVEN_MIRROR_URL)" >> env-file - - #create build artifacts cache directory - if [[ ! -d $(workspaces.build-artifacts.path)/m2 ]]; then - mkdir $(workspaces.build-artifacts.path)/m2 - chmod a+rwx $(workspaces.build-artifacts.path)/m2 - fi - echo "MAVEN_LOCAL_REPO=/ba/m2" >> env-file - - echo "Generated Env file" - echo "------------------------------" - cat env-file - echo "------------------------------" - - echo "s2i build --loglevel=$(params.LOGLEVEL) $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) --image-scripts-url image:///usr/local/s2i --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-params/env-file" >s2icommand - echo "buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f /gen-source/Dockerfile.gen -t `basename $(params.OUTPUT_IMAGE)` -v $(workspaces.build-artifacts.path)/m2:/ba/m2 ." >buildahcommand - fi - volumeMounts: - - mountPath: /env-params - name: envparams - workingDir: /env-params - - name: generate - image: quay.io/openshift-pipeline/s2i - # command: - # - s2i - # - build - # - --loglevel=$(params.LOGLEVEL) - # - $(params.PATH_CONTEXT) - # - $(params.BUILDER_IMAGE) - # - --as-dockerfile - # - /gen-source/Dockerfile.gen - script: | - if [ -f /env-params/s2icommand ]; then - source /env-params/s2icommand - else - s2i build --loglevel=$(params.LOGLEVEL) $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) --as-dockerfile /gen-source/Dockerfile.gen - fi - if [[ -n "$(params.CHAINED_BUILD_DOCKERFILE)" ]]; then - echo "$(params.CHAINED_BUILD_DOCKERFILE)" >>/gen-source/Dockerfile.gen - fi - resources: {} - volumeMounts: - - mountPath: /gen-source - name: gen-source - - mountPath: /env-params - name: envparams - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: build - image: quay.io/buildah/stable:v1.11.0 - script: | - if [ -f /env-params/buildahcommand ]; then - source /env-params/buildahcommand - else - buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f /gen-source/Dockerfile.gen -t `basename $(params.OUTPUT_IMAGE)` . - fi - resources: {} - securityContext: - privileged: false # LRC Changed from true - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /gen-source - name: gen-source - - mountPath: /env-params - name: envparams - workingDir: /gen-source - - name: push - image: quay.io/buildah/stable:v1.11.0 - script: | - buildah push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) `basename $(params.OUTPUT_IMAGE)` docker://$(params.OUTPUT_IMAGE):$(params.TAG) - echo -n "$(params.OUTPUT_IMAGE):$(params.TAG)" >$(results.image.path) - resources: {} - securityContext: - privileged: false # LRC Changed from true - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - volumes: - - emptyDir: {} - name: varlibcontainers - - emptyDir: {} - name: gen-source - - emptyDir: {} - name: envparams ---- -# Source: pipelines/templates/tasks/skopeo-copy.yaml -kind: Task -apiVersion: tekton.dev/v1beta1 -metadata: - name: skopeo-copy -spec: - workspaces: - - name: config - description: configmap contents - params: - - name: TAG - type: string - - name: SOURCE_IMAGE - type: string - - name: TARGET_IMAGE_CONFIGMAPKEY - type: string - steps: - - name: skopeo-copy - image: quay.io/redhat-emea-ssa-team/skopeo-ubi:latest - script: | - skopeo copy --src-tls-verify=false --dest-tls-verify=false docker://$(params.SOURCE_IMAGE):$(params.TAG) docker://$(cat $(workspaces.config.path)/IMAGE_PROVIDER)/$(cat $(workspaces.config.path)/IMAGE_ACCOUNT)/$(cat $(workspaces.config.path)/$(params.TARGET_IMAGE_CONFIGMAPKEY)):$(params.TAG) ---- -# Source: pipelines/templates/tasks/tkn.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: tkn -spec: - params: - - name: tkn-image - description: tkn CLI container image to run this task - default: gcr.io/tekton-releases/dogfooding/tkn - - name: ARGS - type: array - description: tkn CLI arguments to run - steps: - - name: tkn - image: "$(params.tkn-image)" - command: ["/usr/local/bin/tkn"] - args: ["$(params.ARGS)"] ---- -# Source: pipelines/templates/templates/build-image-bumpversion.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-bumpversion -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-bumpversion- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Mi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/bumpversiontask - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: bumpversion ---- -# Source: pipelines/templates/templates/build-image-httpd-ionic.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-httpd-ionic -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-httpd-ionic- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Gi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/httpd-ionic - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: httpd-ionic ---- -# Source: pipelines/templates/templates/build-image-pushprox.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-pushprox -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-pushprox- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Mi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/pushprox - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: pushprox - - name: DEV_REVISION - value: pushprox ---- -# Source: pipelines/templates/templates/build-iot-anomaly-detection.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-anomaly-detection -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-anomaly-detection- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-anomaly-detection - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: COMPONENT_NAME - value: iot-anomaly - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY ---- -# Source: pipelines/templates/templates/build-iot-consumer.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-consumer -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-consumer- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-consumer - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: PATH_CONTEXT - value: components/iot-consumer - - name: COMPONENT_NAME - value: iot-consumer - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER ---- -# Source: pipelines/templates/templates/build-iot-frontend.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-frontend -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-frontend- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-frontend - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: PATH_CONTEXT - value: components/iot-frontend - - name: COMPONENT_NAME - value: iot-frontend - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: CHAINED_BUILD_DOCKERFILE - #value: "FROM centos/httpd-24-centos7\nCOPY --from=0 /opt/app-root/output /var/www/html/" - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" ---- -# Source: pipelines/templates/templates/build-iot-software-sensor-quarkus.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-software-sensor-quarkus -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-software-sensor-quarkus- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-software-sensor - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/quarkus/ubi-quarkus-native-s2i:19.3.1-java11 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: PATH_CONTEXT - value: components/iot-software-sensor-quarkus - - name: COMPONENT_NAME - value: iot-swsensor - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR ---- -# Source: pipelines/templates/templates/build-iot-software-sensor.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-software-sensor -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-software-sensor- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-software-sensor - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: COMPONENT_NAME - value: iot-swsensor - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR ---- -# Source: pipelines/templates/templates/seed.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: seed -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: seed- - spec: - pipelineRef: - name: seed - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-consumer - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: pipelines/templates/templates/stage-production-pipelinerun.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: stage-production-pipelinerun -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: stage-production-${COMPONENT_NAME}- - spec: - pipelineRef: - name: stage-production - params: - - name: TAG - value: ${TAG} - - name: SOURCE_IMAGE - value: ${SOURCE_IMAGE} - - name: CONFIGMAP_PREFIX - value: ${CONFIGMAP_PREFIX} - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: github-secret - secret: - secretName: git-repo-credentials - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - # persistentVolumeClaim: - # claimName: stage-production -parameters: -- name: TAG -- name: SOURCE_IMAGE -- name: CONFIGMAP_PREFIX -- name: COMPONENT_NAME diff --git a/tests/datacenter-pipelines-normal.expected.yaml b/tests/datacenter-pipelines-normal.expected.yaml deleted file mode 100644 index bfb432403..000000000 --- a/tests/datacenter-pipelines-normal.expected.yaml +++ /dev/null @@ -1,4257 +0,0 @@ ---- -# Source: pipelines/templates/configmaps/environment.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: environment -data: - DESCRIPTION: "Config keys for openshift-pipelines" - IMAGE_PROVIDER: quay.io - IMAGE_ACCOUNT: PLAINTEXT - GIT_EMAIL: SOMEWHERE@EXAMPLE.COM - GIT_DEV_REPO_URL: https://github.com/PLAINTEXT/manuela-dev.git - GIT_DEV_REPO_REVISION: main - GIT_OPS_REPO_TEST_URL: https://github.com/pattern-clone/mypattern - GIT_OPS_REPO_TEST_REVISION: main - GIT_OPS_REPO_PROD_URL: https://github.com/pattern-clone/mypattern - GIT_OPS_REPO_PROD_REVISION: main - IOT_CONSUMER_IMAGE: iot-consumer - IOT_CONSUMER_YAML_PATH: ".iot_consumer.tag" - IOT_CONSUMER_BUILT_TAGS_PATH: .iot_consumer.built_tags - IOT_CONSUMER_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_CONSUMER_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_FRONTEND_IMAGE: iot-frontend - IOT_FRONTEND_YAML_PATH: ".iot_frontend.tag" - IOT_FRONTEND_BUILT_TAGS_PATH: ".iot_frontend.built_tags" - IOT_FRONTEND_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_FRONTEND_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_SWSENSOR_IMAGE: iot-software-sensor - IOT_SWSENSOR_YAML_PATH: ".machine_sensor.tag" - IOT_SWSENSOR_BUILT_TAGS_PATH: .machine_sensor.built_tags - IOT_SWSENSOR_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_SWSENSOR_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - IOT_ANOMALY_IMAGE: iot-anomaly-detection - IOT_ANOMALY_YAML_PATH: ".iot_anomaly_detection.tag" - IOT_ANOMALY_BUILT_TAGS_PATH: .iot_anomaly_detection.built_tags - IOT_ANOMALY_TEST_VALUES_PATH: overrides/values-test-imagedata.yaml - IOT_ANOMALY_PROD_VALUES_PATH: overrides/values-prod-imagedata.yaml - -# IOT_CONSUMER_IMAGE: iot-consumer -# IOT_CONSUMER_YAML_PATH: 'images(name==messaging).newTag' -# IOT_CONSUMER_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_CONSUMER_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_CONSUMER_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/messaging/messaging-is.yaml -# IOT_FRONTEND_IMAGE: iot-frontend -# IOT_FRONTEND_YAML_PATH: 'images(name==line-dashboard).newTag' -# IOT_FRONTEND_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_FRONTEND_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_FRONTEND_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/line-dashboard/line-dashboard-is.yaml -# IOT_SWSENSOR_IMAGE: iot-software-sensor -# IOT_SWSENSOR_YAML_PATH: 'images(name==machine-sensor).newTag' -# IOT_SWSENSOR_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_SWSENSOR_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_SWSENSOR_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/machine-sensor/machine-sensor-is.yaml -# IOT_ANOMALY_IMAGE: iot-anomaly-detection -# IOT_ANOMALY_YAML_PATH: 'images(name==anomaly-detection).newTag' -# IOT_ANOMALY_TEST_VALUES_PATH: charts/datacenter/manuela-tst/kustomization.yaml -# IOT_ANOMALY_PROD_VALUES_PATH: charts/factory/manuela-stormshift/kustomization.yaml -# IOT_ANOMALY_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/templates/anomaly-detection/anomaly-detection-is.yaml ---- -# Source: pipelines/templates/persistent-volume-claims/build-artifacts.rwo.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: build-artifacts-rwo -spec: - resources: - requests: - storage: 1Gi - volumeMode: Filesystem - accessModes: - - ReadWriteOnce ---- -# Source: pipelines/templates/persistent-volume-claims/gitrepos.rwo.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: gitrepos-rwo -spec: - resources: - requests: - storage: 1Gi - volumeMode: Filesystem - accessModes: - - ReadWriteOnce ---- -# Source: pipelines/templates/pipeline-from-manuela-ci-to-manuela-tst-all.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: admin - namespace: manuela-tst-all -subjects: - - kind: ServiceAccount - name: pipeline - namespace: manuela-ci -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin ---- -# Source: pipelines/templates/pipelines/build-and-test-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - name: argocd-env-secret - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - #value: datacenter-gitops-server.industrial-edge-datacenter.svc - value: "example-gitops-server.mypattern-example.svc" - - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version-iot-anomaly.results.image-tag) -p CONFIGMAP_PREFIX=IOT_ANOMALY -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection -p COMPONENT_NAME=iot-anomaly-detection - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-anomaly-detection ---- -# Source: pipelines/templates/pipelines/build-and-test-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - name: argocd-env-secret - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - #value: datacenter-gitops-server.industrial-edge-datacenter.svc - value: "example-gitops-server.mypattern-example.svc" - - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version-iot-consumer.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer ---- -# Source: pipelines/templates/pipelines/build-and-test.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-and-test -spec: - workspaces: - - name: gitrepos - - name: config - - name: argocd-env-secret - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: build-base-images - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-base-images - - --param - - PATH_CONTEXT=tekton/images/httpd-ionic - - --param - - DEV_REVISION=$(params.DEV_REVISION) - - --param - - OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY=IMAGE_PROVIDER - - --param - - OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY=IMAGE_ACCOUNT - - --param - - OUTPUT_IMAGE_NAME=httpd-ionic - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --showlog - - --nocolour - - - name: build-iot-anomaly-detection - runAfter: - - build-base-images - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-anomaly-detection - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-consumer - runAfter: - - build-iot-anomaly-detection - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-consumer - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-frontend - runAfter: - - build-iot-consumer - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-frontend - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: build-iot-software-sensor - runAfter: - - build-iot-frontend - taskRef: - name: tkn - params: - - name: ARGS - value: - - pipeline - - start - - build-iot-software-sensor - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: git-clone-dev - runAfter: - - build-iot-software-sensor - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-gitops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version - taskRef: - name: bumpversion - runAfter: - - git-clone-gitops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot_consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: build-messaging-image - taskRef: - name: s2i - runAfter: - - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: CHAINED_BUILD_DOCKERFILE - value: "" - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - build-messaging-image -# - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops-test - taskRef: - name: git-commit - runAfter: - - modify-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-test - taskRef: - name: github-push - runAfter: - - commit-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops-test - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - # datacenter-gitops-server.industrial-edge-datacenter.svc - value: "example-gitops-server.mypattern-example.svc" - - # - name: sensor-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully sent messages to broker..." - # - name: consumer-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully processed messages from broker..." - # - name: consumer-frontend-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully executed Websocket APIs..." - # - name: e2e-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - sensor-broker-test - # - consumer-broker-test - # - consumer-frontend-test - # params: - # - name: MESSAGE - # value: "e2e testsuite succesfully executed" - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer - # - name: OPENSHIFT_NAMESPACE - # value: manuela-tst-all - # - name: OPENSHIFT_IMAGESTREAM - # value: messaging ---- -# Source: pipelines/templates/pipelines/build-base-images.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-base-images -spec: - workspaces: - - name: gitrepos - - name: config - params: - - name: PATH_CONTEXT - type: string - default: tekton/images/httpd-ionic - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - type: string - default: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - type: string - default: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - type: string - default: httpd-ionic - - name: DEV_REVISION - type: string - default: main - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: buildah-build - taskRef: - name: buildah - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: $(params.PATH_CONTEXT) - - name: TAG - value: latest - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: $(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY) - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: $(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY) - - name: OUTPUT_IMAGE_NAME - value: $(params.OUTPUT_IMAGE_NAME) ---- -# Source: pipelines/templates/pipelines/build-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-frontend.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-frontend -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-frontend - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-frontend - - name: version_file_path - value: components/iot-frontend/VERSION - - - name: s2i-build-iot-frontend - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-frontend - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: CHAINED_BUILD_DOCKERFILE - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - - name: copy-image-to-remote-registry-iot-frontend - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-frontend - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_FRONTEND_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/build-iot-software-sensor.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: build-iot-software-sensor -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-software-sensor - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-swsensor - - name: version_file_path - value: components/iot-software-sensor/VERSION - - - name: s2i-build-iot-software-sensor - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - - name: copy-image-to-remote-registry-iot-software-sensor - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-software-sensor - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_SWSENSOR_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-test-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/just-pr.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: just-pr -spec: - workspaces: - - name: gitrepos - - name: config - - name: argocd-env-secret - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: $(params.DEV_REVISION) - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-gitops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version - taskRef: - name: bumpversion - runAfter: - - git-clone-gitops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot_consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: build-messaging-image - taskRef: - name: s2i - runAfter: - - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: CHAINED_BUILD_DOCKERFILE - value: "" - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - build-messaging-image -# - bump-build-version - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops-test - taskRef: - name: git-commit - runAfter: - - modify-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-test - taskRef: - name: github-push - runAfter: - - commit-ops-test - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - - name: argocd-sync-application - taskRef: - name: argocd-sync-and-wait - runAfter: - - push-ops-test - workspaces: - - name: argocd-env-secret - workspace: argocd-env-secret - params: - - name: application-name - #value: manuela-test-mypattern-example - value: manuela-test - - name: flags - value: --insecure - - name: argocd-version - value: "v1.5.2" - - name: revision - value: $(params.OPS_REVISION) - - name: argocd-server - # datacenter-gitops-server.industrial-edge-datacenter.svc - value: "example-gitops-server.mypattern-example.svc" - # - name: sensor-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully sent messages to broker..." - # - name: consumer-broker-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully processed messages from broker..." - # - name: consumer-frontend-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - argocd-sync-application - # params: - # - name: MESSAGE - # value: "succesfully executed Websocket APIs..." - # - name: e2e-test - # taskRef: - # name: mock - # kind: Task - # runAfter: - # - sensor-broker-test - # - consumer-broker-test - # - consumer-frontend-test - # params: - # - name: MESSAGE - # value: "e2e testsuite succesfully executed" - - name: test-all - taskRef: - name: tkn - runAfter: - - argocd-sync-application - params: - - name: ARGS - value: - - pipeline - - start - - test-all - - --showlog - - --nocolour - - - name: trigger-staging - taskRef: - name: openshift-instantiate-template - runAfter: - - test-all - params: - - name: TEMPLATE - value: stage-production-pipelinerun - - name: PARAMS - value: -p TAG=$(tasks.bump-build-version.results.image-tag) -p CONFIGMAP_PREFIX=IOT_CONSUMER -p SOURCE_IMAGE=image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging -p COMPONENT_NAME=iot-consumer - - - name: cleanup - taskRef: - name: cleanup - runAfter: - - trigger-staging - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: dev - - name: COMPONENT_NAME - value: iot-consumer - # - name: OPENSHIFT_NAMESPACE - # value: manuela-tst-all - # - name: OPENSHIFT_IMAGESTREAM - # value: messaging ---- -# Source: pipelines/templates/pipelines/seed-iot-anomaly-detection.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-anomaly-detection -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-anomaly - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-anomaly - - name: version_file_path - value: components/iot-anomaly-detection/VERSION - - - name: s2i-build-iot-anomaly - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - - name: copy-image-to-remote-registry-iot-anomaly - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-anomaly - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_ANOMALY_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-anomaly - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-anomaly.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-anomaly - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-consumer.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-consumer -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-consumer - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-consumer - - name: version_file_path - value: components/iot-consumer/VERSION - - - name: s2i-build-iot-consumer - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-consumer - - name: BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - - name: copy-image-to-remote-registry-iot-consumer - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-consumer - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_CONSUMER_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-consumer - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-consumer.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-consumer - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-frontend.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-frontend -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-frontend - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-frontend - - name: version_file_path - value: components/iot-frontend/VERSION - - - name: s2i-build-iot-frontend - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-frontend - - name: BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: CHAINED_BUILD_DOCKERFILE - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - - name: copy-image-to-remote-registry-iot-frontend - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-frontend - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_FRONTEND_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - - name: modify-ops-test-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-frontend - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-frontend.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-frontend - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed-iot-software-sensor.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed-iot-software-sensor -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - - tasks: - - name: git-clone-dev - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_DEV_REPO_URL - - name: revision - value: main - - name: subdirectory - value: dev - - name: deleteExisting - value: "true" - - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - runAfter: - - git-clone-dev - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_TEST_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: bump-build-version-iot-software-sensor - taskRef: - name: bumpversion - runAfter: - - git-clone-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: component_name - value: iot-swsensor - - name: version_file_path - value: components/iot-software-sensor/VERSION - - - name: s2i-build-iot-software-sensor - taskRef: - name: s2i - runAfter: - - bump-build-version-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: build-artifacts - workspace: build-artifacts - params: - - name: TLSVERIFY - value: "false" - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: OUTPUT_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - - name: copy-image-to-remote-registry-iot-software-sensor - taskRef: - name: skopeo-copy - runAfter: - - s2i-build-iot-software-sensor - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: SOURCE_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: TARGET_IMAGE_CONFIGMAPKEY - value: IOT_SWSENSOR_IMAGE - - - name: push-dev-tag - taskRef: - name: github-push - runAfter: - - copy-image-to-remote-registry-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: PUSH_FLAGS - value: --tags - - - name: modify-ops-test-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - push-dev-tag - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: TEST - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: modify-ops-prod-iot-software-sensor - taskRef: - name: gitops-imagetag - runAfter: - - modify-ops-test-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(tasks.bump-build-version-iot-software-sensor.results.image-tag) - - name: subdirectory - value: ops - - - name: commit-ops - taskRef: - name: git-commit - runAfter: - - modify-ops-prod-iot-software-sensor - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops - taskRef: - name: github-push - runAfter: - - commit-ops - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops ---- -# Source: pipelines/templates/pipelines/seed.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: seed -spec: - workspaces: - - name: gitrepos - - name: config - - name: build-artifacts - params: - - name: DEV_REVISION - type: string - default: main - - name: OPS_REVISION - type: string - default: main - tasks: - - name: build-base-images - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - build-base-images - - --param - - PATH_CONTEXT=tekton/images/httpd-ionic - - --param - - OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY=IMAGE_PROVIDER - - --param - - OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY=IMAGE_ACCOUNT - - --param - - OUTPUT_IMAGE_NAME=http-ionic - - --param - - DEV_REVISION=$(params.DEV_REVISION) - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-anomaly-detection - runAfter: - - build-base-images - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-anomaly-detection - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-consumer - runAfter: - - seed-iot-anomaly-detection - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-consumer - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-frontend - runAfter: - - seed-iot-consumer - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-frontend - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour - - - name: seed-iot-software-sensor - runAfter: - - seed-iot-frontend - taskRef: - name: tkn - kind: Task - params: - - name: ARGS - value: - - pipeline - - start - - seed-iot-software-sensor - - --workspace - - name=gitrepos,claimName=gitrepos-rwo - - --workspace - - name=config,config=environment - - --workspace - - name=build-artifacts,claimName=build-artifacts-rwo - - --showlog - - --nocolour ---- -# Source: pipelines/templates/pipelines/stage-production.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: stage-production -spec: - workspaces: - - name: gitrepos - - name: config - - name: github-secret - params: - - name: TAG - type: string - - name: SOURCE_IMAGE - type: string - - name: CONFIGMAP_PREFIX - type: string - - tasks: - - name: git-clone-ops - taskRef: - name: git-clone-with-tags - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: url_configmapkey - value: GIT_OPS_REPO_PROD_URL - - name: revision - value: main - - name: subdirectory - value: ops - - name: deleteExisting - value: "true" - - - name: copy-image-to-remote-registry - taskRef: - name: skopeo-copy - runAfter: - - git-clone-ops - workspaces: - - name: config - workspace: config - params: - - name: TAG - value: $(params.TAG) - - name: SOURCE_IMAGE - value: $(params.SOURCE_IMAGE) - - name: TARGET_IMAGE_CONFIGMAPKEY - value: $(params.CONFIGMAP_PREFIX)_IMAGE - - - name: checkout-staging-branch - taskRef: - name: git-checkout - runAfter: - - copy-image-to-remote-registry - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - name: BRANCH - value: staging-approval - - - name: modify-ops-prod - taskRef: - name: gitops-imagetag - runAfter: - - checkout-staging-branch - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: CONFIGMAP_PREFIX - value: $(params.CONFIGMAP_PREFIX) - - name: ENVIRONMENT - value: PROD - - name: TAG - value: $(params.TAG) - - name: subdirectory - value: ops - - - name: commit-ops-prod - taskRef: - name: git-commit - runAfter: - - modify-ops-prod - workspaces: - - name: gitrepos - workspace: gitrepos - - name: config - workspace: config - params: - - name: subdirectory - value: ops - - - name: push-ops-prod - taskRef: - name: github-push - runAfter: - - commit-ops-prod - workspaces: - - name: gitrepos - workspace: gitrepos - params: - - name: subdirectory - value: ops - - name: PUSH_FLAGS - value: --set-upstream origin staging-approval - - - name: github-pull-request - taskRef: - name: github-add-pull-request - runAfter: - - push-ops-prod - workspaces: - - name: config - workspace: config - - name: github-secret - workspace: github-secret - params: - - name: GITHUB_REPO_CONFIGMAPKEY - value: GIT_OPS_REPO_PROD_URL - - name: GIT_BRANCH_HEAD - value: staging-approval - - name: GIT_BRANCH_BASE - value: main ---- -# Source: pipelines/templates/pipelines/test-all.yaml -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: test-all -spec: - tasks: - - name: sensor-broker-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully sent messages to broker..." - - name: consumer-broker-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully processed messages from broker..." - - name: consumer-frontend-test - taskRef: - name: mock - kind: Task - params: - - name: MESSAGE - value: "succesfully executed Websocket APIs..." - - name: e2e-test - taskRef: - name: mock - kind: Task - runAfter: - - sensor-broker-test - - consumer-broker-test - - consumer-frontend-test - params: - - name: MESSAGE - value: "e2e testsuite succesfully executed" - # - name: fail - # taskRef: - # name: fail - # kind: Task - # runAfter: - # - e2e-test ---- -# Source: pipelines/templates/tasks/argocd-sync-and-wait.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: argocd-sync-and-wait -spec: - workspaces: - - name: argocd-env-secret - params: - - name: application-name - type: string - description: name of the application to sync - - name: revision - type: string - description: the revision to sync to - default: main - - name: flags - type: string - default: -- - - name: argocd-version - type: string - default: v1.5.2 - - name: argocd-server - type: string - default: openshift-gitops-server.openshift-gitops.svc - steps: - - name: login-sync-wait - image: argoproj/argocd:$(params.argocd-version) - command: ["/bin/bash", "-c"] - args: - - if [ -z $ARGOCD_AUTH_TOKEN ]; then - yes | argocd login $(params.argocd-server) --grpc-web $(params.flags) --username=$(cat $(workspaces.argocd-env-secret.path)/ARGOCD_USERNAME) --password=$(cat $(workspaces.argocd-env-secret.path)/ARGOCD_PASSWORD); - fi; - - argocd app sync $(params.application-name) --revision $(params.revision) $(params.flags); - - argocd app wait $(params.application-name) --health $(params.flags); ---- -# Source: pipelines/templates/tasks/buildah.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: buildah -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - results: - - name: image - description: The image+tag that was created - params: - - name: PATH_CONTEXT - default: . - description: The location of the path to run s2i from. - type: string - - name: TLSVERIFY - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - type: string - - name: subdirectory - default: "dev" - description: subdirectory in the gitrepos workspace where the dev repo has been cloned to - type: string - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - type: string - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - type: string - - name: OUTPUT_IMAGE_NAME - type: string - - name: TAG - default: latest - type: string - - name: DOCKERFILE - default: Dockerfile - type: string - steps: - - name: build - image: quay.io/buildah/stable:v1.11.0 - script: | - PROVIDER=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY)) - ACCOUNT=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY)) - OUTPUT_IMAGE="$PROVIDER/$ACCOUNT/$(params.OUTPUT_IMAGE_NAME)" - buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f $(params.DOCKERFILE) -t $OUTPUT_IMAGE - resources: {} - securityContext: - privileged: false - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory)/$(params.PATH_CONTEXT) - - name: push - image: quay.io/buildah/stable:v1.11.0 - script: | - PROVIDER=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY)) - ACCOUNT=$(cat $(workspaces.config.path)/$(params.OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY)) - OUTPUT_IMAGE="$PROVIDER/$ACCOUNT/$(params.OUTPUT_IMAGE_NAME)" - buildah push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) $OUTPUT_IMAGE docker://$OUTPUT_IMAGE:$(params.TAG) - echo -n "$OUTPUT_IMAGE:$(params.TAG)" >$(results.image.path) - resources: {} - securityContext: - privileged: false - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - volumes: - - emptyDir: {} - name: varlibcontainers ---- -# Source: pipelines/templates/tasks/bumpversion.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: bumpversion -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "dev" - - name: component_name - description: component name - type: string - - name: version_file_path - description: path within subdirectory where the base VERSION of the component resides - type: string - results: - - name: image-tag - description: the new build version based on the last tags and VERSION file - - name: git-tag - description: the new build version based on the last tags and VERSION file - steps: - - name: current-tag - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - VERSION_GLOB="build-$(params.component_name)-$(cat $(params.version_file_path))-*" - - # existing tag based on glob - LAST_TAG=$(git tag --sort "version:refname" -l $VERSION_GLOB | tail -n 1) - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] ; then - exit $EXIT_CODE - fi - - # if tag doesn't exist, create new one - if [ "$LAST_TAG" == "" ] ; then - LAST_TAG="build-$(params.component_name)-$(cat $(params.version_file_path))-0" - fi - - # Make sure we don't add a trailing newline to the result! - echo -n "$LAST_TAG" >/scratch/VERSION - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: bump-tag - image: quay.io/hybridcloudpatterns/bumpversiontask:latest - script: | - cd /scratch - echo -e "[bumpversion]\ncurrent_version = $(cat VERSION)" >.bumpversion.cfg - cat <>.bumpversion.cfg - commit = False - tag = False - parse = (?P.*)\-(?P\d+)\.(?P\d+)\.(?P\d+)\-(?P\d+) - serialize = {prefix}-{major}.{minor}.{patch}-{build:03d} - - [bumpversion:part:build] - - [bumpversion:file:VERSION] - EOF - - bump2version build /scratch/VERSION - - sed "s/build-$(params.component_name)-//" /scratch/VERSION >$(results.image-tag.path) - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: tag-repo - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - VERSION=$(cat /scratch/VERSION) - git tag $VERSION - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] ; then - exit $EXIT_CODE - fi - echo -n "$VERSION" > $(results.git-tag.path) - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - volumes: - - emptyDir: {} - name: scratch ---- -# Source: pipelines/templates/tasks/cleanup.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: cleanup -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: dev - - name: COMPONENT_NAME - description: component name - type: string - - name: NUMBER_OF_TAGS_TO_KEEP - type: string - default: "5" - - name: GITHUB_USERNAME_CONFIGMAPKEY - default: user - type: string - - name: GITHUB_TOKEN_CONFIGMAPKEY - default: token - type: string - # - name: OPENSHIFT_NAMESPACE - # default: manuela-tst-all - # type: string - # - name: OPENSHIFT_IMAGESTREAM - # default: messaging - # type: string - steps: - - name: cleanup-git-tags - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - #list build tags for component in repo - BUILD_TAG_GLOB="build-$(params.COMPONENT_NAME)-*" - git tag --sort "version:refname" -l $BUILD_TAG_GLOB >/scratch/tags - - #identify build tags to keep - tail -n $(params.NUMBER_OF_TAGS_TO_KEEP) /scratch/tags >/scratch/keep - - #identify build tags to be deleted - diff /scratch/tags /scratch/keep | grep \^-build | cut -c2- > /scratch/delete - - #delete build tags - for TAG in $(cat /scratch/delete); do - git push origin :$TAG - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - done - volumeMounts: - - mountPath: /scratch - name: scratch - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - # - name: cleanup-test-images - # image: quay.io/openshift/origin-cli:latest - # script: | - # oc get is -n $(params.OPENSHIFT_NAMESPACE) $(params.OPENSHIFT_IMAGESTREAM) -o jsonpath='{.status.tags..tag}' | tr " " "\n" | grep build- | comm -23 - /scratch/keep >/scratch/delete_istags - # EXIT_CODE="$?" - # if [ "$EXIT_CODE" != 0 ] - # then - # exit $EXIT_CODE - # fi - # for TAG in $(cat /scratch/delete_istags); do - # oc tag -n $(params.OPENSHIFT_NAMESPACE) -d $(params.OPENSHIFT_IMAGESTREAM):$TAG - # EXIT_CODE="$?" - # if [ "$EXIT_CODE" != 0 ] - # then - # exit $EXIT_CODE - # fi - # done - # volumeMounts: - # - mountPath: /scratch - # name: scratch - # workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - volumes: - - emptyDir: {} - name: scratch ---- -# Source: pipelines/templates/tasks/fail.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: fail -spec: - steps: - - name: fail - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - exit 1 ---- -# Source: pipelines/templates/tasks/git-checkout.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-checkout -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: BRANCH - description: branch to check out or to create - type: string - default: main - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - results: - - name: commit - description: The precise commit SHA that is HEAD of the checked out branch - steps: - - name: checkout - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - BRANCH=$(params.BRANCH) - git checkout -q --track -b $BRANCH origin/$BRANCH 2>&1 || git checkout -q -b $BRANCH 2>&1 - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')" - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - # Make sure we don't add a trailing newline to the result! - echo -n "$RESULT_SHA" > $(results.commit.path) - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/git-clone-with-tags.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-clone-with-tags -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: url_configmapkey - description: git url to clone - type: string - - name: revision - description: git revision to checkout (branch, tag, sha, ref…) - type: string - default: main - - name: submodules - description: defines if the resource should initialize and fetch the submodules - type: string - default: "true" - - name: depth - description: performs a shallow clone where only the most recent commit(s) will be fetched - type: string - default: "1" - - name: sslVerify - description: defines if http.sslVerify should be set to true or false in the global git config - type: string - default: "true" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "" - - name: deleteExisting - description: clean out the contents of the repo's destination directory (if it already exists) before trying to clone the repo there - type: string - default: "false" - results: - - name: commit - description: The precise commit SHA that was fetched by this Task - steps: - - name: clone - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - CHECKOUT_DIR="$(workspaces.gitrepos.path)/$(params.subdirectory)" - - cleandir() { - # Delete any existing contents of the repo directory if it exists. - # - # We don't just "rm -rf $CHECKOUT_DIR" because $CHECKOUT_DIR might be "/" - # or the root of a mounted volume. - if [[ -d "$CHECKOUT_DIR" ]] ; then - # Delete non-hidden files and directories - rm -rf "$CHECKOUT_DIR"/* - # Delete files and directories starting with . but excluding .. - rm -rf "$CHECKOUT_DIR"/.[!.]* - # Delete files and directories starting with .. plus any other character - rm -rf "$CHECKOUT_DIR"/..?* - fi - } - - if [[ "$(params.deleteExisting)" == "true" ]] ; then - cleandir - fi - - /ko-app/git-init \ - -url "$(cat $(workspaces.config.path)/$(params.url_configmapkey))" \ - -revision "$(params.revision)" \ - -path "$CHECKOUT_DIR" \ - -sslVerify="$(params.sslVerify)" \ - -submodules="$(params.submodules)" \ - -depth="$(params.depth)" - cd "$CHECKOUT_DIR" - - git fetch --tags - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - # Seems the go git client checks out master regardless. This allows for 'main' or another branch to be used - git checkout $(params.revision) - git branch --set-upstream-to=origin/$(params.revision) - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')" - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - # Make sure we don't add a trailing newline to the result! - echo -n "$RESULT_SHA" > $(results.commit.path) ---- -# Source: pipelines/templates/tasks/git-commit.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-commit -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - description: configmap contents - params: - - name: GIT_EMAIL_CONFIGMAPKEY - default: GIT_EMAIL - type: string - - name: MESSAGE - description: commit message - type: string - default: "change made by Tekton task" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - steps: - - name: commit - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - git diff - git config --global user.email "$(cat $(workspaces.config.path)/$(params.GIT_EMAIL_CONFIGMAPKEY))" - git config --global user.name "Tekton Automation" - git add . - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - - #only commit if there is something which has changed - git diff --staged --quiet || git commit -m "$(params.MESSAGE)" - - EXIT_CODE="$?" - if [ "$EXIT_CODE" != 0 ] - then - exit $EXIT_CODE - fi - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/github-add-pull-request.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: github-add-pull-request -spec: - workspaces: - - name: config - - name: github-secret - params: - - name: PULL_REQUEST_BODY - description: The body to be used for the pull request - type: string - default: "" - - name: PULL_REQUEST_TITLE - description: Title of the pull request - type: string - default: "Pull request created by Tekton task github-add-pull-request" - - name: GITHUB_REPO_CONFIGMAPKEY - description: The github owner/repo to use - type: string - - name: GIT_BRANCH_HEAD - description: The branch to pull from - type: string - default: approve - - name: GIT_BRANCH_BASE - description: The branch to pull into - type: string - default: main - steps: - - name: create-pull-request - image: curlimages/curl - script: | - GITREPO=$(cat $(workspaces.config.path)/$(params.GITHUB_REPO_CONFIGMAPKEY)) - PULLREQUEST_API_ENDPOINT=$(echo -n "$GITREPO" | sed "s|github.com|api.github.com/repos|" | sed "s/\.git$//g")/pulls - curl -v -u :$(cat $(workspaces.github-secret.path)/password) $PULLREQUEST_API_ENDPOINT -d '{"title":"$(params.PULL_REQUEST_TITLE)","body":"$(params.PULL_REQUEST_BODY)","head":"$(params.GIT_BRANCH_HEAD)","base":"$(params.GIT_BRANCH_BASE)"}' ---- -# Source: pipelines/templates/tasks/github-push.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: github-push -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - params: - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "dev" - - name: PUSH_FLAGS - description: additional flags for git push - type: string - default: "" - steps: - - name: push - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3 - script: | - git remote -v - git branch - git branch -r | grep -q origin/$(git rev-parse --abbrev-ref HEAD) && git pull --ff-only --no-edit - git log -n 2 - git push -v $(params.PUSH_FLAGS) - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/gitops-imagetag.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: gitops-imagetag -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: config - params: - - name: CONFIGMAP_PREFIX - type: string - - name: ENVIRONMENT - type: string - default: TEST - description: TEST or PROD - - name: TAG - description: the VERSION tag - type: string - - name: TRUNCATE_IMAGESTREAM_TAGS_AFTER - type: string - description: Number of image stream tags to keep - default: "4" - - name: subdirectory - description: subdirectory inside the "gitrepos" workspace to clone the git repo into - type: string - default: "ops" - steps: - - name: update-tag - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - TAG_VALUE=$(params.TAG) - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - YAML_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_YAML_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_YAML_PATH) : $YAML_PATH" - yq "$YAML_PATH = \"$TAG_VALUE\"" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: update-built-tags - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - TAG_VALUE=$(params.TAG) - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - BUILT_TAGS_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH) : $BUILT_TAGS_PATH" - yq "$BUILT_TAGS_PATH += [ \"$TAG_VALUE\" ]" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: prune-built-tags - image: quay.io/hybridcloudpatterns/yq:latest - script: | - set -x - VALUES_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_$(params.ENVIRONMENT)_VALUES_PATH)" - ls -al $VALUES_PATH - BUILT_TAGS_PATH="$(cat $(workspaces.config.path)/$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH)" - echo "$(params.CONFIGMAP_PREFIX)_BUILT_TAGS_PATH) : $BUILT_TAGS_PATH" - ARRAY_COUNT=$(yq "$BUILT_TAGS_PATH | length" $VALUES_PATH) - echo $ARRAY_COUNT - if [ "$ARRAY_COUNT" -gt "$(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)" ]; then - MIN_KEY=$(echo | yq "$ARRAY_COUNT - $(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)") - yq "del(${BUILT_TAGS_PATH}[] | select(key < $MIN_KEY))" $VALUES_PATH > $VALUES_PATH.tmp - mv $VALUES_PATH.tmp $VALUES_PATH - else - echo "$BUILT_TAGS_PATH currently has $ARRAY_COUNT tags, will prune at $(params.TRUNCATE_IMAGESTREAM_TAGS_AFTER)" - fi - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) ---- -# Source: pipelines/templates/tasks/mock.yaml -kind: Task -apiVersion: tekton.dev/v1beta1 -metadata: - name: mock -spec: - params: - - name: MESSAGE - type: string - description: | - The message to echo. - default: "Hello from mock-task" - steps: - - image: node # contains node - script: | - #!/usr/bin/env node - console.log("$(params.MESSAGE)") ---- -# Source: pipelines/templates/tasks/openshift-instantiate-template.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: openshift-instantiate-template -spec: - params: - - name: TEMPLATE - type: string - - name: PARAMS - type: string - steps: - - name: instantiate-template - image: quay.io/openshift/origin-cli:latest - script: | - oc process $(params.TEMPLATE) $(params.PARAMS) | oc create -f - ---- -# Source: pipelines/templates/tasks/s2i.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: s2i -spec: - workspaces: - - name: gitrepos - description: The git repo will be cloned onto the volume backing this workspace - - name: build-artifacts - description: The maven repo for java builds - results: - - name: image - description: The image+tag that was created - params: - - name: BUILDER_IMAGE - description: The location of the s2i builder image. - type: string - - name: PATH_CONTEXT - default: . - description: The location of the path to run s2i from. - type: string - - name: TLSVERIFY - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - type: string - - name: LOGLEVEL - default: "0" - description: Log level when running the S2I binary - type: string - - name: subdirectory - default: "dev" - description: subdirectory in the gitrepos workspace where the dev repo has been cloned to - type: string - - name: OUTPUT_IMAGE - type: string - - name: TAG - default: latest - type: string -# only for java builds - - name: MAVEN_ARGS_APPEND - default: "" - description: Additional Maven arguments - type: string - - name: MAVEN_CLEAR_REPO - default: "false" - description: Remove the Maven repository after the artifact is built - type: string - - name: MAVEN_MIRROR_URL - default: "" - description: The base URL of a mirror used for retrieving artifacts - type: string - - name: CHAINED_BUILD_DOCKERFILE - default: "" - description: If a chained build is to be executed, the second part of the DOCKERFILE - type: string - steps: - - name: prepare-env - image: quay.io/openshift-pipeline/s2i - script: | - if [[ "$(params.BUILDER_IMAGE)" == *"jdk"* ]] || [[ "$(params.BUILDER_IMAGE)" == *"java"* ]]; then - echo "MAVEN_CLEAR_REPO=$(params.MAVEN_CLEAR_REPO)" > env-file - - [[ '$(params.MAVEN_ARGS_APPEND)' != "" ]] && - echo "MAVEN_ARGS_APPEND=$(params.MAVEN_ARGS_APPEND)" >> env-file - - [[ '$(params.MAVEN_MIRROR_URL)' != "" ]] && - echo "MAVEN_MIRROR_URL=$(params.MAVEN_MIRROR_URL)" >> env-file - - #create build artifacts cache directory - if [[ ! -d $(workspaces.build-artifacts.path)/m2 ]]; then - mkdir $(workspaces.build-artifacts.path)/m2 - chmod a+rwx $(workspaces.build-artifacts.path)/m2 - fi - echo "MAVEN_LOCAL_REPO=/ba/m2" >> env-file - - echo "Generated Env file" - echo "------------------------------" - cat env-file - echo "------------------------------" - - echo "s2i build --loglevel=$(params.LOGLEVEL) $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) --image-scripts-url image:///usr/local/s2i --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-params/env-file" >s2icommand - echo "buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f /gen-source/Dockerfile.gen -t `basename $(params.OUTPUT_IMAGE)` -v $(workspaces.build-artifacts.path)/m2:/ba/m2 ." >buildahcommand - fi - volumeMounts: - - mountPath: /env-params - name: envparams - workingDir: /env-params - - name: generate - image: quay.io/openshift-pipeline/s2i - # command: - # - s2i - # - build - # - --loglevel=$(params.LOGLEVEL) - # - $(params.PATH_CONTEXT) - # - $(params.BUILDER_IMAGE) - # - --as-dockerfile - # - /gen-source/Dockerfile.gen - script: | - if [ -f /env-params/s2icommand ]; then - source /env-params/s2icommand - else - s2i build --loglevel=$(params.LOGLEVEL) $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) --as-dockerfile /gen-source/Dockerfile.gen - fi - if [[ -n "$(params.CHAINED_BUILD_DOCKERFILE)" ]]; then - echo "$(params.CHAINED_BUILD_DOCKERFILE)" >>/gen-source/Dockerfile.gen - fi - resources: {} - volumeMounts: - - mountPath: /gen-source - name: gen-source - - mountPath: /env-params - name: envparams - workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory) - - name: build - image: quay.io/buildah/stable:v1.11.0 - script: | - if [ -f /env-params/buildahcommand ]; then - source /env-params/buildahcommand - else - buildah bud --tls-verify=$(params.TLSVERIFY) --storage-driver=vfs -f /gen-source/Dockerfile.gen -t `basename $(params.OUTPUT_IMAGE)` . - fi - resources: {} - securityContext: - privileged: false # LRC Changed from true - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /gen-source - name: gen-source - - mountPath: /env-params - name: envparams - workingDir: /gen-source - - name: push - image: quay.io/buildah/stable:v1.11.0 - script: | - buildah push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) `basename $(params.OUTPUT_IMAGE)` docker://$(params.OUTPUT_IMAGE):$(params.TAG) - echo -n "$(params.OUTPUT_IMAGE):$(params.TAG)" >$(results.image.path) - resources: {} - securityContext: - privileged: false # LRC Changed from true - capabilities: - add: ["SETFCAP"] - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - volumes: - - emptyDir: {} - name: varlibcontainers - - emptyDir: {} - name: gen-source - - emptyDir: {} - name: envparams ---- -# Source: pipelines/templates/tasks/skopeo-copy.yaml -kind: Task -apiVersion: tekton.dev/v1beta1 -metadata: - name: skopeo-copy -spec: - workspaces: - - name: config - description: configmap contents - params: - - name: TAG - type: string - - name: SOURCE_IMAGE - type: string - - name: TARGET_IMAGE_CONFIGMAPKEY - type: string - steps: - - name: skopeo-copy - image: quay.io/redhat-emea-ssa-team/skopeo-ubi:latest - script: | - skopeo copy --src-tls-verify=false --dest-tls-verify=false docker://$(params.SOURCE_IMAGE):$(params.TAG) docker://$(cat $(workspaces.config.path)/IMAGE_PROVIDER)/$(cat $(workspaces.config.path)/IMAGE_ACCOUNT)/$(cat $(workspaces.config.path)/$(params.TARGET_IMAGE_CONFIGMAPKEY)):$(params.TAG) ---- -# Source: pipelines/templates/tasks/tkn.yaml -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: tkn -spec: - params: - - name: tkn-image - description: tkn CLI container image to run this task - default: gcr.io/tekton-releases/dogfooding/tkn - - name: ARGS - type: array - description: tkn CLI arguments to run - steps: - - name: tkn - image: "$(params.tkn-image)" - command: ["/usr/local/bin/tkn"] - args: ["$(params.ARGS)"] ---- -# Source: pipelines/templates/templates/build-image-bumpversion.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-bumpversion -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-bumpversion- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Mi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/bumpversiontask - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: bumpversion ---- -# Source: pipelines/templates/templates/build-image-httpd-ionic.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-httpd-ionic -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-httpd-ionic- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Gi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/httpd-ionic - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: httpd-ionic ---- -# Source: pipelines/templates/templates/build-image-pushprox.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-image-pushprox -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-image-pushprox- - spec: - pipelineRef: - name: build-images - workspaces: - - name: config - configMap: - name: environment - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 128Mi - # persistentVolumeClaim: - # claimName: build-images - params: - - name: PATH_CONTEXT - value: tekton/images/pushprox - - name: OUTPUT_IMAGE_PROVIDER_CONFIGMAPKEY - value: IMAGE_PROVIDER - - name: OUTPUT_IMAGE_ACCOUNT_CONFIGMAPKEY - value: IMAGE_ACCOUNT - - name: OUTPUT_IMAGE_NAME - value: pushprox - - name: DEV_REVISION - value: pushprox ---- -# Source: pipelines/templates/templates/build-iot-anomaly-detection.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-anomaly-detection -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-anomaly-detection- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-anomaly-detection - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/python-38-rhel7 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/anomaly-detection - - name: PATH_CONTEXT - value: components/iot-anomaly-detection - - name: COMPONENT_NAME - value: iot-anomaly - - name: CONFIGMAP_PREFIX - value: IOT_ANOMALY ---- -# Source: pipelines/templates/templates/build-iot-consumer.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-consumer -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-consumer- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-consumer - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: registry.access.redhat.com/rhscl/nodejs-10-rhel7 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/messaging - - name: PATH_CONTEXT - value: components/iot-consumer - - name: COMPONENT_NAME - value: iot-consumer - - name: CONFIGMAP_PREFIX - value: IOT_CONSUMER ---- -# Source: pipelines/templates/templates/build-iot-frontend.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-frontend -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-frontend- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-frontend - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/hybridcloudpatterns/ubi8-s2i-web-app - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/line-dashboard - - name: PATH_CONTEXT - value: components/iot-frontend - - name: COMPONENT_NAME - value: iot-frontend - - name: CONFIGMAP_PREFIX - value: IOT_FRONTEND - - name: CHAINED_BUILD_DOCKERFILE - #value: "FROM centos/httpd-24-centos7\nCOPY --from=0 /opt/app-root/output /var/www/html/" - value: "FROM quay.io/hybridcloudpatterns/httpd-ionic\nCOPY --from=0 /opt/app-root/output /var/www/html/" ---- -# Source: pipelines/templates/templates/build-iot-software-sensor-quarkus.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-software-sensor-quarkus -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-software-sensor-quarkus- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-software-sensor - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: quay.io/quarkus/ubi-quarkus-native-s2i:19.3.1-java11 - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: PATH_CONTEXT - value: components/iot-software-sensor-quarkus - - name: COMPONENT_NAME - value: iot-swsensor - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR ---- -# Source: pipelines/templates/templates/build-iot-software-sensor.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: build-iot-software-sensor -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: build-and-test-iot-software-sensor- - spec: - pipelineRef: - name: build-and-test - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-software-sensor - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - params: - - name: S2I_BUILDER_IMAGE - value: registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift - - name: LOCAL_IMAGE - value: image-registry.openshift-image-registry.svc:5000/manuela-tst-all/machine-sensor - - name: PATH_CONTEXT - value: components/iot-software-sensor - - name: COMPONENT_NAME - value: iot-swsensor - - name: CONFIGMAP_PREFIX - value: IOT_SWSENSOR ---- -# Source: pipelines/templates/templates/seed.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: seed -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: seed- - spec: - pipelineRef: - name: seed - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: build-artifacts - # persistentVolumeClaim: - # claimName: build-artifacts - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - - name: gitrepos - # persistentVolumeClaim: - # claimName: iot-consumer - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: pipelines/templates/templates/stage-production-pipelinerun.yaml -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: stage-production-pipelinerun -objects: -- apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: stage-production-${COMPONENT_NAME}- - spec: - pipelineRef: - name: stage-production - params: - - name: TAG - value: ${TAG} - - name: SOURCE_IMAGE - value: ${SOURCE_IMAGE} - - name: CONFIGMAP_PREFIX - value: ${CONFIGMAP_PREFIX} - workspaces: - - name: config - configMap: - name: environment - - name: argocd-env-secret - secret: - secretName: argocd-env - - name: github-secret - secret: - secretName: git-repo-credentials - - name: gitrepos - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - # persistentVolumeClaim: - # claimName: stage-production -parameters: -- name: TAG -- name: SOURCE_IMAGE -- name: CONFIGMAP_PREFIX -- name: COMPONENT_NAME diff --git a/tests/factory-manuela-stormshift-industrial-edge-factory.expected.yaml b/tests/factory-manuela-stormshift-industrial-edge-factory.expected.yaml deleted file mode 100644 index 1c5256f27..000000000 --- a/tests/factory-manuela-stormshift-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,926 +0,0 @@ ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-configmap.config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: line-dashboard-configmap - namespace: manuela-stormshift-line-dashboard - labels: - app.kubernetes.io/instance: manuela-stormshift -data: - "config.json": |- - { - "websocketHost": "http://messaging-manuela-stormshift-messaging.apps.region.example.com", - "websocketPath": "/api/service-web/socket", - "SERVER_TIMEOUT": "20000" - } ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-1-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-1 - namespace: manuela-stormshift-machine-sensor -data: - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-stormshift-messaging.apps.region.example.com" - MQTT_PORT: "80" - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-1" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_PASSWORD: "iotuser" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "18" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "15" - SENSOR_VIBRATION_PEAKINTETVAL: "20" ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-2-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-2 - namespace: manuela-stormshift-machine-sensor -data: - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-stormshift-messaging.apps.region.example.com" - MQTT_PORT: "80" - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-2" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_PASSWORD: "iotuser" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "17" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "12" - SENSOR_VIBRATION_PEAKINTETVAL: "200" ---- -# Source: manuela-stormshift/templates/messaging-kafka/mqtt2kafka-config.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: mqtt2kafka-config - namespace: manuela-stormshift-messaging -# DO NOT DELETE. NEEDED BY THE mqtt2kafka-integration SERVICE ---- -# Source: manuela-stormshift/templates/messaging/messaging-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: messaging-configmap - namespace: manuela-stormshift-messaging -data: - VIBRATION_ALERT_ENABLED: "true" - VIBRATION_ANOMALY_ENABLED: "true" - NODE_TLS_REJECT_UNAUTHORIZED: "0" - MQTT_BROKER: "ws://broker-amq-mqtt-all-0-svc:61616" - MQTT_PASSWORD: "iotuser" - MQTT_USER: "iotuser" - PORT: "3000" - SOCKET_PATH: "/api/service-web/socket" - TEMPERATURE_THRESHOLD: "70.0" - TEMPERATURE_ALERT_ENABLED: "true" - TOPIC_GPS: "iot-sensor/sw/gps" - TOPIC_TEMPERATURE: "iot-sensor/sw/temperature" - TOPIC_VIBRATION: "iot-sensor/sw/vibration" - TOPIC_LIGHT: "iot-sensor/sw/light" - ANOMALY_DETECTION_URL: "http://anomaly-detection-predictor:8000" ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: line-dashboard - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - ports: - - name: 8080-tcp - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: line-dashboard - deploymentconfig: line-dashboard - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-stormshift/templates/messaging/messaging-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: messaging - name: messaging - namespace: manuela-stormshift-messaging -spec: - ports: - - name: 3000-tcp - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: messaging - deploymentconfig: messaging - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: line-dashboard - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentconfig: line-dashboard - template: - metadata: - creationTimestamp: null - labels: - app: line-dashboard - deploymentconfig: line-dashboard - name: line-dashboard - spec: - containers: - - name: line-dashboard - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-line-dashboard/line-dashboard:0.3.1 - #imagePullPolicy: Always - ports: - - containerPort: 8080 - name: http - protocol: TCP - volumeMounts: - # the following mountpath is used for images which are based on the HTTPD base images, i.e. built using the CI/CD pipelines - - mountPath: /var/www/html/conf - name: line-dashboard-configmap-vol - # the following mountpath is used for images based directly on the NodeJS builder image, i.e. when deploying images built in the iotdemo namespace during quickstart - - mountPath: /opt/app-root/output/conf/config.json - name: line-dashboard-configmap-vol - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - volumes: - - name: line-dashboard-configmap-vol - configMap: - defaultMode: 438 - name: line-dashboard-configmap ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-1-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-1 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-1 - namespace: manuela-stormshift-machine-sensor -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-1 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: d0db3e611e43225b080d4e6f46dd80633b9e7c49587d32c39bacf82ea50d068b - labels: - application: machine-sensor-1 - deploymentConfig: machine-sensor-1 - name: machine-sensor-1 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-machine-sensor/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-1 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-2-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-2 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-2 - namespace: manuela-stormshift-machine-sensor -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-2 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: a44c9424f1b7f9d199f553b8651e0e5dc568e5c58f640c4634a35f1f5b3e5ad9 - labels: - application: machine-sensor-2 - deploymentConfig: machine-sensor-2 - name: machine-sensor-2 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-machine-sensor/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-2 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-stormshift/templates/messaging/messaging-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: messaging - name: messaging - namespace: manuela-stormshift-messaging -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: messaging - strategy: - type: RollingUpdate - template: - metadata: - labels: - app: messaging - deploymentconfig: messaging - spec: - containers: - - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-messaging/messaging:0.3.2 - imagePullPolicy: Always - name: messaging - ports: - - containerPort: 3000 - protocol: TCP - envFrom: - - configMapRef: - name: messaging-configmap - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /health - port: 3000 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /health - port: 3000 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 ---- -# Source: manuela-stormshift/templates/factory-mirror-maker/factory-to-central-mirror-maker2.yaml -#apiVersion: kafka.strimzi.io/v1beta2 -#kind: KafkaMirrorMaker2 -#metadata: -# name: factory-to-central-mm2 -# namespace: manuela-stormshift-messaging -#spec: -# version: 3.1.0 -# replicas: 1 -# connectCluster: production-kafka-cluster -# clusters: -# - alias: production-kafka-cluster -# bootstrapServers: 'bootstrap-manuela-data-lake-kafka-cluster.apps.hub.example.com:443' -# #bootstrapServers: 'bootstrap-manuela-data-lake-kafka-cluster.apps.industrial-factory-1.blueprints.rhecoeng.com:443' -# # -# # TODO: This is a secret that we will need to create in the manuela-stormshift-messaging namespace -# # -# tls: -# trustedCertificates: -# - certificate: ca.crt -# secretName: prod-kafka-cluster-cluster-ca-cert -# - alias: factory-kafka-cluster -# bootstrapServers: 'factory-kafka-cluster-kafka-bootstrap.manuela-stormshift-messaging.svc:9092' -# config: -# config.storage.replication.factor: 1 -# offset.storage.replication.factor: 1 -# status.storage.replication.factor: 1 -# mirrors: -# - sourceCluster: factory-kafka-cluster -# targetCluster: production-kafka-cluster -# sourceConnector: -# config: -# replication.factor: 1 -# offset-syncs.topic.replication.factor: 1 -# sync.topic.acls.enabled: 'false' -# heartbeatConnector: -# config: -# heartbeats.topic.replication.factor: 1 -# checkpointConnector: -# config: -# checkpoints.topic.replication.factor: 1 -# topicsPattern: .* -# groupsPattern: .* ---- -# Source: manuela-stormshift/templates/messaging/amq-broker.yaml -apiVersion: broker.amq.io/v2alpha4 -kind: ActiveMQArtemis -metadata: - name: broker-amq-mqtt - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - deploymentPlan: - size: 1 - image: registry.redhat.io/amq7/amq-broker:7.6 - # requireLogin: false - # persistenceEnabled: false - journalType: nio - messageMigration: false - console: - expose: true - acceptors: - - name: all - port: 61616 - expose: true - # - name: amqp - # protocols: amqp - # port: 5672 - # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: localhost - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ - # - name: mqtt - # protocols: mqtt - # port: 1883 - # # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: broker-amq-mqtt - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ ---- -# Source: manuela-stormshift/templates/anomaly-detection/anomaly-detection-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - labels: - application: anomaly-detection - name: anomaly-detection - namespace: manuela-stormshift-messaging -spec: - lookupPolicy: - local: false - tags: - - name: 0.3.2 - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-anomaly-detection:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-frontend:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: machine-sensor - namespace: manuela-stormshift-machine-sensor -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-software-sensor:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/messaging/messaging-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: messaging - namespace: manuela-stormshift-messaging -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.2" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-consumer:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/messaging-kafka/mqtt2kafka-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: mqtt2kafka-integration - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: mqtt2kafka-config - profile: OpenShift - sources: - - content: | - package com.redhat.manuela.routes; - - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.kafka.KafkaConstants; - import org.apache.camel.model.OnCompletionDefinition; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - - public class MQTT2KafkaRoute extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(MQTT2KafkaRoute.class); - - @Override - public void configure() throws Exception { - storeTemperatureInKafka(); - storeVibrationInKafka(); - //readTemperatureFromKafka(); - //readVibrationFromKafka(); - } - - private void storeTemperatureInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/temperature?brokerUrl=tcp://broker-amq-mqtt-all-0-svc:61616&clientId=MQTT2KafkaRoute-temp") - .log("Storing temperature message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - //.setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void storeVibrationInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/vibration?brokerUrl=tcp://broker-amq-mqtt-all-0-svc:61616&clientId=MQTT2KafkaRoute-vibr") - .log("Storing vibration message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - // .setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void readTemperatureFromKafka() { - from("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - private void readVibrationFromKafka() { - from("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: MQTT2KafkaRoute.java ---- -# Source: manuela-stormshift/templates/messaging-kafka/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - namespace: manuela-stormshift-messaging - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/earlyaccess/all@id=redhat.ea ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: factory-kafka-cluster - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - configuration: - bootstrap: - host: bootstrap-factory-kafka-cluster.apps.region.example.com - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-stormshift/templates/factory-mirror-maker/factory-mirror-maker.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaMirrorMaker -metadata: - name: factory-to-central-mm - namespace: manuela-stormshift-messaging -spec: - consumer: - bootstrapServers: >- - factory-kafka-cluster-kafka-bootstrap.manuela-stormshift-messaging.svc:9092 - groupId: my-source-group-id - include: .* - livenessProbe: - failureThreshold: 2 - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 2 - producer: - bootstrapServers: >- - prod-kafka-cluster-kafka-bootstrap-manuela-data-lake.apps.hub.example.com:443 - tls: - trustedCertificates: - - certificate: ca.crt - secretName: prod-kafka-cluster-cluster-ca-cert - readinessProbe: - failureThreshold: 2 - initialDelaySeconds: 0 - periodSeconds: 1 - successThreshold: 2 - timeoutSeconds: 2 - replicas: 1 - version: 3.1.0 ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-topic-temperature.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-temperature - namespace: manuela-stormshift-messaging - labels: - strimzi.io/cluster: factory-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-topic-vibration.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-vibration - namespace: manuela-stormshift-messaging - labels: - strimzi.io/cluster: factory-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-stormshift/templates/anomaly-detection/iot-anomaly-detection-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: anomaly-detection - namespace: manuela-stormshift-messaging - labels: - component: serving -spec: - port: - targetPort: http - to: - kind: Service - name: anomaly-detection-predictor-anomaly-detection - tls: - insecureEdgeTerminationPolicy: Allow - termination: edge ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: line-dashboard - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - subdomain: line-dashboard-manuela-stormshift-line-dashboard - port: - targetPort: 8080-tcp - to: - kind: Service - name: line-dashboard - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-stormshift/templates/messaging/messaging-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: messaging - namespace: manuela-stormshift-messaging -spec: - subdomain: messaging-manuela-stormshift-messaging - port: - targetPort: 3000-tcp - to: - kind: Service - name: messaging - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-stormshift/templates/anomaly-detection/iot-anomaly-detection-seldon.yaml -apiVersion: machinelearning.seldon.io/v1 -kind: SeldonDeployment -metadata: - name: anomaly-detection - namespace: manuela-stormshift-messaging - labels: - component: serving - annotations: - alpha.image.policy.openshift.io/resolve-names: "*" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - annotations: - deployment_version: "1" - name: anomaly-detection - predictors: - - annotations: - predictor_version: "0.1" - componentSpecs: - - spec: - containers: - - name: anomaly-detection - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-messaging/anomaly-detection:0.3.2 - imagePullPolicy: Always - env: - - name: MODEL_FIILE - value: "model.joblib" - graph: - endpoint: - type: REST - name: anomaly-detection - type: MODEL - name: predictor - replicas: 1 diff --git a/tests/factory-manuela-stormshift-industrial-edge-hub.expected.yaml b/tests/factory-manuela-stormshift-industrial-edge-hub.expected.yaml deleted file mode 100644 index 1c5256f27..000000000 --- a/tests/factory-manuela-stormshift-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,926 +0,0 @@ ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-configmap.config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: line-dashboard-configmap - namespace: manuela-stormshift-line-dashboard - labels: - app.kubernetes.io/instance: manuela-stormshift -data: - "config.json": |- - { - "websocketHost": "http://messaging-manuela-stormshift-messaging.apps.region.example.com", - "websocketPath": "/api/service-web/socket", - "SERVER_TIMEOUT": "20000" - } ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-1-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-1 - namespace: manuela-stormshift-machine-sensor -data: - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-stormshift-messaging.apps.region.example.com" - MQTT_PORT: "80" - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-1" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_PASSWORD: "iotuser" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "18" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "15" - SENSOR_VIBRATION_PEAKINTETVAL: "20" ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-2-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-2 - namespace: manuela-stormshift-machine-sensor -data: - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-stormshift-messaging.apps.region.example.com" - MQTT_PORT: "80" - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-2" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_PASSWORD: "iotuser" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "17" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "12" - SENSOR_VIBRATION_PEAKINTETVAL: "200" ---- -# Source: manuela-stormshift/templates/messaging-kafka/mqtt2kafka-config.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: mqtt2kafka-config - namespace: manuela-stormshift-messaging -# DO NOT DELETE. NEEDED BY THE mqtt2kafka-integration SERVICE ---- -# Source: manuela-stormshift/templates/messaging/messaging-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: messaging-configmap - namespace: manuela-stormshift-messaging -data: - VIBRATION_ALERT_ENABLED: "true" - VIBRATION_ANOMALY_ENABLED: "true" - NODE_TLS_REJECT_UNAUTHORIZED: "0" - MQTT_BROKER: "ws://broker-amq-mqtt-all-0-svc:61616" - MQTT_PASSWORD: "iotuser" - MQTT_USER: "iotuser" - PORT: "3000" - SOCKET_PATH: "/api/service-web/socket" - TEMPERATURE_THRESHOLD: "70.0" - TEMPERATURE_ALERT_ENABLED: "true" - TOPIC_GPS: "iot-sensor/sw/gps" - TOPIC_TEMPERATURE: "iot-sensor/sw/temperature" - TOPIC_VIBRATION: "iot-sensor/sw/vibration" - TOPIC_LIGHT: "iot-sensor/sw/light" - ANOMALY_DETECTION_URL: "http://anomaly-detection-predictor:8000" ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: line-dashboard - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - ports: - - name: 8080-tcp - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: line-dashboard - deploymentconfig: line-dashboard - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-stormshift/templates/messaging/messaging-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: messaging - name: messaging - namespace: manuela-stormshift-messaging -spec: - ports: - - name: 3000-tcp - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: messaging - deploymentconfig: messaging - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: line-dashboard - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentconfig: line-dashboard - template: - metadata: - creationTimestamp: null - labels: - app: line-dashboard - deploymentconfig: line-dashboard - name: line-dashboard - spec: - containers: - - name: line-dashboard - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-line-dashboard/line-dashboard:0.3.1 - #imagePullPolicy: Always - ports: - - containerPort: 8080 - name: http - protocol: TCP - volumeMounts: - # the following mountpath is used for images which are based on the HTTPD base images, i.e. built using the CI/CD pipelines - - mountPath: /var/www/html/conf - name: line-dashboard-configmap-vol - # the following mountpath is used for images based directly on the NodeJS builder image, i.e. when deploying images built in the iotdemo namespace during quickstart - - mountPath: /opt/app-root/output/conf/config.json - name: line-dashboard-configmap-vol - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - volumes: - - name: line-dashboard-configmap-vol - configMap: - defaultMode: 438 - name: line-dashboard-configmap ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-1-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-1 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-1 - namespace: manuela-stormshift-machine-sensor -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-1 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: d0db3e611e43225b080d4e6f46dd80633b9e7c49587d32c39bacf82ea50d068b - labels: - application: machine-sensor-1 - deploymentConfig: machine-sensor-1 - name: machine-sensor-1 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-machine-sensor/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-1 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-2-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-2 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-2 - namespace: manuela-stormshift-machine-sensor -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-2 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: a44c9424f1b7f9d199f553b8651e0e5dc568e5c58f640c4634a35f1f5b3e5ad9 - labels: - application: machine-sensor-2 - deploymentConfig: machine-sensor-2 - name: machine-sensor-2 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-machine-sensor/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-2 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-stormshift/templates/messaging/messaging-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: messaging - name: messaging - namespace: manuela-stormshift-messaging -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: messaging - strategy: - type: RollingUpdate - template: - metadata: - labels: - app: messaging - deploymentconfig: messaging - spec: - containers: - - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-messaging/messaging:0.3.2 - imagePullPolicy: Always - name: messaging - ports: - - containerPort: 3000 - protocol: TCP - envFrom: - - configMapRef: - name: messaging-configmap - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /health - port: 3000 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /health - port: 3000 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 ---- -# Source: manuela-stormshift/templates/factory-mirror-maker/factory-to-central-mirror-maker2.yaml -#apiVersion: kafka.strimzi.io/v1beta2 -#kind: KafkaMirrorMaker2 -#metadata: -# name: factory-to-central-mm2 -# namespace: manuela-stormshift-messaging -#spec: -# version: 3.1.0 -# replicas: 1 -# connectCluster: production-kafka-cluster -# clusters: -# - alias: production-kafka-cluster -# bootstrapServers: 'bootstrap-manuela-data-lake-kafka-cluster.apps.hub.example.com:443' -# #bootstrapServers: 'bootstrap-manuela-data-lake-kafka-cluster.apps.industrial-factory-1.blueprints.rhecoeng.com:443' -# # -# # TODO: This is a secret that we will need to create in the manuela-stormshift-messaging namespace -# # -# tls: -# trustedCertificates: -# - certificate: ca.crt -# secretName: prod-kafka-cluster-cluster-ca-cert -# - alias: factory-kafka-cluster -# bootstrapServers: 'factory-kafka-cluster-kafka-bootstrap.manuela-stormshift-messaging.svc:9092' -# config: -# config.storage.replication.factor: 1 -# offset.storage.replication.factor: 1 -# status.storage.replication.factor: 1 -# mirrors: -# - sourceCluster: factory-kafka-cluster -# targetCluster: production-kafka-cluster -# sourceConnector: -# config: -# replication.factor: 1 -# offset-syncs.topic.replication.factor: 1 -# sync.topic.acls.enabled: 'false' -# heartbeatConnector: -# config: -# heartbeats.topic.replication.factor: 1 -# checkpointConnector: -# config: -# checkpoints.topic.replication.factor: 1 -# topicsPattern: .* -# groupsPattern: .* ---- -# Source: manuela-stormshift/templates/messaging/amq-broker.yaml -apiVersion: broker.amq.io/v2alpha4 -kind: ActiveMQArtemis -metadata: - name: broker-amq-mqtt - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - deploymentPlan: - size: 1 - image: registry.redhat.io/amq7/amq-broker:7.6 - # requireLogin: false - # persistenceEnabled: false - journalType: nio - messageMigration: false - console: - expose: true - acceptors: - - name: all - port: 61616 - expose: true - # - name: amqp - # protocols: amqp - # port: 5672 - # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: localhost - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ - # - name: mqtt - # protocols: mqtt - # port: 1883 - # # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: broker-amq-mqtt - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ ---- -# Source: manuela-stormshift/templates/anomaly-detection/anomaly-detection-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - labels: - application: anomaly-detection - name: anomaly-detection - namespace: manuela-stormshift-messaging -spec: - lookupPolicy: - local: false - tags: - - name: 0.3.2 - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-anomaly-detection:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-frontend:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: machine-sensor - namespace: manuela-stormshift-machine-sensor -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-software-sensor:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/messaging/messaging-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: messaging - namespace: manuela-stormshift-messaging -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.2" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-consumer:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/messaging-kafka/mqtt2kafka-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: mqtt2kafka-integration - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: mqtt2kafka-config - profile: OpenShift - sources: - - content: | - package com.redhat.manuela.routes; - - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.kafka.KafkaConstants; - import org.apache.camel.model.OnCompletionDefinition; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - - public class MQTT2KafkaRoute extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(MQTT2KafkaRoute.class); - - @Override - public void configure() throws Exception { - storeTemperatureInKafka(); - storeVibrationInKafka(); - //readTemperatureFromKafka(); - //readVibrationFromKafka(); - } - - private void storeTemperatureInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/temperature?brokerUrl=tcp://broker-amq-mqtt-all-0-svc:61616&clientId=MQTT2KafkaRoute-temp") - .log("Storing temperature message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - //.setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void storeVibrationInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/vibration?brokerUrl=tcp://broker-amq-mqtt-all-0-svc:61616&clientId=MQTT2KafkaRoute-vibr") - .log("Storing vibration message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - // .setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void readTemperatureFromKafka() { - from("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - private void readVibrationFromKafka() { - from("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: MQTT2KafkaRoute.java ---- -# Source: manuela-stormshift/templates/messaging-kafka/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - namespace: manuela-stormshift-messaging - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/earlyaccess/all@id=redhat.ea ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: factory-kafka-cluster - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - configuration: - bootstrap: - host: bootstrap-factory-kafka-cluster.apps.region.example.com - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-stormshift/templates/factory-mirror-maker/factory-mirror-maker.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaMirrorMaker -metadata: - name: factory-to-central-mm - namespace: manuela-stormshift-messaging -spec: - consumer: - bootstrapServers: >- - factory-kafka-cluster-kafka-bootstrap.manuela-stormshift-messaging.svc:9092 - groupId: my-source-group-id - include: .* - livenessProbe: - failureThreshold: 2 - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 2 - producer: - bootstrapServers: >- - prod-kafka-cluster-kafka-bootstrap-manuela-data-lake.apps.hub.example.com:443 - tls: - trustedCertificates: - - certificate: ca.crt - secretName: prod-kafka-cluster-cluster-ca-cert - readinessProbe: - failureThreshold: 2 - initialDelaySeconds: 0 - periodSeconds: 1 - successThreshold: 2 - timeoutSeconds: 2 - replicas: 1 - version: 3.1.0 ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-topic-temperature.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-temperature - namespace: manuela-stormshift-messaging - labels: - strimzi.io/cluster: factory-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-topic-vibration.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-vibration - namespace: manuela-stormshift-messaging - labels: - strimzi.io/cluster: factory-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-stormshift/templates/anomaly-detection/iot-anomaly-detection-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: anomaly-detection - namespace: manuela-stormshift-messaging - labels: - component: serving -spec: - port: - targetPort: http - to: - kind: Service - name: anomaly-detection-predictor-anomaly-detection - tls: - insecureEdgeTerminationPolicy: Allow - termination: edge ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: line-dashboard - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - subdomain: line-dashboard-manuela-stormshift-line-dashboard - port: - targetPort: 8080-tcp - to: - kind: Service - name: line-dashboard - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-stormshift/templates/messaging/messaging-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: messaging - namespace: manuela-stormshift-messaging -spec: - subdomain: messaging-manuela-stormshift-messaging - port: - targetPort: 3000-tcp - to: - kind: Service - name: messaging - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-stormshift/templates/anomaly-detection/iot-anomaly-detection-seldon.yaml -apiVersion: machinelearning.seldon.io/v1 -kind: SeldonDeployment -metadata: - name: anomaly-detection - namespace: manuela-stormshift-messaging - labels: - component: serving - annotations: - alpha.image.policy.openshift.io/resolve-names: "*" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - annotations: - deployment_version: "1" - name: anomaly-detection - predictors: - - annotations: - predictor_version: "0.1" - componentSpecs: - - spec: - containers: - - name: anomaly-detection - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-messaging/anomaly-detection:0.3.2 - imagePullPolicy: Always - env: - - name: MODEL_FIILE - value: "model.joblib" - graph: - endpoint: - type: REST - name: anomaly-detection - type: MODEL - name: predictor - replicas: 1 diff --git a/tests/factory-manuela-stormshift-medical-diagnosis-hub.expected.yaml b/tests/factory-manuela-stormshift-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 1c5256f27..000000000 --- a/tests/factory-manuela-stormshift-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,926 +0,0 @@ ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-configmap.config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: line-dashboard-configmap - namespace: manuela-stormshift-line-dashboard - labels: - app.kubernetes.io/instance: manuela-stormshift -data: - "config.json": |- - { - "websocketHost": "http://messaging-manuela-stormshift-messaging.apps.region.example.com", - "websocketPath": "/api/service-web/socket", - "SERVER_TIMEOUT": "20000" - } ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-1-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-1 - namespace: manuela-stormshift-machine-sensor -data: - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-stormshift-messaging.apps.region.example.com" - MQTT_PORT: "80" - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-1" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_PASSWORD: "iotuser" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "18" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "15" - SENSOR_VIBRATION_PEAKINTETVAL: "20" ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-2-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-2 - namespace: manuela-stormshift-machine-sensor -data: - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-stormshift-messaging.apps.region.example.com" - MQTT_PORT: "80" - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-2" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_PASSWORD: "iotuser" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "17" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "12" - SENSOR_VIBRATION_PEAKINTETVAL: "200" ---- -# Source: manuela-stormshift/templates/messaging-kafka/mqtt2kafka-config.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: mqtt2kafka-config - namespace: manuela-stormshift-messaging -# DO NOT DELETE. NEEDED BY THE mqtt2kafka-integration SERVICE ---- -# Source: manuela-stormshift/templates/messaging/messaging-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: messaging-configmap - namespace: manuela-stormshift-messaging -data: - VIBRATION_ALERT_ENABLED: "true" - VIBRATION_ANOMALY_ENABLED: "true" - NODE_TLS_REJECT_UNAUTHORIZED: "0" - MQTT_BROKER: "ws://broker-amq-mqtt-all-0-svc:61616" - MQTT_PASSWORD: "iotuser" - MQTT_USER: "iotuser" - PORT: "3000" - SOCKET_PATH: "/api/service-web/socket" - TEMPERATURE_THRESHOLD: "70.0" - TEMPERATURE_ALERT_ENABLED: "true" - TOPIC_GPS: "iot-sensor/sw/gps" - TOPIC_TEMPERATURE: "iot-sensor/sw/temperature" - TOPIC_VIBRATION: "iot-sensor/sw/vibration" - TOPIC_LIGHT: "iot-sensor/sw/light" - ANOMALY_DETECTION_URL: "http://anomaly-detection-predictor:8000" ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: line-dashboard - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - ports: - - name: 8080-tcp - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: line-dashboard - deploymentconfig: line-dashboard - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-stormshift/templates/messaging/messaging-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: messaging - name: messaging - namespace: manuela-stormshift-messaging -spec: - ports: - - name: 3000-tcp - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: messaging - deploymentconfig: messaging - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: line-dashboard - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentconfig: line-dashboard - template: - metadata: - creationTimestamp: null - labels: - app: line-dashboard - deploymentconfig: line-dashboard - name: line-dashboard - spec: - containers: - - name: line-dashboard - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-line-dashboard/line-dashboard:0.3.1 - #imagePullPolicy: Always - ports: - - containerPort: 8080 - name: http - protocol: TCP - volumeMounts: - # the following mountpath is used for images which are based on the HTTPD base images, i.e. built using the CI/CD pipelines - - mountPath: /var/www/html/conf - name: line-dashboard-configmap-vol - # the following mountpath is used for images based directly on the NodeJS builder image, i.e. when deploying images built in the iotdemo namespace during quickstart - - mountPath: /opt/app-root/output/conf/config.json - name: line-dashboard-configmap-vol - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - volumes: - - name: line-dashboard-configmap-vol - configMap: - defaultMode: 438 - name: line-dashboard-configmap ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-1-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-1 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-1 - namespace: manuela-stormshift-machine-sensor -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-1 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: d0db3e611e43225b080d4e6f46dd80633b9e7c49587d32c39bacf82ea50d068b - labels: - application: machine-sensor-1 - deploymentConfig: machine-sensor-1 - name: machine-sensor-1 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-machine-sensor/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-1 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-2-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-2 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-2 - namespace: manuela-stormshift-machine-sensor -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-2 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: a44c9424f1b7f9d199f553b8651e0e5dc568e5c58f640c4634a35f1f5b3e5ad9 - labels: - application: machine-sensor-2 - deploymentConfig: machine-sensor-2 - name: machine-sensor-2 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-machine-sensor/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-2 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-stormshift/templates/messaging/messaging-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: messaging - name: messaging - namespace: manuela-stormshift-messaging -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: messaging - strategy: - type: RollingUpdate - template: - metadata: - labels: - app: messaging - deploymentconfig: messaging - spec: - containers: - - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-messaging/messaging:0.3.2 - imagePullPolicy: Always - name: messaging - ports: - - containerPort: 3000 - protocol: TCP - envFrom: - - configMapRef: - name: messaging-configmap - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /health - port: 3000 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /health - port: 3000 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 ---- -# Source: manuela-stormshift/templates/factory-mirror-maker/factory-to-central-mirror-maker2.yaml -#apiVersion: kafka.strimzi.io/v1beta2 -#kind: KafkaMirrorMaker2 -#metadata: -# name: factory-to-central-mm2 -# namespace: manuela-stormshift-messaging -#spec: -# version: 3.1.0 -# replicas: 1 -# connectCluster: production-kafka-cluster -# clusters: -# - alias: production-kafka-cluster -# bootstrapServers: 'bootstrap-manuela-data-lake-kafka-cluster.apps.hub.example.com:443' -# #bootstrapServers: 'bootstrap-manuela-data-lake-kafka-cluster.apps.industrial-factory-1.blueprints.rhecoeng.com:443' -# # -# # TODO: This is a secret that we will need to create in the manuela-stormshift-messaging namespace -# # -# tls: -# trustedCertificates: -# - certificate: ca.crt -# secretName: prod-kafka-cluster-cluster-ca-cert -# - alias: factory-kafka-cluster -# bootstrapServers: 'factory-kafka-cluster-kafka-bootstrap.manuela-stormshift-messaging.svc:9092' -# config: -# config.storage.replication.factor: 1 -# offset.storage.replication.factor: 1 -# status.storage.replication.factor: 1 -# mirrors: -# - sourceCluster: factory-kafka-cluster -# targetCluster: production-kafka-cluster -# sourceConnector: -# config: -# replication.factor: 1 -# offset-syncs.topic.replication.factor: 1 -# sync.topic.acls.enabled: 'false' -# heartbeatConnector: -# config: -# heartbeats.topic.replication.factor: 1 -# checkpointConnector: -# config: -# checkpoints.topic.replication.factor: 1 -# topicsPattern: .* -# groupsPattern: .* ---- -# Source: manuela-stormshift/templates/messaging/amq-broker.yaml -apiVersion: broker.amq.io/v2alpha4 -kind: ActiveMQArtemis -metadata: - name: broker-amq-mqtt - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - deploymentPlan: - size: 1 - image: registry.redhat.io/amq7/amq-broker:7.6 - # requireLogin: false - # persistenceEnabled: false - journalType: nio - messageMigration: false - console: - expose: true - acceptors: - - name: all - port: 61616 - expose: true - # - name: amqp - # protocols: amqp - # port: 5672 - # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: localhost - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ - # - name: mqtt - # protocols: mqtt - # port: 1883 - # # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: broker-amq-mqtt - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ ---- -# Source: manuela-stormshift/templates/anomaly-detection/anomaly-detection-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - labels: - application: anomaly-detection - name: anomaly-detection - namespace: manuela-stormshift-messaging -spec: - lookupPolicy: - local: false - tags: - - name: 0.3.2 - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-anomaly-detection:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-frontend:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: machine-sensor - namespace: manuela-stormshift-machine-sensor -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-software-sensor:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/messaging/messaging-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: messaging - namespace: manuela-stormshift-messaging -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.2" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-consumer:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/messaging-kafka/mqtt2kafka-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: mqtt2kafka-integration - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: mqtt2kafka-config - profile: OpenShift - sources: - - content: | - package com.redhat.manuela.routes; - - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.kafka.KafkaConstants; - import org.apache.camel.model.OnCompletionDefinition; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - - public class MQTT2KafkaRoute extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(MQTT2KafkaRoute.class); - - @Override - public void configure() throws Exception { - storeTemperatureInKafka(); - storeVibrationInKafka(); - //readTemperatureFromKafka(); - //readVibrationFromKafka(); - } - - private void storeTemperatureInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/temperature?brokerUrl=tcp://broker-amq-mqtt-all-0-svc:61616&clientId=MQTT2KafkaRoute-temp") - .log("Storing temperature message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - //.setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void storeVibrationInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/vibration?brokerUrl=tcp://broker-amq-mqtt-all-0-svc:61616&clientId=MQTT2KafkaRoute-vibr") - .log("Storing vibration message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - // .setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void readTemperatureFromKafka() { - from("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - private void readVibrationFromKafka() { - from("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: MQTT2KafkaRoute.java ---- -# Source: manuela-stormshift/templates/messaging-kafka/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - namespace: manuela-stormshift-messaging - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/earlyaccess/all@id=redhat.ea ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: factory-kafka-cluster - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - configuration: - bootstrap: - host: bootstrap-factory-kafka-cluster.apps.region.example.com - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-stormshift/templates/factory-mirror-maker/factory-mirror-maker.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaMirrorMaker -metadata: - name: factory-to-central-mm - namespace: manuela-stormshift-messaging -spec: - consumer: - bootstrapServers: >- - factory-kafka-cluster-kafka-bootstrap.manuela-stormshift-messaging.svc:9092 - groupId: my-source-group-id - include: .* - livenessProbe: - failureThreshold: 2 - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 2 - producer: - bootstrapServers: >- - prod-kafka-cluster-kafka-bootstrap-manuela-data-lake.apps.hub.example.com:443 - tls: - trustedCertificates: - - certificate: ca.crt - secretName: prod-kafka-cluster-cluster-ca-cert - readinessProbe: - failureThreshold: 2 - initialDelaySeconds: 0 - periodSeconds: 1 - successThreshold: 2 - timeoutSeconds: 2 - replicas: 1 - version: 3.1.0 ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-topic-temperature.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-temperature - namespace: manuela-stormshift-messaging - labels: - strimzi.io/cluster: factory-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-topic-vibration.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-vibration - namespace: manuela-stormshift-messaging - labels: - strimzi.io/cluster: factory-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-stormshift/templates/anomaly-detection/iot-anomaly-detection-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: anomaly-detection - namespace: manuela-stormshift-messaging - labels: - component: serving -spec: - port: - targetPort: http - to: - kind: Service - name: anomaly-detection-predictor-anomaly-detection - tls: - insecureEdgeTerminationPolicy: Allow - termination: edge ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: line-dashboard - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - subdomain: line-dashboard-manuela-stormshift-line-dashboard - port: - targetPort: 8080-tcp - to: - kind: Service - name: line-dashboard - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-stormshift/templates/messaging/messaging-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: messaging - namespace: manuela-stormshift-messaging -spec: - subdomain: messaging-manuela-stormshift-messaging - port: - targetPort: 3000-tcp - to: - kind: Service - name: messaging - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-stormshift/templates/anomaly-detection/iot-anomaly-detection-seldon.yaml -apiVersion: machinelearning.seldon.io/v1 -kind: SeldonDeployment -metadata: - name: anomaly-detection - namespace: manuela-stormshift-messaging - labels: - component: serving - annotations: - alpha.image.policy.openshift.io/resolve-names: "*" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - annotations: - deployment_version: "1" - name: anomaly-detection - predictors: - - annotations: - predictor_version: "0.1" - componentSpecs: - - spec: - containers: - - name: anomaly-detection - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-messaging/anomaly-detection:0.3.2 - imagePullPolicy: Always - env: - - name: MODEL_FIILE - value: "model.joblib" - graph: - endpoint: - type: REST - name: anomaly-detection - type: MODEL - name: predictor - replicas: 1 diff --git a/tests/factory-manuela-stormshift-naked.expected.yaml b/tests/factory-manuela-stormshift-naked.expected.yaml deleted file mode 100644 index a3a86304c..000000000 --- a/tests/factory-manuela-stormshift-naked.expected.yaml +++ /dev/null @@ -1,926 +0,0 @@ ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-configmap.config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: line-dashboard-configmap - namespace: manuela-stormshift-line-dashboard - labels: - app.kubernetes.io/instance: manuela-stormshift -data: - "config.json": |- - { - "websocketHost": "http://messaging-manuela-stormshift-messaging.local.example.com", - "websocketPath": "/api/service-web/socket", - "SERVER_TIMEOUT": "20000" - } ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-1-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-1 - namespace: manuela-stormshift-machine-sensor -data: - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-stormshift-messaging.local.example.com" - MQTT_PORT: "80" - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-1" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_PASSWORD: "iotuser" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "18" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "15" - SENSOR_VIBRATION_PEAKINTETVAL: "20" ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-2-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-2 - namespace: manuela-stormshift-machine-sensor -data: - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-stormshift-messaging.local.example.com" - MQTT_PORT: "80" - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-2" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_PASSWORD: "iotuser" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "17" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "12" - SENSOR_VIBRATION_PEAKINTETVAL: "200" ---- -# Source: manuela-stormshift/templates/messaging-kafka/mqtt2kafka-config.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: mqtt2kafka-config - namespace: manuela-stormshift-messaging -# DO NOT DELETE. NEEDED BY THE mqtt2kafka-integration SERVICE ---- -# Source: manuela-stormshift/templates/messaging/messaging-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: messaging-configmap - namespace: manuela-stormshift-messaging -data: - VIBRATION_ALERT_ENABLED: "true" - VIBRATION_ANOMALY_ENABLED: "true" - NODE_TLS_REJECT_UNAUTHORIZED: "0" - MQTT_BROKER: "ws://broker-amq-mqtt-all-0-svc:61616" - MQTT_PASSWORD: "iotuser" - MQTT_USER: "iotuser" - PORT: "3000" - SOCKET_PATH: "/api/service-web/socket" - TEMPERATURE_THRESHOLD: "70.0" - TEMPERATURE_ALERT_ENABLED: "true" - TOPIC_GPS: "iot-sensor/sw/gps" - TOPIC_TEMPERATURE: "iot-sensor/sw/temperature" - TOPIC_VIBRATION: "iot-sensor/sw/vibration" - TOPIC_LIGHT: "iot-sensor/sw/light" - ANOMALY_DETECTION_URL: "http://anomaly-detection-predictor:8000" ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: line-dashboard - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - ports: - - name: 8080-tcp - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: line-dashboard - deploymentconfig: line-dashboard - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-stormshift/templates/messaging/messaging-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: messaging - name: messaging - namespace: manuela-stormshift-messaging -spec: - ports: - - name: 3000-tcp - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: messaging - deploymentconfig: messaging - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: line-dashboard - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentconfig: line-dashboard - template: - metadata: - creationTimestamp: null - labels: - app: line-dashboard - deploymentconfig: line-dashboard - name: line-dashboard - spec: - containers: - - name: line-dashboard - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-line-dashboard/line-dashboard:0.3.1 - #imagePullPolicy: Always - ports: - - containerPort: 8080 - name: http - protocol: TCP - volumeMounts: - # the following mountpath is used for images which are based on the HTTPD base images, i.e. built using the CI/CD pipelines - - mountPath: /var/www/html/conf - name: line-dashboard-configmap-vol - # the following mountpath is used for images based directly on the NodeJS builder image, i.e. when deploying images built in the iotdemo namespace during quickstart - - mountPath: /opt/app-root/output/conf/config.json - name: line-dashboard-configmap-vol - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - volumes: - - name: line-dashboard-configmap-vol - configMap: - defaultMode: 438 - name: line-dashboard-configmap ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-1-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-1 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-1 - namespace: manuela-stormshift-machine-sensor -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-1 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: 895c15dfcefd9bd3aee00706aa1dbc6fc8a2a583b58e7b3f5fdf946be8be0325 - labels: - application: machine-sensor-1 - deploymentConfig: machine-sensor-1 - name: machine-sensor-1 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-machine-sensor/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-1 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-2-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-2 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-2 - namespace: manuela-stormshift-machine-sensor -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-2 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: 1f17f0cd9e3d69dd8fe45d0eab883eefe797cb5ec0b30f856e47298761561fb4 - labels: - application: machine-sensor-2 - deploymentConfig: machine-sensor-2 - name: machine-sensor-2 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-machine-sensor/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-2 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-stormshift/templates/messaging/messaging-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: messaging - name: messaging - namespace: manuela-stormshift-messaging -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: messaging - strategy: - type: RollingUpdate - template: - metadata: - labels: - app: messaging - deploymentconfig: messaging - spec: - containers: - - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-messaging/messaging:0.3.2 - imagePullPolicy: Always - name: messaging - ports: - - containerPort: 3000 - protocol: TCP - envFrom: - - configMapRef: - name: messaging-configmap - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /health - port: 3000 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /health - port: 3000 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 ---- -# Source: manuela-stormshift/templates/factory-mirror-maker/factory-to-central-mirror-maker2.yaml -#apiVersion: kafka.strimzi.io/v1beta2 -#kind: KafkaMirrorMaker2 -#metadata: -# name: factory-to-central-mm2 -# namespace: manuela-stormshift-messaging -#spec: -# version: 3.1.0 -# replicas: 1 -# connectCluster: production-kafka-cluster -# clusters: -# - alias: production-kafka-cluster -# bootstrapServers: 'bootstrap-manuela-data-lake-kafka-cluster.hub.example.com:443' -# #bootstrapServers: 'bootstrap-manuela-data-lake-kafka-cluster.apps.industrial-factory-1.blueprints.rhecoeng.com:443' -# # -# # TODO: This is a secret that we will need to create in the manuela-stormshift-messaging namespace -# # -# tls: -# trustedCertificates: -# - certificate: ca.crt -# secretName: prod-kafka-cluster-cluster-ca-cert -# - alias: factory-kafka-cluster -# bootstrapServers: 'factory-kafka-cluster-kafka-bootstrap.manuela-stormshift-messaging.svc:9092' -# config: -# config.storage.replication.factor: 1 -# offset.storage.replication.factor: 1 -# status.storage.replication.factor: 1 -# mirrors: -# - sourceCluster: factory-kafka-cluster -# targetCluster: production-kafka-cluster -# sourceConnector: -# config: -# replication.factor: 1 -# offset-syncs.topic.replication.factor: 1 -# sync.topic.acls.enabled: 'false' -# heartbeatConnector: -# config: -# heartbeats.topic.replication.factor: 1 -# checkpointConnector: -# config: -# checkpoints.topic.replication.factor: 1 -# topicsPattern: .* -# groupsPattern: .* ---- -# Source: manuela-stormshift/templates/messaging/amq-broker.yaml -apiVersion: broker.amq.io/v2alpha4 -kind: ActiveMQArtemis -metadata: - name: broker-amq-mqtt - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - deploymentPlan: - size: 1 - image: registry.redhat.io/amq7/amq-broker:7.6 - # requireLogin: false - # persistenceEnabled: false - journalType: nio - messageMigration: false - console: - expose: true - acceptors: - - name: all - port: 61616 - expose: true - # - name: amqp - # protocols: amqp - # port: 5672 - # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: localhost - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ - # - name: mqtt - # protocols: mqtt - # port: 1883 - # # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: broker-amq-mqtt - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ ---- -# Source: manuela-stormshift/templates/anomaly-detection/anomaly-detection-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - labels: - application: anomaly-detection - name: anomaly-detection - namespace: manuela-stormshift-messaging -spec: - lookupPolicy: - local: false - tags: - - name: 0.3.2 - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-anomaly-detection:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-frontend:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: machine-sensor - namespace: manuela-stormshift-machine-sensor -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-software-sensor:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/messaging/messaging-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: messaging - namespace: manuela-stormshift-messaging -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.2" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-consumer:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/messaging-kafka/mqtt2kafka-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: mqtt2kafka-integration - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: mqtt2kafka-config - profile: OpenShift - sources: - - content: | - package com.redhat.manuela.routes; - - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.kafka.KafkaConstants; - import org.apache.camel.model.OnCompletionDefinition; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - - public class MQTT2KafkaRoute extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(MQTT2KafkaRoute.class); - - @Override - public void configure() throws Exception { - storeTemperatureInKafka(); - storeVibrationInKafka(); - //readTemperatureFromKafka(); - //readVibrationFromKafka(); - } - - private void storeTemperatureInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "local.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/temperature?brokerUrl=tcp://broker-amq-mqtt-all-0-svc:61616&clientId=MQTT2KafkaRoute-temp") - .log("Storing temperature message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - //.setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void storeVibrationInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "local.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/vibration?brokerUrl=tcp://broker-amq-mqtt-all-0-svc:61616&clientId=MQTT2KafkaRoute-vibr") - .log("Storing vibration message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - // .setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void readTemperatureFromKafka() { - from("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - private void readVibrationFromKafka() { - from("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: MQTT2KafkaRoute.java ---- -# Source: manuela-stormshift/templates/messaging-kafka/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - namespace: manuela-stormshift-messaging - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/earlyaccess/all@id=redhat.ea ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: factory-kafka-cluster - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - configuration: - bootstrap: - host: bootstrap-factory-kafka-cluster.local.example.com - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-stormshift/templates/factory-mirror-maker/factory-mirror-maker.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaMirrorMaker -metadata: - name: factory-to-central-mm - namespace: manuela-stormshift-messaging -spec: - consumer: - bootstrapServers: >- - factory-kafka-cluster-kafka-bootstrap.manuela-stormshift-messaging.svc:9092 - groupId: my-source-group-id - include: .* - livenessProbe: - failureThreshold: 2 - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 2 - producer: - bootstrapServers: >- - prod-kafka-cluster-kafka-bootstrap-manuela-data-lake.hub.example.com:443 - tls: - trustedCertificates: - - certificate: ca.crt - secretName: prod-kafka-cluster-cluster-ca-cert - readinessProbe: - failureThreshold: 2 - initialDelaySeconds: 0 - periodSeconds: 1 - successThreshold: 2 - timeoutSeconds: 2 - replicas: 1 - version: 3.1.0 ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-topic-temperature.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-temperature - namespace: manuela-stormshift-messaging - labels: - strimzi.io/cluster: factory-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-topic-vibration.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-vibration - namespace: manuela-stormshift-messaging - labels: - strimzi.io/cluster: factory-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-stormshift/templates/anomaly-detection/iot-anomaly-detection-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: anomaly-detection - namespace: manuela-stormshift-messaging - labels: - component: serving -spec: - port: - targetPort: http - to: - kind: Service - name: anomaly-detection-predictor-anomaly-detection - tls: - insecureEdgeTerminationPolicy: Allow - termination: edge ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: line-dashboard - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - subdomain: line-dashboard-manuela-stormshift-line-dashboard - port: - targetPort: 8080-tcp - to: - kind: Service - name: line-dashboard - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-stormshift/templates/messaging/messaging-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: messaging - namespace: manuela-stormshift-messaging -spec: - subdomain: messaging-manuela-stormshift-messaging - port: - targetPort: 3000-tcp - to: - kind: Service - name: messaging - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-stormshift/templates/anomaly-detection/iot-anomaly-detection-seldon.yaml -apiVersion: machinelearning.seldon.io/v1 -kind: SeldonDeployment -metadata: - name: anomaly-detection - namespace: manuela-stormshift-messaging - labels: - component: serving - annotations: - alpha.image.policy.openshift.io/resolve-names: "*" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - annotations: - deployment_version: "1" - name: anomaly-detection - predictors: - - annotations: - predictor_version: "0.1" - componentSpecs: - - spec: - containers: - - name: anomaly-detection - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-messaging/anomaly-detection:0.3.2 - imagePullPolicy: Always - env: - - name: MODEL_FIILE - value: "model.joblib" - graph: - endpoint: - type: REST - name: anomaly-detection - type: MODEL - name: predictor - replicas: 1 diff --git a/tests/factory-manuela-stormshift-normal.expected.yaml b/tests/factory-manuela-stormshift-normal.expected.yaml deleted file mode 100644 index 1c5256f27..000000000 --- a/tests/factory-manuela-stormshift-normal.expected.yaml +++ /dev/null @@ -1,926 +0,0 @@ ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-configmap.config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: line-dashboard-configmap - namespace: manuela-stormshift-line-dashboard - labels: - app.kubernetes.io/instance: manuela-stormshift -data: - "config.json": |- - { - "websocketHost": "http://messaging-manuela-stormshift-messaging.apps.region.example.com", - "websocketPath": "/api/service-web/socket", - "SERVER_TIMEOUT": "20000" - } ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-1-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-1 - namespace: manuela-stormshift-machine-sensor -data: - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-stormshift-messaging.apps.region.example.com" - MQTT_PORT: "80" - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-1" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_PASSWORD: "iotuser" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "18" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "15" - SENSOR_VIBRATION_PEAKINTETVAL: "20" ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-2-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: machine-sensor-2 - namespace: manuela-stormshift-machine-sensor -data: - MQTT_HOSTNAME: "broker-amq-mqtt-all-0-svc-rte-manuela-stormshift-messaging.apps.region.example.com" - MQTT_PORT: "80" - APP_NAME: "iot-sensor" - DEVICE_ID: "pump-2" - DEVICE_METRICS: "temperature,vibration,gps,light" - MACHINE_ID: "floor-1-line-1-extruder-1" - - MQTT_PASSWORD: "iotuser" - MQTT_TLSSNI: "false" - MQTT_USER: "iotuser" - - SENSOR_GPS_ENABLED: "false" - SENSOR_GPS_FINAL_LATITUDE: "40.689879" - SENSOR_GPS_FINAL_LONGITUDE: "-73.992895" - SENSOR_GPS_FREQUENCY: "5" - SENSOR_GPS_INITIAL_LATITUDE: "42.579258" - SENSOR_GPS_INITIAL_LONGITUDE: "-71.437841" - SENSOR_GPS_ITERATION_LATITUDE: "-0.009" - SENSOR_GPS_ITERATION_LONGITUDE: "-0.012" - - SENSOR_LIGHT_ENABLED: "false" - SENSOR_LIGHT_FREQUENCY: "5" - SENSOR_LIGHT_MAXITERATION: "3" - SENSOR_LIGHT_MAXRANGE: "25000" - SENSOR_LIGHT_MINITERATION: "0" - SENSOR_LIGHT_MINRANGE: "0" - SENSOR_LIGHT_START: "0" - - SENSOR_TEMPERATURE_ENABLED: "false" - SENSOR_TEMPERATURE_FREQUENCY: "5" - SENSOR_TEMPERATURE_MAXITERATION: "1" - SENSOR_TEMPERATURE_MAXRANGE: "55" - SENSOR_TEMPERATURE_MINITERATION: "0" - SENSOR_TEMPERATURE_MINRANGE: "45" - SENSOR_TEMPERATURE_STARTMAX: "50" - SENSOR_TEMPERATURE_STARTMIN: "50" - - SENSOR_VIBRATION_ENABLED: "true" - SENSOR_VIBRATION_FREQUENC: "5" - SENSOR_VIBRATION_MAXITERATION: "1" - SENSOR_VIBRATION_MAXRANGE: "17" - SENSOR_VIBRATION_MINITERATION: "0" - SENSOR_VIBRATION_MINRANGE: "10" - SENSOR_VIBRATION_START: "12" - SENSOR_VIBRATION_PEAKINTETVAL: "200" ---- -# Source: manuela-stormshift/templates/messaging-kafka/mqtt2kafka-config.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: mqtt2kafka-config - namespace: manuela-stormshift-messaging -# DO NOT DELETE. NEEDED BY THE mqtt2kafka-integration SERVICE ---- -# Source: manuela-stormshift/templates/messaging/messaging-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: messaging-configmap - namespace: manuela-stormshift-messaging -data: - VIBRATION_ALERT_ENABLED: "true" - VIBRATION_ANOMALY_ENABLED: "true" - NODE_TLS_REJECT_UNAUTHORIZED: "0" - MQTT_BROKER: "ws://broker-amq-mqtt-all-0-svc:61616" - MQTT_PASSWORD: "iotuser" - MQTT_USER: "iotuser" - PORT: "3000" - SOCKET_PATH: "/api/service-web/socket" - TEMPERATURE_THRESHOLD: "70.0" - TEMPERATURE_ALERT_ENABLED: "true" - TOPIC_GPS: "iot-sensor/sw/gps" - TOPIC_TEMPERATURE: "iot-sensor/sw/temperature" - TOPIC_VIBRATION: "iot-sensor/sw/vibration" - TOPIC_LIGHT: "iot-sensor/sw/light" - ANOMALY_DETECTION_URL: "http://anomaly-detection-predictor:8000" ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: line-dashboard - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - ports: - - name: 8080-tcp - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: line-dashboard - deploymentconfig: line-dashboard - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-stormshift/templates/messaging/messaging-svc.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: messaging - name: messaging - namespace: manuela-stormshift-messaging -spec: - ports: - - name: 3000-tcp - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: messaging - deploymentconfig: messaging - sessionAffinity: None - type: ClusterIP ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: line-dashboard - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentconfig: line-dashboard - template: - metadata: - creationTimestamp: null - labels: - app: line-dashboard - deploymentconfig: line-dashboard - name: line-dashboard - spec: - containers: - - name: line-dashboard - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-line-dashboard/line-dashboard:0.3.1 - #imagePullPolicy: Always - ports: - - containerPort: 8080 - name: http - protocol: TCP - volumeMounts: - # the following mountpath is used for images which are based on the HTTPD base images, i.e. built using the CI/CD pipelines - - mountPath: /var/www/html/conf - name: line-dashboard-configmap-vol - # the following mountpath is used for images based directly on the NodeJS builder image, i.e. when deploying images built in the iotdemo namespace during quickstart - - mountPath: /opt/app-root/output/conf/config.json - name: line-dashboard-configmap-vol - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /home - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - volumes: - - name: line-dashboard-configmap-vol - configMap: - defaultMode: 438 - name: line-dashboard-configmap ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-1-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-1 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-1 - namespace: manuela-stormshift-machine-sensor -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-1 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: d0db3e611e43225b080d4e6f46dd80633b9e7c49587d32c39bacf82ea50d068b - labels: - application: machine-sensor-1 - deploymentConfig: machine-sensor-1 - name: machine-sensor-1 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-machine-sensor/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-1 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-2-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: machine-sensor-2 - template: openjdk18-web-basic-s2i - app.kubernetes.io/part-of: ManuELA - name: machine-sensor-2 - namespace: manuela-stormshift-machine-sensor -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - deploymentConfig: machine-sensor-2 - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: a44c9424f1b7f9d199f553b8651e0e5dc568e5c58f640c4634a35f1f5b3e5ad9 - labels: - application: machine-sensor-2 - deploymentConfig: machine-sensor-2 - name: machine-sensor-2 - spec: - containers: - - name: machine-sensor - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-machine-sensor/machine-sensor:0.3.1 - imagePullPolicy: Always - ports: - - containerPort: 8778 - name: jolokia - protocol: TCP - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 8443 - name: https - protocol: TCP - envFrom: - - configMapRef: - name: machine-sensor-2 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /actuator/health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /actuator/health - port: 8080 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 ---- -# Source: manuela-stormshift/templates/messaging/messaging-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - application: messaging - name: messaging - namespace: manuela-stormshift-messaging -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: messaging - strategy: - type: RollingUpdate - template: - metadata: - labels: - app: messaging - deploymentconfig: messaging - spec: - containers: - - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-messaging/messaging:0.3.2 - imagePullPolicy: Always - name: messaging - ports: - - containerPort: 3000 - protocol: TCP - envFrom: - - configMapRef: - name: messaging-configmap - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - livenessProbe: - httpGet: - path: /health - port: 3000 - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /health - port: 3000 - scheme: HTTP - initialDelaySeconds: 15 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 ---- -# Source: manuela-stormshift/templates/factory-mirror-maker/factory-to-central-mirror-maker2.yaml -#apiVersion: kafka.strimzi.io/v1beta2 -#kind: KafkaMirrorMaker2 -#metadata: -# name: factory-to-central-mm2 -# namespace: manuela-stormshift-messaging -#spec: -# version: 3.1.0 -# replicas: 1 -# connectCluster: production-kafka-cluster -# clusters: -# - alias: production-kafka-cluster -# bootstrapServers: 'bootstrap-manuela-data-lake-kafka-cluster.apps.hub.example.com:443' -# #bootstrapServers: 'bootstrap-manuela-data-lake-kafka-cluster.apps.industrial-factory-1.blueprints.rhecoeng.com:443' -# # -# # TODO: This is a secret that we will need to create in the manuela-stormshift-messaging namespace -# # -# tls: -# trustedCertificates: -# - certificate: ca.crt -# secretName: prod-kafka-cluster-cluster-ca-cert -# - alias: factory-kafka-cluster -# bootstrapServers: 'factory-kafka-cluster-kafka-bootstrap.manuela-stormshift-messaging.svc:9092' -# config: -# config.storage.replication.factor: 1 -# offset.storage.replication.factor: 1 -# status.storage.replication.factor: 1 -# mirrors: -# - sourceCluster: factory-kafka-cluster -# targetCluster: production-kafka-cluster -# sourceConnector: -# config: -# replication.factor: 1 -# offset-syncs.topic.replication.factor: 1 -# sync.topic.acls.enabled: 'false' -# heartbeatConnector: -# config: -# heartbeats.topic.replication.factor: 1 -# checkpointConnector: -# config: -# checkpoints.topic.replication.factor: 1 -# topicsPattern: .* -# groupsPattern: .* ---- -# Source: manuela-stormshift/templates/messaging/amq-broker.yaml -apiVersion: broker.amq.io/v2alpha4 -kind: ActiveMQArtemis -metadata: - name: broker-amq-mqtt - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - deploymentPlan: - size: 1 - image: registry.redhat.io/amq7/amq-broker:7.6 - # requireLogin: false - # persistenceEnabled: false - journalType: nio - messageMigration: false - console: - expose: true - acceptors: - - name: all - port: 61616 - expose: true - # - name: amqp - # protocols: amqp - # port: 5672 - # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: localhost - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ - # - name: mqtt - # protocols: mqtt - # port: 1883 - # # sslEnabled: true - # enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - # enabledProtocols: TLSv1,TLSv1.1,TLSv1.2 - # needClientAuth: true - # wantClientAuth: true - # verifyHost: true - # sslProvider: JDK - # sniHost: broker-amq-mqtt - # expose: true - # anycastPrefix: jms.topic. - # multicastPrefix: /queue/ ---- -# Source: manuela-stormshift/templates/anomaly-detection/anomaly-detection-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - labels: - application: anomaly-detection - name: anomaly-detection - namespace: manuela-stormshift-messaging -spec: - lookupPolicy: - local: false - tags: - - name: 0.3.2 - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-anomaly-detection:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-frontend:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/machine-sensor/machine-sensor-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: machine-sensor - namespace: manuela-stormshift-machine-sensor -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.1" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-software-sensor:0.3.1 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/messaging/messaging-is.yaml -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: messaging - namespace: manuela-stormshift-messaging -spec: - lookupPolicy: - local: true - tags: - - name: "0.3.2" - from: - kind: DockerImage - name: quay.io/hybridcloudpatterns/iot-consumer:0.3.2 - importPolicy: {} - referencePolicy: - type: Local ---- -# Source: manuela-stormshift/templates/messaging-kafka/mqtt2kafka-integration.yaml -apiVersion: camel.apache.org/v1 -kind: Integration -metadata: - name: mqtt2kafka-integration - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: configmap - value: mqtt2kafka-config - profile: OpenShift - sources: - - content: | - package com.redhat.manuela.routes; - - import org.apache.camel.builder.RouteBuilder; - import org.apache.camel.component.kafka.KafkaConstants; - import org.apache.camel.model.OnCompletionDefinition; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - - public class MQTT2KafkaRoute extends RouteBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(MQTT2KafkaRoute.class); - - @Override - public void configure() throws Exception { - storeTemperatureInKafka(); - storeVibrationInKafka(); - //readTemperatureFromKafka(); - //readVibrationFromKafka(); - } - - private void storeTemperatureInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/temperature?brokerUrl=tcp://broker-amq-mqtt-all-0-svc:61616&clientId=MQTT2KafkaRoute-temp") - .log("Storing temperature message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - //.setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void storeVibrationInKafka() { - // This block is to extract the cluster name from our VP - // localClusterDomain setting. Please see the config map. - String temp = "apps.region.example.com"; - String delims="[ . ]+"; - String [] tokens = temp.split(delims); - String cluster_name = tokens[1]; - - from("paho:iot-sensor/sw/vibration?brokerUrl=tcp://broker-amq-mqtt-all-0-svc:61616&clientId=MQTT2KafkaRoute-vibr") - .log("Storing vibration message from [" + cluster_name + "] MQTT: ${body}") - .setHeader(KafkaConstants.KEY, constant(cluster_name)) - // .setHeader(KafkaConstants.KEY, constant("sensor-temp")) - .to("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - ;//.log("sent message: ${headers[org.apache.kafka.clients.producer.RecordMetadata]}"); - } - - private void readTemperatureFromKafka() { - from("kafka:manuela-factory.iot-sensor-sw-temperature?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - private void readVibrationFromKafka() { - from("kafka:manuela-factory.iot-sensor-sw-vibration?brokers=factory-kafka-cluster-kafka-bootstrap:9092") - .log("Reading message from Kafka: ${body}") - .log(" on the topic ${headers[kafka.TOPIC]}") - .log(" on the partition ${headers[kafka.PARTITION]}") - .log(" with the offset ${headers[kafka.OFFSET]}") - .log(" with the key ${headers[kafka.KEY]}"); - } - - @Override - public OnCompletionDefinition onCompletion() { - return super.onCompletion(); - } - } - name: MQTT2KafkaRoute.java ---- -# Source: manuela-stormshift/templates/messaging-kafka/camel-k-integration-platform.yaml -apiVersion: camel.apache.org/v1 -kind: IntegrationPlatform -metadata: - name: camel-k - namespace: manuela-stormshift-messaging - labels: - app: "camel-k" - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - configuration: - - type: repository - value: https://maven.repository.redhat.com/earlyaccess/all@id=redhat.ea ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-cluster.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: Kafka -metadata: - name: factory-kafka-cluster - namespace: manuela-stormshift-messaging - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - kafka: - replicas: 3 - listeners: - - name: plain - port: 9092 - type: internal - tls: false - - name: tls - port: 9093 - type: internal - tls: true - - name: external - port: 9094 - type: route - tls: true - configuration: - bootstrap: - host: bootstrap-factory-kafka-cluster.apps.region.example.com - config: - offsets.topic.replication.factor: 3 - transaction.state.log.min.isr: 2 - transaction.state.log.replication.factor: 3 - storage: - type: ephemeral - zookeeper: - replicas: 3 - storage: - type: ephemeral - entityOperator: - topicOperator: {} - userOperator: {} ---- -# Source: manuela-stormshift/templates/factory-mirror-maker/factory-mirror-maker.yaml -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaMirrorMaker -metadata: - name: factory-to-central-mm - namespace: manuela-stormshift-messaging -spec: - consumer: - bootstrapServers: >- - factory-kafka-cluster-kafka-bootstrap.manuela-stormshift-messaging.svc:9092 - groupId: my-source-group-id - include: .* - livenessProbe: - failureThreshold: 2 - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 2 - producer: - bootstrapServers: >- - prod-kafka-cluster-kafka-bootstrap-manuela-data-lake.apps.hub.example.com:443 - tls: - trustedCertificates: - - certificate: ca.crt - secretName: prod-kafka-cluster-cluster-ca-cert - readinessProbe: - failureThreshold: 2 - initialDelaySeconds: 0 - periodSeconds: 1 - successThreshold: 2 - timeoutSeconds: 2 - replicas: 1 - version: 3.1.0 ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-topic-temperature.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-temperature - namespace: manuela-stormshift-messaging - labels: - strimzi.io/cluster: factory-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-stormshift/templates/messaging-kafka/kafka-topic-vibration.yaml -apiVersion: kafka.strimzi.io/v1beta1 -kind: KafkaTopic -metadata: - name: iot-sensor-sw-vibration - namespace: manuela-stormshift-messaging - labels: - strimzi.io/cluster: factory-kafka-cluster - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - partitions: 1 - replicas: 1 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -# Source: manuela-stormshift/templates/anomaly-detection/iot-anomaly-detection-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: anomaly-detection - namespace: manuela-stormshift-messaging - labels: - component: serving -spec: - port: - targetPort: http - to: - kind: Service - name: anomaly-detection-predictor-anomaly-detection - tls: - insecureEdgeTerminationPolicy: Allow - termination: edge ---- -# Source: manuela-stormshift/templates/line-dashboard/line-dashboard-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: line-dashboard - name: line-dashboard - namespace: manuela-stormshift-line-dashboard -spec: - subdomain: line-dashboard-manuela-stormshift-line-dashboard - port: - targetPort: 8080-tcp - to: - kind: Service - name: line-dashboard - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-stormshift/templates/messaging/messaging-route.yaml -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: messaging - namespace: manuela-stormshift-messaging -spec: - subdomain: messaging-manuela-stormshift-messaging - port: - targetPort: 3000-tcp - to: - kind: Service - name: messaging - weight: 100 - wildcardPolicy: None ---- -# Source: manuela-stormshift/templates/anomaly-detection/iot-anomaly-detection-seldon.yaml -apiVersion: machinelearning.seldon.io/v1 -kind: SeldonDeployment -metadata: - name: anomaly-detection - namespace: manuela-stormshift-messaging - labels: - component: serving - annotations: - alpha.image.policy.openshift.io/resolve-names: "*" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - annotations: - deployment_version: "1" - name: anomaly-detection - predictors: - - annotations: - predictor_version: "0.1" - componentSpecs: - - spec: - containers: - - name: anomaly-detection - image: image-registry.openshift-image-registry.svc:5000/manuela-stormshift-messaging/anomaly-detection:0.3.2 - imagePullPolicy: Always - env: - - name: MODEL_FIILE - value: "model.joblib" - graph: - endpoint: - type: REST - name: anomaly-detection - type: MODEL - name: predictor - replicas: 1 diff --git a/tests/secrets-pipeline-setup-industrial-edge-factory.expected.yaml b/tests/secrets-pipeline-setup-industrial-edge-factory.expected.yaml deleted file mode 100644 index fdaa3ee7a..000000000 --- a/tests/secrets-pipeline-setup-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Source: pipeline-install/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: manuela-ci - labels: - manuela-role: pipeline - app.kubernetes.io/instance: manuela - #argocd.argoproj.io/managed-by: openshift-gitops -spec: - finalizers: - - kubernetes ---- -# Source: pipeline-install/templates/pipeline/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: -# pipeline is configured in the openshift-pipelines namespace as the default serviceaccount for pipelineruns -# So let's use that as our primary serviceaccount -# To change this setting, edit the configmap config-defaults in ns openshift-pipelines - name: pipeline - namespace: manuela-ci -secrets: -- name: git-repo-credentials -- name: image-registry-credentials diff --git a/tests/secrets-pipeline-setup-industrial-edge-hub.expected.yaml b/tests/secrets-pipeline-setup-industrial-edge-hub.expected.yaml deleted file mode 100644 index fdaa3ee7a..000000000 --- a/tests/secrets-pipeline-setup-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Source: pipeline-install/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: manuela-ci - labels: - manuela-role: pipeline - app.kubernetes.io/instance: manuela - #argocd.argoproj.io/managed-by: openshift-gitops -spec: - finalizers: - - kubernetes ---- -# Source: pipeline-install/templates/pipeline/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: -# pipeline is configured in the openshift-pipelines namespace as the default serviceaccount for pipelineruns -# So let's use that as our primary serviceaccount -# To change this setting, edit the configmap config-defaults in ns openshift-pipelines - name: pipeline - namespace: manuela-ci -secrets: -- name: git-repo-credentials -- name: image-registry-credentials diff --git a/tests/secrets-pipeline-setup-medical-diagnosis-hub.expected.yaml b/tests/secrets-pipeline-setup-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index fdaa3ee7a..000000000 --- a/tests/secrets-pipeline-setup-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Source: pipeline-install/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: manuela-ci - labels: - manuela-role: pipeline - app.kubernetes.io/instance: manuela - #argocd.argoproj.io/managed-by: openshift-gitops -spec: - finalizers: - - kubernetes ---- -# Source: pipeline-install/templates/pipeline/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: -# pipeline is configured in the openshift-pipelines namespace as the default serviceaccount for pipelineruns -# So let's use that as our primary serviceaccount -# To change this setting, edit the configmap config-defaults in ns openshift-pipelines - name: pipeline - namespace: manuela-ci -secrets: -- name: git-repo-credentials -- name: image-registry-credentials diff --git a/tests/secrets-pipeline-setup-naked.expected.yaml b/tests/secrets-pipeline-setup-naked.expected.yaml deleted file mode 100644 index fdaa3ee7a..000000000 --- a/tests/secrets-pipeline-setup-naked.expected.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Source: pipeline-install/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: manuela-ci - labels: - manuela-role: pipeline - app.kubernetes.io/instance: manuela - #argocd.argoproj.io/managed-by: openshift-gitops -spec: - finalizers: - - kubernetes ---- -# Source: pipeline-install/templates/pipeline/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: -# pipeline is configured in the openshift-pipelines namespace as the default serviceaccount for pipelineruns -# So let's use that as our primary serviceaccount -# To change this setting, edit the configmap config-defaults in ns openshift-pipelines - name: pipeline - namespace: manuela-ci -secrets: -- name: git-repo-credentials -- name: image-registry-credentials diff --git a/tests/secrets-pipeline-setup-normal.expected.yaml b/tests/secrets-pipeline-setup-normal.expected.yaml deleted file mode 100644 index fdaa3ee7a..000000000 --- a/tests/secrets-pipeline-setup-normal.expected.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Source: pipeline-install/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: manuela-ci - labels: - manuela-role: pipeline - app.kubernetes.io/instance: manuela - #argocd.argoproj.io/managed-by: openshift-gitops -spec: - finalizers: - - kubernetes ---- -# Source: pipeline-install/templates/pipeline/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: -# pipeline is configured in the openshift-pipelines namespace as the default serviceaccount for pipelineruns -# So let's use that as our primary serviceaccount -# To change this setting, edit the configmap config-defaults in ns openshift-pipelines - name: pipeline - namespace: manuela-ci -secrets: -- name: git-repo-credentials -- name: image-registry-credentials