crd.yaml

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: externalsecrets.kubernetes-client.io
spec:
  group: kubernetes-client.io
  version: v1
  scope: Namespaced

  names:
    shortNames:
    - es
    kind: ExternalSecret
    plural: externalsecrets
    singular: externalsecret

  additionalPrinterColumns:
  - JSONPath: .status.lastSync
    name: Last Sync
    type: date
  - JSONPath: .status.status
    name: status
    type: string
  - JSONPath: .metadata.creationTimestamp
    name: Age
    type: date

  validation:
    openAPIV3Schema:
      properties:
        spec:
          type: object
          properties:
            template:
              description: Template which will be deep merged without mutating
                any existing fields. into generated secret, can be used to
                set for example annotations or type on the generated secret
              type: object
            backendType:
              type: string
              enum:
                - secretsManager
                - systemManager
                - vault
                - azureKeyVault
                - gcpSecretsManager
            vaultRole:
              type: string
            vaultMountPoint:
              type: string
            keyVaultName:
              type: string
            key:
              type: string
            dataFrom:
              type: array
              items:
                type: string
            data:
              type: array
              items:
                type: object
                properties:
                  key:
                    description: Secret key in backend
                    type: string
                  name:
                    description: Name set for this key in the generated secret
                    type: string
                  property:
                    description: Property to extract if secret in backend is a JSON object
                  isBinary:
                    description: >-
                      You must set this to true if configuring an item for a binary file stored in Azure KeyVault.
                      Azure automatically base64 encodes binary files and setting this to true ensures External Secrets
                      does not base64 encode the base64 encoded binary files.
                    type: boolean
                required:
                  - name
                  - key
            roleArn:
              type: string
          oneOf:
            - properties:
                backendType:
                  enum:
                    - secretsManager
                    - systemManager
            - properties:
                backendType:
                  enum:
                    - vault
              required:
                - vaultRole
                - vaultMountPoint
            - properties:
                backendType:
                  enum:
                    - azureKeyVault
              required:
                - keyVaultName
            - properties:
                backendType:
                  enum:
                    - gcpSecretsManager
          anyOf:
            - required:
              - data
            - required:
              - dataFrom

  subresources:
    status: {}