kcr_external_secrets_io 3.20260124.94613

Kubernetes Custom Resource Bindings
// WARNING: generated by kopium - manual changes will be overwritten
// kopium command: kopium --docs --derive=Default --derive=PartialEq --smart-derive-elision --filename crd-catalog/external-secrets/external-secrets/external-secrets.io/v1alpha1/pushsecrets.yaml
// kopium version: 0.22.5

// Shared imports for the generated bindings below. Every re-export is referenced
// somewhere in this file; the `allow` presumably exists because the generator emits
// the same prelude for CRDs that use fewer of them (confirm against kopium).
#[allow(unused_imports)]
mod prelude {
    // Derive macro that generates the `PushSecret` resource type from `PushSecretSpec`.
    pub use kube::CustomResource;
    pub use serde::{Serialize, Deserialize};
    // Ordered map used for label/annotation/template maps and the synced-secrets status.
    pub use std::collections::BTreeMap;
    // Standard Kubernetes condition type used by `PushSecretStatus::conditions`.
    pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
}
use self::prelude::*;

/// PushSecretSpec configures the behavior of the PushSecret.
///
/// This is the `spec` of the namespaced `external-secrets.io/v1alpha1` `PushSecret`
/// resource; the `CustomResource` derive generates the `PushSecret` wrapper type and
/// attaches [`PushSecretStatus`] as its status.
#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[kube(group = "external-secrets.io", version = "v1alpha1", kind = "PushSecret", plural = "pushsecrets")]
#[kube(namespaced)]
#[kube(status = "PushSecretStatus")]
// No JsonSchema is derived for these types, so nothing in this crate validates field
// contents; validation is left to the CRD schema installed in the cluster.
#[kube(schema = "disabled")]
#[kube(derive="Default")]
#[kube(derive="PartialEq")]
pub struct PushSecretSpec {
    /// Secret Data that should be pushed to providers
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub data: Option<Vec<PushSecretData>>,
    /// Deletion Policy to handle Secrets in the provider.
    // NOTE(review): `Delete` presumably removes the pushed secret at the provider;
    // confirm the upstream semantics before setting it from automation.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "deletionPolicy")]
    pub deletion_policy: Option<PushSecretDeletionPolicy>,
    /// The Interval to which External Secrets will try to push a secret definition
    // Kept as an unparsed string; this binding does not check the duration format.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "refreshInterval")]
    pub refresh_interval: Option<String>,
    /// Secret stores to push to. Required: there is no serde default, so a manifest
    /// without `secretStoreRefs` fails to deserialize (an empty list is accepted).
    #[serde(rename = "secretStoreRefs")]
    pub secret_store_refs: Vec<PushSecretSecretStoreRefs>,
    /// The Secret Selector (k8s source) for the Push Secret
    pub selector: PushSecretSelector,
    /// Template defines a blueprint for the created Secret resource.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub template: Option<PushSecretTemplate>,
    /// UpdatePolicy to handle Secrets in the provider.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "updatePolicy")]
    pub update_policy: Option<PushSecretUpdatePolicy>,
}

/// PushSecretData defines data to be pushed to the provider and associated metadata.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretData {
    /// Used to define a conversion Strategy for the secret keys
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "conversionStrategy")]
    pub conversion_strategy: Option<PushSecretDataConversionStrategy>,
    /// Match a given Secret Key to be pushed to the provider.
    // Required (no serde default). `match` is a Rust keyword, hence the raw identifier.
    #[serde(rename = "match")]
    pub r#match: PushSecretDataMatch,
    /// Metadata is metadata attached to the secret.
    /// The structure of metadata is provider specific, please look it up in the provider documentation.
    // Untyped JSON: any shape deserializes here, so code that consumes this value has
    // to validate it against the provider's expected structure itself.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub metadata: Option<serde_json::Value>,
}

/// Allowed values for [`PushSecretData::conversion_strategy`].
///
/// Variants serialize under their Rust names (`"None"`, `"ReverseUnicode"`); any other
/// string is rejected at deserialization because there is no catch-all variant.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum PushSecretDataConversionStrategy {
    None,
    ReverseUnicode,
}

/// Match a given Secret Key to be pushed to the provider.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretDataMatch {
    /// Remote Refs to push to providers.
    // Required: deserialization fails when `remoteRef` is absent.
    #[serde(rename = "remoteRef")]
    pub remote_ref: PushSecretDataMatchRemoteRef,
    /// Secret Key to be pushed
    // NOTE(review): optional here; what the controller pushes when it is omitted is
    // not visible in this binding - confirm upstream.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretKey")]
    pub secret_key: Option<String>,
}

/// Remote Refs to push to providers.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretDataMatchRemoteRef {
    /// Name of the property in the resulting secret
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub property: Option<String>,
    /// Name of the resulting provider secret.
    // Required free-form string; the derived `Default` yields an empty key, which this
    // type does not reject.
    #[serde(rename = "remoteKey")]
    pub remote_key: String,
}

/// Allowed values for [`PushSecretSpec::deletion_policy`].
///
/// Serialized as `"Delete"` or `"None"`; other strings fail to deserialize.
// NOTE(review): `Delete` presumably causes provider-side secrets to be removed when the
// PushSecret goes away - confirm upstream and review who may create PushSecrets with it.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum PushSecretDeletionPolicy {
    Delete,
    None,
}

/// PushSecretStoreRef contains a reference on how to sync to a SecretStore.
// All three fields are optional, so an empty object deserializes successfully; the type
// does not force a caller to pick a store by `name` or by `label_selector`.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretSecretStoreRefs {
    /// Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub kind: Option<PushSecretSecretStoreRefsKind>,
    /// Optionally, sync to secret stores with label selector
    // NOTE(review): a label selector targets every store carrying the labels, so whoever
    // can label stores presumably influences where secrets are pushed - confirm.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
    pub label_selector: Option<PushSecretSecretStoreRefsLabelSelector>,
    /// Optionally, sync to the SecretStore of the given name
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
}

/// Allowed values for [`PushSecretSecretStoreRefs::kind`].
///
/// Serialized as `"SecretStore"` or `"ClusterSecretStore"`; other strings fail to
/// deserialize.
// NOTE(review): `ClusterSecretStore` presumably refers to a cluster-scoped store shared
// across namespaces - verify which namespaces are allowed to reference it.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum PushSecretSecretStoreRefsKind {
    SecretStore,
    ClusterSecretStore,
}

/// Optionally, sync to secret stores with label selector
// Both fields are optional; an empty selector object is representable. What an empty
// selector matches is decided by the controller, not by this type.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretSecretStoreRefsLabelSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<PushSecretSecretStoreRefsLabelSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}

/// A label selector requirement is a selector that contains values, a key, and an operator that
/// relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretSecretStoreRefsLabelSelectorMatchExpressions {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    // Plain `String`: the operator list above is not enforced by this type, and neither
    // is the non-empty/empty rule for `values` described below.
    pub operator: String,
    /// values is an array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. This array is replaced during a strategic
    /// merge patch.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}

/// The Secret Selector (k8s source) for the Push Secret
// Both sources are `Option`, so this type can represent "neither" and "both".
// NOTE(review): presumably exactly one is expected - confirm against the CRD and check
// it explicitly when building a PushSecret in code.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretSelector {
    /// Point to a generator to create a Secret.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "generatorRef")]
    pub generator_ref: Option<PushSecretSelectorGeneratorRef>,
    /// Select a Secret to Push.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub secret: Option<PushSecretSelectorSecret>,
}

/// Point to a generator to create a Secret.
// `Default` is not derived here: `kind` is a required enum that has no default value.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct PushSecretSelectorGeneratorRef {
    /// Specify the apiVersion of the generator resource
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiVersion")]
    pub api_version: Option<String>,
    /// Specify the Kind of the generator resource
    pub kind: PushSecretSelectorGeneratorRefKind,
    /// Specify the name of the generator resource
    pub name: String,
}

/// Allowed values for [`PushSecretSelectorGeneratorRef::kind`].
///
/// The `rename` attributes keep the upstream acronym casing on the wire while the Rust
/// variants use CamelCase. The set is closed: a kind string that is not listed here
/// fails to deserialize, so these bindings must be regenerated when the CRD gains a
/// new generator kind.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum PushSecretSelectorGeneratorRefKind {
    #[serde(rename = "ACRAccessToken")]
    AcrAccessToken,
    ClusterGenerator,
    CloudsmithAccessToken,
    #[serde(rename = "ECRAuthorizationToken")]
    EcrAuthorizationToken,
    Fake,
    #[serde(rename = "GCRAccessToken")]
    GcrAccessToken,
    GithubAccessToken,
    QuayAccessToken,
    Password,
    #[serde(rename = "SSHKey")]
    SshKey,
    #[serde(rename = "STSSessionToken")]
    StsSessionToken,
    #[serde(rename = "UUID")]
    Uuid,
    VaultDynamicSecret,
    Webhook,
    Grafana,
    #[serde(rename = "MFA")]
    Mfa,
}

/// Select a Secret to Push.
// `name` and `selector` are both optional; the type does not require either one.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretSelectorSecret {
    /// Name of the Secret.
    /// The Secret must exist in the same namespace as the PushSecret manifest.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// Selector chooses secrets using a labelSelector.
    // NOTE(review): a label selector can match more than one Secret, so the set that is
    // pushed presumably follows whoever can label Secrets in the namespace - confirm.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub selector: Option<PushSecretSelectorSecretSelector>,
}

/// Selector chooses secrets using a labelSelector.
// Both fields are optional; an empty selector object is representable. What it matches
// is decided by the controller, not by this type.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretSelectorSecretSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<PushSecretSelectorSecretSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}

/// A label selector requirement is a selector that contains values, a key, and an operator that
/// relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretSelectorSecretSelectorMatchExpressions {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    // Plain `String`: the operator list above is not enforced by this type, and neither
    // is the non-empty/empty rule for `values` described below.
    pub operator: String,
    /// values is an array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. This array is replaced during a strategic
    /// merge patch.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}

/// Template defines a blueprint for the created Secret resource.
// `Debug` is derived, so formatting this struct prints the template strings in `data`
// and any `literal` templates verbatim; keep that in mind when logging it.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretTemplate {
    // String-to-string map with no upstream description.
    // NOTE(review): presumably output key -> template text - confirm upstream.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub data: Option<BTreeMap<String, String>>,
    /// EngineVersion specifies the template engine version
    /// that should be used to compile/execute the
    /// template specified in .data and .templateFrom[].
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "engineVersion")]
    pub engine_version: Option<PushSecretTemplateEngineVersion>,
    /// TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mergePolicy")]
    pub merge_policy: Option<PushSecretTemplateMergePolicy>,
    /// ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub metadata: Option<PushSecretTemplateMetadata>,
    // Additional template sources (ConfigMap, Secret or literal); no upstream description.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "templateFrom")]
    pub template_from: Option<Vec<PushSecretTemplateTemplateFrom>>,
    // Serialized as `type`; raw identifier because `type` is a Rust keyword.
    // NOTE(review): presumably the Kubernetes Secret type string - confirm upstream.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")]
    pub r#type: Option<String>,
}

/// Allowed values for [`PushSecretTemplate::engine_version`].
///
/// Only `"v2"` is accepted; any other version string fails to deserialize.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum PushSecretTemplateEngineVersion {
    #[serde(rename = "v2")]
    V2,
}

/// Allowed values for [`PushSecretTemplate::merge_policy`], which controls how the
/// rendered template is merged with the existing Secret data.
///
/// Serialized as `"Replace"` or `"Merge"`; other strings fail to deserialize.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum PushSecretTemplateMergePolicy {
    Replace,
    Merge,
}

/// ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretTemplateMetadata {
    // Annotation key/value pairs for the blueprint; no upstream description.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub annotations: Option<BTreeMap<String, String>>,
    // Finalizer names for the blueprint; no upstream description.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub finalizers: Option<Vec<String>>,
    // Label key/value pairs for the blueprint; no upstream description.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub labels: Option<BTreeMap<String, String>>,
}

/// TemplateFrom specifies a source for templates.
/// Each item in the list can either reference a ConfigMap or a Secret resource.
// `config_map`, `literal` and `secret` are all optional, so the type does not enforce
// that exactly one source is set.
// NOTE(review): template text loaded from a ConfigMap or Secret is presumably controlled
// by whoever can write that object, so write access to it should be as restricted as
// write access to the PushSecret itself - confirm against the controller's behavior.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretTemplateTemplateFrom {
    /// TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "configMap")]
    pub config_map: Option<PushSecretTemplateTemplateFromConfigMap>,
    // Inline template source; no upstream description.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub literal: Option<String>,
    /// TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub secret: Option<PushSecretTemplateTemplateFromSecret>,
    /// Target specifies where to place the template result.
    /// For Secret resources, common values are: "Data", "Annotations", "Labels".
    /// For custom resources (when spec.target.manifest is set), this supports
    /// nested paths like "spec.database.config" or "data".
    // Free-form string: the values named above are not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub target: Option<String>,
}

/// TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
///
/// This instance is the `configMap` variant of the reference. Both fields are required;
/// there is no namespace field on the reference.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretTemplateTemplateFromConfigMap {
    /// A list of keys in the ConfigMap/Secret to use as templates for Secret data
    pub items: Vec<PushSecretTemplateTemplateFromConfigMapItems>,
    /// The name of the ConfigMap/Secret resource
    pub name: String,
}

/// TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretTemplateTemplateFromConfigMapItems {
    /// A key in the ConfigMap/Secret
    pub key: String,
    /// TemplateScope specifies how the template keys should be interpreted.
    // Optional; the behavior when omitted is decided by the controller.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "templateAs")]
    pub template_as: Option<PushSecretTemplateTemplateFromConfigMapItemsTemplateAs>,
}

/// Allowed values for [`PushSecretTemplateTemplateFromConfigMapItems::template_as`],
/// which specifies how the template keys should be interpreted.
///
/// Serialized as `"Values"` or `"KeysAndValues"`; other strings fail to deserialize.
// NOTE(review): `KeysAndValues` presumably lets the template produce key names as well
// as values - confirm upstream before using it with templates from shared objects.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum PushSecretTemplateTemplateFromConfigMapItemsTemplateAs {
    Values,
    KeysAndValues,
}

/// TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
///
/// This instance is the `secret` variant of the reference. Both fields are required;
/// there is no namespace field on the reference.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretTemplateTemplateFromSecret {
    /// A list of keys in the ConfigMap/Secret to use as templates for Secret data
    pub items: Vec<PushSecretTemplateTemplateFromSecretItems>,
    /// The name of the ConfigMap/Secret resource
    pub name: String,
}

/// TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretTemplateTemplateFromSecretItems {
    /// A key in the ConfigMap/Secret
    pub key: String,
    /// TemplateScope specifies how the template keys should be interpreted.
    // Optional; the behavior when omitted is decided by the controller.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "templateAs")]
    pub template_as: Option<PushSecretTemplateTemplateFromSecretItemsTemplateAs>,
}

/// Allowed values for [`PushSecretTemplateTemplateFromSecretItems::template_as`],
/// which specifies how the template keys should be interpreted.
///
/// Serialized as `"Values"` or `"KeysAndValues"`; other strings fail to deserialize.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum PushSecretTemplateTemplateFromSecretItemsTemplateAs {
    Values,
    KeysAndValues,
}

/// Allowed values for [`PushSecretSpec::update_policy`].
///
/// Serialized as `"Replace"` or `"IfNotExists"`; other strings fail to deserialize.
// NOTE(review): `Replace` presumably overwrites a secret that already exists at the
// provider, while `IfNotExists` leaves it alone - confirm upstream before relying on it.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum PushSecretUpdatePolicy {
    Replace,
    IfNotExists,
}

/// PushSecretStatus indicates the history of the status of PushSecret.
///
/// Every field is optional, so an empty status object deserializes to the default value.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretStatus {
    // Standard Kubernetes conditions (`meta/v1` `Condition`); no upstream description.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub conditions: Option<Vec<Condition>>,
    /// refreshTime is the time and date the external secret was fetched and
    /// the target secret updated
    // Kept as an unparsed string; this binding does not check the timestamp format.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "refreshTime")]
    pub refresh_time: Option<String>,
    /// Synced PushSecrets, including secrets that already exist in provider.
    /// Matches secret stores to PushSecretData that was stored to that secret store.
    // Two-level map: the outer key identifies the secret store per the description above.
    // NOTE(review): the meaning of the inner key is not visible here - confirm upstream.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "syncedPushSecrets")]
    pub synced_push_secrets: Option<BTreeMap<String, BTreeMap<String, PushSecretStatusSyncedPushSecrets>>>,
    /// SyncedResourceVersion keeps track of the last synced version.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "syncedResourceVersion")]
    pub synced_resource_version: Option<String>,
}

/// Value type of the `syncedPushSecrets` status map: one pushed entry recorded per store.
///
/// It has the same fields as [`PushSecretData`], except that `match` is optional here.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretStatusSyncedPushSecrets {
    /// Used to define a conversion Strategy for the secret keys
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "conversionStrategy")]
    pub conversion_strategy: Option<PushSecretStatusSyncedPushSecretsConversionStrategy>,
    /// Match a given Secret Key to be pushed to the provider.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "match")]
    pub r#match: Option<PushSecretStatusSyncedPushSecretsMatch>,
    /// Metadata is metadata attached to the secret.
    /// The structure of metadata is provider specific, please look it up in the provider documentation.
    // Untyped JSON: any shape deserializes here; consumers must validate it themselves.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub metadata: Option<serde_json::Value>,
}

/// Allowed values for [`PushSecretStatusSyncedPushSecrets::conversion_strategy`].
///
/// Serialized as `"None"` or `"ReverseUnicode"`; other strings fail to deserialize.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum PushSecretStatusSyncedPushSecretsConversionStrategy {
    None,
    ReverseUnicode,
}

/// Match a given Secret Key to be pushed to the provider.
///
/// Status-side counterpart of [`PushSecretDataMatch`], with the same fields.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretStatusSyncedPushSecretsMatch {
    /// Remote Refs to push to providers.
    // Required: deserialization fails when `remoteRef` is absent.
    #[serde(rename = "remoteRef")]
    pub remote_ref: PushSecretStatusSyncedPushSecretsMatchRemoteRef,
    /// Secret Key to be pushed
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretKey")]
    pub secret_key: Option<String>,
}

/// Remote Refs to push to providers.
///
/// Status-side counterpart of [`PushSecretDataMatchRemoteRef`], with the same fields.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct PushSecretStatusSyncedPushSecretsMatchRemoteRef {
    /// Name of the property in the resulting secret
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub property: Option<String>,
    /// Name of the resulting provider secret.
    // Required free-form string; the derived `Default` yields an empty key, which this
    // type does not reject.
    #[serde(rename = "remoteKey")]
    pub remote_key: String,
}