Add secret-sync.gke.io/secretsync_v1 (#777)

Author: miono

secret-sync.gke.io/secretsync_v1.json

@@ -0,0 +1,215 @@
+{
+  "description": "SecretSync represents the desired and observed state of the secret synchronization process.\nThe SecretSync name is used as the name of the secret object created by the controller.",
+  "properties": {
+    "apiVersion": {
+      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+      "type": "string"
+    },
+    "kind": {
+      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+      "type": "string"
+    },
+    "metadata": {
+      "type": "object"
+    },
+    "spec": {
+      "description": "SecretSyncSpec defines the desired state for synchronizing secret.",
+      "properties": {
+        "forceSynchronization": {
+          "description": "forceSynchronization can be used to force the secret synchronization. The secret synchronization is\ntriggered by changing the value in this field.\nThis field is not used to resolve synchronization conflicts.\nIt is not related with the force query parameter in the Apply operation.\nhttps://kubernetes.io/docs/reference/using-api/server-side-apply/#conflicts",
+          "maxLength": 253,
+          "pattern": "^[A-Za-z0-9]([-A-Za-z0-9]+([-._a-zA-Z0-9]?[A-Za-z0-9])*)?",
+          "type": "string"
+        },
+        "secretObject": {
+          "description": "secretObject specifies the configuration for the synchronized Kubernetes secret object.",
+          "properties": {
+            "annotations": {
+              "additionalProperties": {
+                "type": "string"
+              },
+              "description": "annotations contains key-value pairs representing annotations associated with the Kubernetes secret object.\nThe following annotation prefix is reserved: secrets-store.sync.x-k8s.io/.\nCreation fails if the annotation key is specified in the SecretSync object by the user.",
+              "type": "object",
+              "x-kubernetes-validations": [
+                {
+                  "message": "Annotations should have < 253 characters for both keys and values.",
+                  "rule": "(self.all(x, x.size() < 253 && self[x].size() < 253) == true)"
+                },
+                {
+                  "message": "Annotations should not contain secrets-store.sync.x-k8s.io. This key is reserved for the controller.",
+                  "rule": "(self.all(x, x.startsWith('secrets-store.sync.x-k8s.io') == false))"
+                }
+              ]
+            },
+            "data": {
+              "description": "data is a list of SecretObjectData containing secret data source from the Secret Provider Class and the\ncorresponding data field key used in the Kubernetes secret object.",
+              "items": {
+                "description": "SecretObjectData defines the desired state of synchronized data within a Kubernetes secret object.",
+                "properties": {
+                  "sourcePath": {
+                    "description": "sourcePath is the data source value of the secret defined in the Secret Provider Class.\nThis matches the path of a file in the MountResponse returned from the provider.",
+                    "maxLength": 253,
+                    "minLength": 1,
+                    "pattern": "^[A-Za-z0-9.]([-A-Za-z0-9]+([-._a-zA-Z0-9]?[A-Za-z0-9])*)?(\\/([0-9]+))*$",
+                    "type": "string"
+                  },
+                  "targetKey": {
+                    "description": "targetKey is the key in the Kubernetes secret's data field as described in the Kubernetes API reference:\nhttps://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1/",
+                    "maxLength": 253,
+                    "minLength": 1,
+                    "pattern": "^[A-Za-z0-9.]([-A-Za-z0-9]+([-._a-zA-Z0-9]?[A-Za-z0-9])*)?(\\/([0-9]+))*$",
+                    "type": "string"
+                  }
+                },
+                "required": [
+                  "sourcePath",
+                  "targetKey"
+                ],
+                "type": "object",
+                "additionalProperties": false
+              },
+              "minItems": 1,
+              "type": "array",
+              "x-kubernetes-list-map-keys": [
+                "targetKey"
+              ],
+              "x-kubernetes-list-type": "map"
+            },
+            "labels": {
+              "additionalProperties": {
+                "type": "string"
+              },
+              "description": "labels contains key-value pairs representing labels associated with the Kubernetes secret object.\nThe labels are used to identify the secret object created by the controller.\nOn secret creation, the following label is added: secrets-store.sync.x-k8s.io/secretsync=<secret-sync-name>.\nThe following label prefix is reserved: secrets-store.sync.x-k8s.io/.\nCreation fails if the label is specified in the SecretSync object with a different value.\nOn secret update, if the validation admission policy is set, the controller will check if the label\nsecrets-store.sync.x-k8s.io/secretsync=<secret-sync-name> is present. If the label is not present,\ncontroller fails to update the secret.",
+              "type": "object",
+              "x-kubernetes-validations": [
+                {
+                  "message": "Labels should have < 63 characters for both keys and values.",
+                  "rule": "(self.all(x, x.size() < 63 && self[x].size() < 63) == true)"
+                },
+                {
+                  "message": "Labels should not contain secrets-store.sync.x-k8s.io. This key is reserved for the controller.",
+                  "rule": "(self.all(x, x.startsWith('secrets-store.sync.x-k8s.io') == false))"
+                }
+              ]
+            },
+            "type": {
+              "description": "type specifies the type of the Kubernetes secret object,\ne.g. \"Opaque\";\"kubernetes.io/basic-auth\";\"kubernetes.io/ssh-auth\";\"kubernetes.io/tls\"\nThe controller must have permission to create secrets of the specified type.",
+              "maxLength": 253,
+              "minLength": 1,
+              "type": "string"
+            }
+          },
+          "required": [
+            "data",
+            "type"
+          ],
+          "type": "object",
+          "additionalProperties": false
+        },
+        "secretProviderClassName": {
+          "description": "secretProviderClassName specifies the name of the secret provider class used to pass information to\naccess the secret store.",
+          "maxLength": 253,
+          "minLength": 1,
+          "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
+          "type": "string"
+        },
+        "secretSyncControllerName": {
+          "default": "",
+          "description": "secretSyncControllerName specifies the name of the secrets store sync controller used to synchronize\nthe secret.",
+          "type": "string"
+        },
+        "serviceAccountName": {
+          "description": "serviceAccountName specifies the name of the service account used to access the secret store.\nThe audience field in the service account token must be passed as parameter in the controller configuration.\nThe audience is used when requesting a token from the API server for the service account; the supported\naudiences are defined by each provider.",
+          "maxLength": 253,
+          "minLength": 1,
+          "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
+          "type": "string"
+        }
+      },
+      "required": [
+        "secretObject",
+        "secretProviderClassName",
+        "serviceAccountName"
+      ],
+      "type": "object",
+      "additionalProperties": false
+    },
+    "status": {
+      "description": "SecretSyncStatus defines the observed state of the secret synchronization process.",
+      "properties": {
+        "conditions": {
+          "items": {
+            "description": "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions.  For example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the observations of a foo's current state.\n\t    // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    // +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t    // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t    // other fields\n\t}",
+            "properties": {
+              "lastTransitionTime": {
+                "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
+                "format": "date-time",
+                "type": "string"
+              },
+              "message": {
+                "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.",
+                "maxLength": 32768,
+                "type": "string"
+              },
+              "observedGeneration": {
+                "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.",
+                "format": "int64",
+                "minimum": 0,
+                "type": "integer"
+              },
+              "reason": {
+                "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.",
+                "maxLength": 1024,
+                "minLength": 1,
+                "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
+                "type": "string"
+              },
+              "status": {
+                "description": "status of the condition, one of True, False, Unknown.",
+                "enum": [
+                  "True",
+                  "False",
+                  "Unknown"
+                ],
+                "type": "string"
+              },
+              "type": {
+                "description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
+                "maxLength": 316,
+                "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
+                "type": "string"
+              }
+            },
+            "required": [
+              "lastTransitionTime",
+              "message",
+              "reason",
+              "status",
+              "type"
+            ],
+            "type": "object",
+            "additionalProperties": false
+          },
+          "maxItems": 16,
+          "type": "array",
+          "x-kubernetes-list-map-keys": [
+            "type"
+          ],
+          "x-kubernetes-list-type": "map"
+        },
+        "lastSuccessfulSyncTime": {
+          "description": "lastSuccessfulSyncTime represents the last time the secret was retrieved from the Provider and updated.",
+          "format": "date-time",
+          "type": "string"
+        },
+        "syncHash": {
+          "description": "syncHash contains the hash of the secret object data, data from the SecretProviderClass (e.g. UID,\nand metadata.generation), and similar data from the SecretSync. This hash is used to\ndetermine if the secret changed.\nThe hash is calculated using the HMAC (Hash-based Message Authentication Code) algorithm, using bcrypt\nhashing, with the SecretsSync's UID as the key.\nThe secret is updated if:\n\t\t1. the hash is different\n\t\t2. the lastSuccessfulSyncTime indicates a rotation is required\n\t\t\t- the rotation poll interval is passed as a parameter in the controller configuration\n\t\t3. the SecretUpdateStatus is 'Failed'",
+          "type": "string"
+        }
+      },
+      "type": "object",
+      "additionalProperties": false
+    }
+  },
+  "type": "object"
+}