fix(vault): Add vault support to monitoring cluster
This commit is contained in:
parent
92831a5130
commit
4fcea19d40
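--- /dev/null
+++ b/PATH_NOT_ON_PAGE_1
@@ -0,0 +1,6 @@
+dependencies:
+- name: vault-secrets-operator
+repository: https://helm.releases.hashicorp.com
+version: 0.3.4
+digest: sha256:31a1abfdb72e2bbda888425b359389c93ae44e9f614e28e227181e69a0af08a7
+generated: "2023-11-06T08:00:20.832546+01:00"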
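--- /dev/null
+++ b/PATH_NOT_ON_PAGE_2
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: vault-secrets-operator
+version: 0.1.0
+type: application
+description: "Installs the authentication to communicate with HCP secrets"
+dependencies:
+- name: vault-secrets-operator
+version: 0.3.4
+repository: https://helm.releases.hashicorp.com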
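--- /dev/null
+++ b/PATH_NOT_ON_PAGE_3
@@ -0,0 +1,4 @@
+organizationId: "2015ed6d-3c84-48d5-9aca-99b0034b8b5a"
+projectId: "21153839-1630-4f55-9803-0220e3af458d"
+allowedNamespaces:
+- name: hcloud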
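Review bot: The `allowedNamespaces` entry widens which namespaces may use this HCPAuth, and the consequence is not stated next to it: per the hcpauths CRD text in this commit, a namespace on this list is authorized to use the auth method, i.e. the service principal behind it, for its own secret syncs, on top of the release namespace the template always adds. Add a comment above the key such as `# Namespaces (in addition to the release namespace) whose HCPVaultSecretsApp resources may use this HCPAuth's service principal; keep this list minimal.` so later additions are made knowingly.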
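--- /dev/null
+++ b/PATH_NOT_ON_PAGE_4
@@ -0,0 +1,73 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "template.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "template.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "template.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "template.labels" -}}
+helm.sh/chart: {{ include "template.chart" . }}
+{{ include "template.selectorLabels" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "template.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "template.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "template.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "template.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- /*
+template.util.merge will merge two YAML templates and output the result.
+This takes an array of three values:
+- the top context
+- the template name of the overrides (destination)
+- the template name of the base (source)
+*/}}
+{{- define "template.util.merge" -}}
+{{- $top := first . -}}
+{{- $overrides := fromYaml (include (index . 1) $top) | default (dict ) -}}
+{{- $tpl := fromYaml (include (index . 2) $top) | default (dict ) -}}
+{{- toYaml (merge $overrides $tpl) -}}
+{{- end -}}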
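Review bot: `template.serviceAccountName` dereferences `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the values.yaml added in this commit defines only `organizationId`, `projectId` and `allowedNamespaces`, so the first template that includes this helper will fail at render time with a nil-pointer error on `serviceAccount`; none of the templates on this page call it, so either delete the unused helper or add a `serviceAccount:` stanza with `create` and `name` defaults to values.yaml. `template.name` and `template.fullname` read `nameOverride`/`fullnameOverride` that are equally undefined, but those survive because a missing top-level key yields nil and `default`/`if` tolerate it. As a style point, the last helper opens its comment with `{{- /*` while every other one uses `{{/*`, and `(dict )` carries a stray space — `{{- $overrides := fromYaml (include (index . 1) $top) | default (dict) -}}` reads cleaner.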
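--- /dev/null
+++ b/PATH_NOT_ON_PAGE_5
@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: HCPAuth
+metadata:
+name: hcp-auth
+namespace: {{ .Release.Namespace }}
+labels:
+{{- include "template.labels" . | nindent 4 }}
+spec:
+organizationID: {{ .Values.organizationId }}
+projectID: {{ .Values.projectId }}
+allowedNamespaces:
+- {{ .Release.Namespace }}
+{{- range .Values.allowedNamespaces }}
+- {{ .name }}
+{{- end }}
+servicePrincipal:
+secretRef: vault-service-principal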
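Review bot: `organizationID: {{ .Values.organizationId }}` and `projectID: {{ .Values.projectId }}` render unquoted, and with the chart's defaults of `""` they produce a bare `organizationID:` — a YAML null — so a forgotten value is rejected by the API server against the required string fields of the hcpauths CRD instead of failing at render time with a readable message. Use `organizationID: {{ required "organizationId must be set" .Values.organizationId | quote }}` and `projectID: {{ required "projectId must be set" .Values.projectId | quote }}`, and write the ranged entries as `- {{ .name | quote }}` so a namespace name that looks like a number or boolean stays a string. `secretRef: vault-service-principal` hard-codes the Secret name with no value and no comment; per the CRD text in this commit that Secret must hold `clientID` and `clientSecret` and is looked up in the HCPAuth's namespace, so a comment stating that it is created out-of-band and never by this chart (or a value for the name) would make the dependency explicit.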
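--- /dev/null
+++ b/PATH_NOT_ON_PAGE_6
@@ -0,0 +1,3 @@
+organizationId: ""
+projectId: ""
+allowedNamespaces: []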
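Review bot: values.yaml documents none of its three keys, and the `""` defaults are placeholders that do not yield a valid HCPAuth (the CRD in this commit requires `organizationID` and `projectID`), so the file reads as deployable when it is not. Add a comment above each key, e.g. `# HCP organization ID (UUID); required, there is no usable default` for `organizationId`, the same for `projectId`, and `# Additional namespaces (beyond the release namespace) allowed to use this HCPAuth; each entry is an object with a name key` above `allowedNamespaces`, matching the `.name` the template ranges over.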
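--- /dev/null
+++ b/PATH_NOT_ON_PAGE_7
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: vso-crds
+description: CRDs for the vault-secrets-operator
+type: application
+version: 0.1.0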
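Review bot: Nothing in this Chart.yaml records which operator release the vendored CRDs under it were copied from, so a later bump of the `vault-secrets-operator` dependency (pinned to 0.3.4 in the lock file of this commit) can silently leave these schemas behind. Add `appVersion: "0.3.4"` — or, if the CRDs were not taken from that release, a comment naming the upstream version they came from — so the two can be kept in step when the dependency is upgraded.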
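--- /dev/null
+++ b/PATH_NOT_ON_PAGE_8
@@ -0,0 +1,100 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.13.0
+name: hcpauths.secrets.hashicorp.com
+spec:
+group: secrets.hashicorp.com
+names:
+kind: HCPAuth
+listKind: HCPAuthList
+plural: hcpauths
+singular: hcpauth
+scope: Namespaced
+versions:
+- name: v1beta1
+schema:
+openAPIV3Schema:
+description: HCPAuth is the Schema for the hcpauths API
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation
+of an object. Servers should convert recognized schemas to the latest
+internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this
+object represents. Servers may infer this from the endpoint the client
+submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: HCPAuthSpec defines the desired state of HCPAuth
+properties:
+allowedNamespaces:
+description: 'AllowedNamespaces Kubernetes Namespaces which are allow-listed
+for use with this AuthMethod. This field allows administrators to
+customize which Kubernetes namespaces are authorized to use with
+this AuthMethod. While Vault will still enforce its own rules, this
+has the added configurability of restricting which HCPAuthMethods
+can be used by which namespaces. Accepted values: []{"*"} - wildcard,
+all namespaces. []{"a", "b"} - list of namespaces. unset - disallow
+all namespaces except the Operator''s the HCPAuthMethod''s namespace,
+this is the default behavior.'
+items:
+type: string
+type: array
+method:
+default: servicePrincipal
+description: Method to use when authenticating to Vault.
+enum:
+- servicePrincipal
+type: string
+organizationID:
+description: OrganizationID of the HCP organization.
+type: string
+projectID:
+description: ProjectID of the HCP project.
+type: string
+servicePrincipal:
+description: ServicePrincipal provides the necessary configuration
+for authenticating to HCP using a service principal. For security
+reasons, only project-level service principals should ever be used.
+properties:
+secretRef:
+description: 'SecretRef is the name of a Kubernetes secret in
+the consumer''s (VDS/VSS/PKI/HCP) namespace which provides the
+HCP ServicePrincipal clientID, and clientSecret. The secret
+data must have the following structure { "clientID": "clientID",
+"clientSecret": "clientSecret", }'
+type: string
+required:
+- secretRef
+type: object
+required:
+- organizationID
+- projectID
+type: object
+status:
+description: HCPAuthStatus defines the observed state of HCPAuth
+properties:
+error:
+type: string
+valid:
+description: Valid auth mechanism.
+type: boolean
+required:
+- error
+- valid
+type: object
+type: object
+served: true
+storage: true
+subresources:
+status: {}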
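--- /dev/null
+++ b/PATH_NOT_ON_PAGE_9
@@ -0,0 +1,140 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.13.0
+name: hcpvaultsecretsapps.secrets.hashicorp.com
+spec:
+group: secrets.hashicorp.com
+names:
+kind: HCPVaultSecretsApp
+listKind: HCPVaultSecretsAppList
+plural: hcpvaultsecretsapps
+singular: hcpvaultsecretsapp
+scope: Namespaced
+versions:
+- name: v1beta1
+schema:
+openAPIV3Schema:
+description: HCPVaultSecretsApp is the Schema for the hcpvaultsecretsapps
+API
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation
+of an object. Servers should convert recognized schemas to the latest
+internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this
+object represents. Servers may infer this from the endpoint the client
+submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: HCPVaultSecretsAppSpec defines the desired state of HCPVaultSecretsApp
+properties:
+appName:
+description: AppName of the Vault Secrets Application that is to be
+synced.
+type: string
+destination:
+description: Destination provides configuration necessary for syncing
+the HCP Vault Application secrets to Kubernetes.
+properties:
+annotations:
+additionalProperties:
+type: string
+description: Annotations to apply to the Secret. Requires Create
+to be set to true.
+type: object
+create:
+description: Create the destination Secret. If the Secret already
+exists this should be set to false.
+type: boolean
+labels:
+additionalProperties:
+type: string
+description: Labels to apply to the Secret. Requires Create to
+be set to true.
+type: object
+name:
+description: Name of the Secret
+type: string
+type:
+description: Type of Kubernetes Secret. Requires Create to be
+set to true. Defaults to Opaque.
+type: string
+required:
+- name
+type: object
+hcpAuthRef:
+description: 'HCPAuthRef to the HCPAuth resource, can be prefixed
+with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace
+prefix is provided it will default to the namespace of the HCPAuth
+CR. If no value is specified for HCPAuthRef the Operator will default
+to the `default` HCPAuth, configured in its own Kubernetes namespace.
+HCPAuthRef string `json:"hcpAuthRef,omitempty"`'
+type: string
+refreshAfter:
+default: 600s
+description: RefreshAfter a period of time, in duration notation e.g.
+30s, 1m, 24h
+pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
+type: string
+rolloutRestartTargets:
+description: RolloutRestartTargets should be configured whenever the
+application(s) consuming the HCP Vault Secrets App does not support
+dynamically reloading a rotated secret. In that case one, or more
+RolloutRestartTarget(s) can be configured here. The Operator will
+trigger a "rollout-restart" for each target whenever the Vault secret
+changes between reconciliation events. See RolloutRestartTarget
+for more details.
+items:
+description: "RolloutRestartTarget provides the configuration required
+to perform a rollout-restart of the supported resources upon Vault
+Secret rotation. The rollout-restart is triggered by patching
+the target resource's 'spec.template.metadata.annotations' to
+include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp
+value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt:
+\"2023-03-23T13:39:31Z\" \n Supported resources: Deployment, DaemonSet,
+StatefulSet"
+properties:
+kind:
+enum:
+- Deployment
+- DaemonSet
+- StatefulSet
+type: string
+name:
+type: string
+required:
+- kind
+- name
+type: object
+type: array
+required:
+- appName
+- destination
+type: object
+status:
+description: HCPVaultSecretsAppStatus defines the observed state of HCPVaultSecretsApp
+properties:
+secretMAC:
+description: "SecretMAC used when deciding whether new Vault secret
+data should be synced. \n The controller will compare the \"new\"
+HCP Vault Secrets App data to this value using HMAC, if they are
+different, then the data will be synced to the Destination. \n The
+SecretMac is also used to detect drift in the Destination Secret's
+Data. If drift is detected the data will be synced to the Destination."
+type: string
+type: object
+type: object
+served: true
+storage: true
+subresources:
+status: {}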
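--- /dev/null
+++ b/PATH_NOT_ON_PAGE_10
@@ -0,0 +1,243 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.13.0
+name: vaultauths.secrets.hashicorp.com
+spec:
+group: secrets.hashicorp.com
+names:
+kind: VaultAuth
+listKind: VaultAuthList
+plural: vaultauths
+singular: vaultauth
+scope: Namespaced
+versions:
+- name: v1beta1
+schema:
+openAPIV3Schema:
+description: VaultAuth is the Schema for the vaultauths API
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation
+of an object. Servers should convert recognized schemas to the latest
+internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this
+object represents. Servers may infer this from the endpoint the client
+submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: VaultAuthSpec defines the desired state of VaultAuth
+properties:
+allowedNamespaces:
+description: 'AllowedNamespaces Kubernetes Namespaces which are allow-listed
+for use with this AuthMethod. This field allows administrators to
+customize which Kubernetes namespaces are authorized to use with
+this AuthMethod. While Vault will still enforce its own rules, this
+has the added configurability of restricting which VaultAuthMethods
+can be used by which namespaces. Accepted values: []{"*"} - wildcard,
+all namespaces. []{"a", "b"} - list of namespaces. unset - disallow
+all namespaces except the Operator''s the VaultAuthMethod''s namespace,
+this is the default behavior.'
+items:
+type: string
+type: array
+appRole:
+description: AppRole specific auth configuration, requires that the
+Method be set to `appRole`.
+properties:
+roleId:
+description: RoleID of the AppRole Role to use for authenticating
+to Vault.
+type: string
+secretRef:
+description: SecretRef is the name of a Kubernetes secret in the
+consumer's (VDS/VSS/PKI) namespace which provides the AppRole
+Role's SecretID. The secret must have a key named `id` which
+holds the AppRole Role's secretID.
+type: string
+required:
+- roleId
+- secretRef
+type: object
+aws:
+description: AWS specific auth configuration, requires that Method
+be set to `aws`.
+properties:
+headerValue:
+description: The Vault header value to include in the STS signing
+request
+type: string
+iamEndpoint:
+description: The IAM endpoint to use; if not set will use the
+default
+type: string
+irsaServiceAccount:
+description: 'IRSAServiceAccount name to use with IAM Roles for
+Service Accounts (IRSA), and should be annotated with "eks.amazonaws.com/role-arn".
+This ServiceAccount will be checked for other EKS annotations:
+eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration'
+type: string
+region:
+description: AWS Region to use for signing the authentication
+request
+type: string
+role:
+description: Vault role to use for authenticating
+type: string
+secretRef:
+description: SecretRef is the name of a Kubernetes Secret which
+holds credentials for AWS. Expected keys include `access_key_id`,
+`secret_access_key`, `session_token`
+type: string
+sessionName:
+description: The role session name to use when creating a webidentity
+provider
+type: string
+stsEndpoint:
+description: The STS endpoint to use; if not set will use the
+default
+type: string
+required:
+- role
+type: object
+headers:
+additionalProperties:
+type: string
+description: Headers to be included in all Vault requests.
+type: object
+jwt:
+description: JWT specific auth configuration, requires that the Method
+be set to `jwt`.
+properties:
+audiences:
+description: TokenAudiences to include in the ServiceAccount token.
+items:
+type: string
+type: array
+role:
+description: Role to use for authenticating to Vault.
+type: string
+secretRef:
+description: SecretRef is the name of a Kubernetes secret in the
+consumer's (VDS/VSS/PKI) namespace which provides the JWT token
+to authenticate to Vault's JWT authentication backend. The secret
+must have a key named `jwt` which holds the JWT token.
+type: string
+serviceAccount:
+description: ServiceAccount to use when creating a ServiceAccount
+token to authenticate to Vault's JWT authentication backend.
+type: string
+tokenExpirationSeconds:
+default: 600
+description: TokenExpirationSeconds to set the ServiceAccount
+token.
+format: int64
+minimum: 600
+type: integer
+required:
+- role
+type: object
+kubernetes:
+description: Kubernetes specific auth configuration, requires that
+the Method be set to `kubernetes`.
+properties:
+audiences:
+description: TokenAudiences to include in the ServiceAccount token.
+items:
+type: string
+type: array
+role:
+description: Role to use for authenticating to Vault.
+type: string
+serviceAccount:
+description: ServiceAccount to use when authenticating to Vault's
+kubernetes authentication backend.
+type: string
+tokenExpirationSeconds:
+default: 600
+description: TokenExpirationSeconds to set the ServiceAccount
+token.
+format: int64
+minimum: 600
+type: integer
+required:
+- role
+- serviceAccount
+type: object
+method:
+description: Method to use when authenticating to Vault.
+enum:
+- kubernetes
+- jwt
+- appRole
+- aws
+type: string
+mount:
+description: Mount to use when authenticating to auth method.
+type: string
+namespace:
+description: Namespace to auth to in Vault
+type: string
+params:
+additionalProperties:
+type: string
+description: Params to use when authenticating to Vault
+type: object
+storageEncryption:
+description: 'StorageEncryption provides the necessary configuration
+to encrypt the client storage cache. This should only be configured
+when client cache persistence with encryption is enabled. This is
+done by passing setting the manager''s commandline argument --client-cache-persistence-model=direct-encrypted.
+Typically, there should only ever be one VaultAuth configured with
+StorageEncryption in the Cluster, and it should have the label:
+cacheStorageEncryption=true'
+properties:
+keyName:
+description: KeyName to use for encrypt/decrypt operations via
+Vault Transit.
+type: string
+mount:
+description: Mount path of the Transit engine in Vault.
+type: string
+required:
+- keyName
+- mount
+type: object
+vaultConnectionRef:
+description: "VaultConnectionRef to the VaultConnection resource,
+can be prefixed with a namespace, eg: `namespaceA/vaultConnectionRefB`.
+If no namespace prefix is provided it will default to namespace
+of the VaultConnection CR. If no value is specified for VaultConnectionRef
+the Operator will default to\t`default` VaultConnection, configured
+in its own Kubernetes namespace."
+type: string
+required:
+- method
+- mount
+type: object
+status:
+description: VaultAuthStatus defines the observed state of VaultAuth
+properties:
+error:
+type: string
+valid:
+description: Valid auth mechanism.
+type: boolean
+required:
+- error
+- valid
+type: object
+type: object
+served: true
+storage: true
+subresources:
+status: {}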
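--- /dev/null
+++ b/PATH_NOT_ON_PAGE_11
@@ -0,0 +1,74 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.13.0
+name: vaultconnections.secrets.hashicorp.com
+spec:
+group: secrets.hashicorp.com
+names:
+kind: VaultConnection
+listKind: VaultConnectionList
+plural: vaultconnections
+singular: vaultconnection
+scope: Namespaced
+versions:
+- name: v1beta1
+schema:
+openAPIV3Schema:
+description: VaultConnection is the Schema for the vaultconnections API
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation
+of an object. Servers should convert recognized schemas to the latest
+internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this
+object represents. Servers may infer this from the endpoint the client
+submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: VaultConnectionSpec defines the desired state of VaultConnection
+properties:
+address:
+description: Address of the Vault server
+type: string
+caCertSecretRef:
+description: CACertSecretRef is the name of a Kubernetes secret containing
+the trusted PEM encoded CA certificate chain as `ca.crt`.
+type: string
+headers:
+additionalProperties:
+type: string
+description: Headers to be included in all Vault requests.
+type: object
+skipTLSVerify:
+description: SkipTLSVerify for TLS connections.
+type: boolean
+tlsServerName:
+description: TLSServerName to use as the SNI host for TLS connections.
+type: string
+required:
+- address
+type: object
+status:
+description: VaultConnectionStatus defines the observed state of VaultConnection
+properties:
+valid:
+description: Valid auth mechanism.
+type: boolean
+required:
+- valid
+type: object
+type: object
+served: true
+storage: true
+subresources:
+status: {}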
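--- /dev/null
+++ b/PATH_NOT_ON_PAGE_12
@@ -0,0 +1,253 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.13.0
+name: vaultdynamicsecrets.secrets.hashicorp.com
+spec:
+group: secrets.hashicorp.com
+names:
+kind: VaultDynamicSecret
+listKind: VaultDynamicSecretList
+plural: vaultdynamicsecrets
+singular: vaultdynamicsecret
+scope: Namespaced
+versions:
+- name: v1beta1
+schema:
+openAPIV3Schema:
+description: VaultDynamicSecret is the Schema for the vaultdynamicsecrets
+API
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation
+of an object. Servers should convert recognized schemas to the latest
+internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this
+object represents. Servers may infer this from the endpoint the client
+submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: VaultDynamicSecretSpec defines the desired state of VaultDynamicSecret
+properties:
+allowStaticCreds:
+description: AllowStaticCreds should be set when syncing credentials
+that are periodically rotated by the Vault server, rather than created
+upon request. These secrets are sometimes referred to as "static
+roles", or "static credentials", with a request path that contains
+"static-creds".
+type: boolean
+destination:
+description: Destination provides configuration necessary for syncing
+the Vault secret to Kubernetes.
+properties:
+annotations:
+additionalProperties:
+type: string
+description: Annotations to apply to the Secret. Requires Create
+to be set to true.
+type: object
+create:
+description: Create the destination Secret. If the Secret already
+exists this should be set to false.
+type: boolean
+labels:
+additionalProperties:
+type: string
+description: Labels to apply to the Secret. Requires Create to
+be set to true.
+type: object
+name:
+description: Name of the Secret
+type: string
+type:
+description: Type of Kubernetes Secret. Requires Create to be
+set to true. Defaults to Opaque.
+type: string
+required:
+- name
+type: object
+mount:
+description: Mount path of the secret's engine in Vault.
+type: string
+namespace:
+description: Namespace where the secrets engine is mounted in Vault.
+type: string
+params:
+additionalProperties:
+type: string
+description: Params that can be passed when requesting credentials/secrets.
+When Params is set the configured RequestHTTPMethod will be ignored.
+See RequestHTTPMethod for more details. Please consult https://developer.hashicorp.com/vault/docs/secrets
+if you are uncertain about what 'params' should/can be set to.
+type: object
+path:
+description: Path in Vault to get the credentials for, and is relative
+to Mount. Please consult https://developer.hashicorp.com/vault/docs/secrets
+if you are uncertain about what 'path' should be set to.
+type: string
+renewalPercent:
+default: 67
+description: RenewalPercent is the percent out of 100 of the lease
+duration when the lease is renewed. Defaults to 67 percent plus
+jitter.
+maximum: 90
+minimum: 0
+type: integer
+requestHTTPMethod:
+description: RequestHTTPMethod to use when syncing Secrets from Vault.
+Setting a value here is not typically required. If left unset the
+Operator will make requests using the GET method. In the case where
+Params are specified the Operator will use the PUT method. Please
+consult https://developer.hashicorp.com/vault/docs/secrets if you
+are uncertain about what method to use. Of note, the Vault client
+treats PUT and POST as being equivalent. The underlying Vault client
+implementation will always use the PUT method.
+enum:
+- GET
+- POST
+- PUT
+type: string
+revoke:
+description: Revoke the existing lease on VDS resource deletion.
+type: boolean
+rolloutRestartTargets:
+description: RolloutRestartTargets should be configured whenever the
+application(s) consuming the Vault secret does not support dynamically
+reloading a rotated secret. In that case one, or more RolloutRestartTarget(s)
+can be configured here. The Operator will trigger a "rollout-restart"
+for each target whenever the Vault secret changes between reconciliation
+events. See RolloutRestartTarget for more details.
+items:
+description: "RolloutRestartTarget provides the configuration required
+to perform a rollout-restart of the supported resources upon Vault
+Secret rotation. The rollout-restart is triggered by patching
+the target resource's 'spec.template.metadata.annotations' to
+include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp
+value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt:
+\"2023-03-23T13:39:31Z\" \n Supported resources: Deployment, DaemonSet,
+StatefulSet"
+properties:
+kind:
+enum:
+- Deployment
+- DaemonSet
+- StatefulSet
+type: string
+name:
+type: string
+required:
+- kind
+- name
+type: object
+type: array
+vaultAuthRef:
+description: 'VaultAuthRef to the VaultAuth resource, can be prefixed
+with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace
+prefix is provided it will default to namespace of the VaultAuth
+CR. If no value is specified for VaultAuthRef the Operator will
+default to the `default` VaultAuth, configured in its own Kubernetes
+namespace.'
+type: string
+required:
+- destination
+- mount
+- path
+type: object
+status:
+description: VaultDynamicSecretStatus defines the observed state of VaultDynamicSecret
+properties:
+lastGeneration:
+description: LastGeneration is the Generation of the last reconciled
+resource.
+format: int64
+type: integer
+lastRenewalTime:
+description: LastRenewalTime of the last successful secret lease renewal.
+format: int64
+type: integer
+lastRuntimePodUID:
+description: LastRuntimePodUID used for tracking the transition from
+one Pod to the next. It is used to mitigate the effects of a Vault
+lease renewal storm.
+type: string
+secretLease:
+description: SecretLease for the Vault secret.
+properties:
+duration:
+description: LeaseDuration of the Vault secret.
+type: integer
+id:
+description: ID of the Vault secret.
+type: string
+renewable:
+description: Renewable Vault secret lease
+type: boolean
+requestID:
+description: RequestID of the Vault secret request.
+type: string
+required:
+- duration
+- id
+- renewable
+- requestID
+type: object
+secretMAC:
+description: "SecretMAC used when deciding whether new Vault secret
+data should be synced. \n The controller will compare the \"new\"
+Vault secret data to this value using HMAC, if they are different,
+then the data will be synced to the Destination. \n The SecretMac
+is also used to detect drift in the Destination Secret's Data. If
+drift is detected the data will be synced to the Destination. SecretMAC
+will only be stored when VaultDynamicSecretSpec.AllowStaticCreds
+is true."
+type: string
+staticCredsMetaData:
+description: StaticCredsMetaData contains the static creds response
+meta-data
+properties:
+lastVaultRotation:
+description: LastVaultRotation represents the last time Vault
+rotated the password
+format: int64
+type: integer
+rotationPeriod:
+description: RotationPeriod is number in seconds between each
+rotation, effectively a "time to live". This value is compared
+to the LastVaultRotation to determine if a password needs to
+be rotated
+format: int64
+type: integer
+rotationSchedule:
+description: RotationSchedule is a "cron style" string representing
+the allowed schedule for each rotation. e.g. "1 0 * * *" would
+rotate at one minute past midnight (00:01) every day.
+type: string
+ttl:
+description: TTL is the seconds remaining before the next rotation.
+format: int64
+type: integer
+required:
+- lastVaultRotation
+- rotationPeriod
+- rotationSchedule
+- ttl
+type: object
+required:
+- lastGeneration
+- lastRenewalTime
+- secretLease
+type: object
+type: object
+served: true
+storage: true
+subresources:
+status: {}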
@ -0,0 +1,219 @@
|
|||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: BUSL-1.1
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: vaultpkisecrets.secrets.hashicorp.com
|
||||
spec:
|
||||
group: secrets.hashicorp.com
|
||||
names:
|
||||
kind: VaultPKISecret
|
||||
listKind: VaultPKISecretList
|
||||
plural: vaultpkisecrets
|
||||
singular: vaultpkisecret
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1beta1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: VaultPKISecret is the Schema for the vaultpkisecrets API
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: VaultPKISecretSpec defines the desired state of VaultPKISecret
|
||||
properties:
|
||||
altNames:
|
||||
description: AltNames to include in the request May contain both DNS
|
||||
names and email addresses.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
clear:
|
||||
description: Clear the Kubernetes secret when the resource is deleted.
|
||||
type: boolean
|
||||
commonName:
|
||||
description: CommonName to include in the request.
|
||||
type: string
|
||||
destination:
|
||||
description: Destination provides configuration necessary for syncing
|
||||
the Vault secret to Kubernetes. If the type is set to "kubernetes.io/tls",
|
||||
"tls.key" will be set to the "private_key" response from Vault,
|
||||
and "tls.crt" will be set to "certificate" + "ca_chain" from the
|
||||
Vault response ("issuing_ca" is used when "ca_chain" is empty).
|
||||
The "remove_roots_from_chain=true" option is used with Vault to
|
||||
exclude the root CA from the Vault response.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations to apply to the Secret. Requires Create
|
||||
to be set to true.
|
||||
type: object
|
||||
create:
|
||||
description: Create the destination Secret. If the Secret already
|
||||
exists this should be set to false.
|
||||
type: boolean
|
||||
labels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Labels to apply to the Secret. Requires Create to
|
||||
be set to true.
|
||||
type: object
|
||||
name:
|
||||
description: Name of the Secret
|
||||
type: string
|
||||
type:
|
||||
description: Type of Kubernetes Secret. Requires Create to be
|
||||
set to true. Defaults to Opaque.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
excludeCNFromSans:
|
||||
description: 'ExcludeCNFromSans from DNS or Email Subject Alternate
|
||||
Names. Default: false'
|
||||
type: boolean
|
||||
expiryOffset:
|
||||
description: ExpiryOffset to use for computing when the certificate
|
||||
should be renewed. The rotation time will be difference between
|
||||
the expiration and the offset. Should be in duration notation e.g.
|
||||
30s, 120s, etc. Set to empty string "" to prevent certificate rotation.
|
||||
type: string
|
||||
format:
|
||||
description: 'Format for the certificate. Choices: "pem", "der", "pem_bundle".
|
||||
If "pem_bundle", any private key and issuing cert will be appended
|
||||
to the certificate pem. If "der", the value will be base64 encoded.
|
||||
Default: pem'
|
||||
type: string
|
||||
ipSans:
|
||||
description: IPSans to include in the request.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
issuerRef:
|
||||
description: IssuerRef reference to an existing PKI issuer, either
|
||||
by Vault-generated identifier, the literal string default to refer
|
||||
to the currently configured default issuer, or the name assigned
|
||||
to an issuer. This parameter is part of the request URL.
|
||||
type: string
|
||||
mount:
|
||||
description: Mount for the secret in Vault
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace to get the secret from in Vault
|
||||
type: string
|
||||
notAfter:
|
||||
description: NotAfter field of the certificate with specified date
|
||||
value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
|
||||
type: string
|
||||
otherSans:
|
||||
description: Requested other SANs, in an array with the format oid;type:value
|
||||
for each entry.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
privateKeyFormat:
|
||||
description: 'PrivateKeyFormat, generally the default will be controlled
|
||||
by the Format parameter as either base64-encoded DER or PEM-encoded
|
||||
DER. However, this can be set to "pkcs8" to have the returned private
|
||||
key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Default:
|
||||
der'
|
||||
type: string
|
||||
revoke:
|
||||
description: Revoke the certificate when the resource is deleted.
|
||||
type: boolean
|
||||
role:
|
||||
description: Role in Vault to use when issuing TLS certificates.
|
||||
type: string
|
||||
rolloutRestartTargets:
|
||||
description: RolloutRestartTargets should be configured whenever the
|
||||
application(s) consuming the Vault secret does not support dynamically
|
||||
reloading a rotated secret. In that case one, or more RolloutRestartTarget(s)
|
||||
can be configured here. The Operator will trigger a "rollout-restart"
|
||||
for each target whenever the Vault secret changes between reconciliation
|
||||
events. See RolloutRestartTarget for more details.
|
||||
items:
|
||||
description: "RolloutRestartTarget provides the configuration required
|
||||
to perform a rollout-restart of the supported resources upon Vault
|
||||
Secret rotation. The rollout-restart is triggered by patching
|
||||
the target resource's 'spec.template.metadata.annotations' to
|
||||
include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp
|
||||
value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt:
|
||||
\"2023-03-23T13:39:31Z\" \n Supported resources: Deployment, DaemonSet,
|
||||
StatefulSet"
|
||||
properties:
|
||||
kind:
|
||||
enum:
|
||||
- Deployment
|
||||
- DaemonSet
|
||||
- StatefulSet
|
||||
type: string
|
||||
name:
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
ttl:
|
||||
description: 'TTL for the certificate; sets the expiration date. If
|
||||
not specified the Vault role''s default, backend default, or system
|
||||
default TTL is used, in that order. Cannot be larger than the mount''s
|
||||
max TTL. Note: this only has an effect when generating a CA cert
|
||||
or signing a CA cert, not when generating a CSR for an intermediate
|
||||
CA. Should be in duration notation e.g. 120s, 2h, etc.'
|
||||
type: string
|
||||
uriSans:
|
||||
description: The requested URI SANs.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
vaultAuthRef:
|
||||
description: 'VaultAuthRef to the VaultAuth resource, can be prefixed
|
||||
with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace
|
||||
prefix is provided it will default to namespace of the VaultAuth
|
||||
CR. If no value is specified for VaultAuthRef the Operator will
|
||||
default to the `default` VaultAuth, configured in its own Kubernetes
|
||||
namespace.'
|
||||
type: string
|
||||
required:
|
||||
- destination
|
||||
- mount
|
||||
- role
|
||||
type: object
|
||||
status:
|
||||
description: VaultPKISecretStatus defines the observed state of VaultPKISecret
|
||||
properties:
|
||||
error:
|
||||
type: string
|
||||
expiration:
|
||||
format: int64
|
||||
type: integer
|
||||
serialNumber:
|
||||
type: string
|
||||
valid:
|
||||
type: boolean
|
||||
required:
|
||||
- error
|
||||
- valid
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
|
@ -0,0 +1,167 @@
|
|||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: BUSL-1.1
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: vaultstaticsecrets.secrets.hashicorp.com
|
||||
spec:
|
||||
group: secrets.hashicorp.com
|
||||
names:
|
||||
kind: VaultStaticSecret
|
||||
listKind: VaultStaticSecretList
|
||||
plural: vaultstaticsecrets
|
||||
singular: vaultstaticsecret
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1beta1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: VaultStaticSecret is the Schema for the vaultstaticsecrets API
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: VaultStaticSecretSpec defines the desired state of VaultStaticSecret
|
||||
properties:
|
||||
destination:
|
||||
description: Destination provides configuration necessary for syncing
|
||||
the Vault secret to Kubernetes.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations to apply to the Secret. Requires Create
|
||||
to be set to true.
|
||||
type: object
|
||||
create:
|
||||
description: Create the destination Secret. If the Secret already
|
||||
exists this should be set to false.
|
||||
type: boolean
|
||||
labels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Labels to apply to the Secret. Requires Create to
|
||||
be set to true.
|
||||
type: object
|
||||
name:
|
||||
description: Name of the Secret
|
||||
type: string
|
||||
type:
|
||||
description: Type of Kubernetes Secret. Requires Create to be
|
||||
set to true. Defaults to Opaque.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
hmacSecretData:
|
||||
default: true
|
||||
description: HMACSecretData determines whether the Operator computes
|
||||
the HMAC of the Secret's data. The MAC value will be stored in the
|
||||
resource's Status.SecretMac field, and will be used for drift detection
|
||||
and during incoming Vault secret comparison. Enabling this feature
|
||||
is recommended to ensure that Secret's data stays consistent with
|
||||
Vault.
|
||||
type: boolean
|
||||
mount:
|
||||
description: Mount for the secret in Vault
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace to get the secret from in Vault
|
||||
type: string
|
||||
path:
|
||||
description: 'Path of the secret in Vault, corresponds to the `path`
|
||||
parameter for, kv-v1: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1#read-secret
|
||||
kv-v2: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version'
|
||||
type: string
|
||||
refreshAfter:
|
||||
description: RefreshAfter a period of time, in duration notation e.g.
|
||||
30s, 1m, 24h
|
||||
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
|
||||
type: string
|
||||
rolloutRestartTargets:
|
||||
description: RolloutRestartTargets should be configured whenever the
|
||||
application(s) consuming the Vault secret does not support dynamically
|
||||
reloading a rotated secret. In that case one, or more RolloutRestartTarget(s)
|
||||
can be configured here. The Operator will trigger a "rollout-restart"
|
||||
for each target whenever the Vault secret changes between reconciliation
|
||||
events. All configured targets wil be ignored if HMACSecretData
|
||||
is set to false. See RolloutRestartTarget for more details.
|
||||
items:
|
||||
description: "RolloutRestartTarget provides the configuration required
|
||||
to perform a rollout-restart of the supported resources upon Vault
|
||||
Secret rotation. The rollout-restart is triggered by patching
|
||||
the target resource's 'spec.template.metadata.annotations' to
|
||||
include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp
|
||||
value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt:
|
||||
\"2023-03-23T13:39:31Z\" \n Supported resources: Deployment, DaemonSet,
|
||||
StatefulSet"
|
||||
properties:
|
||||
kind:
|
||||
enum:
|
||||
- Deployment
|
||||
- DaemonSet
|
||||
- StatefulSet
|
||||
type: string
|
||||
name:
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type:
|
||||
description: Type of the Vault static secret
|
||||
enum:
|
||||
- kv-v1
|
||||
- kv-v2
|
||||
type: string
|
||||
vaultAuthRef:
|
||||
description: 'VaultAuthRef to the VaultAuth resource, can be prefixed
|
||||
with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace
|
||||
prefix is provided it will default to namespace of the VaultAuth
|
||||
CR. If no value is specified for VaultAuthRef the Operator will
|
||||
default to the `default` VaultAuth, configured in its own Kubernetes
|
||||
namespace.'
|
||||
type: string
|
||||
version:
|
||||
description: 'Version of the secret to fetch. Only valid for type
|
||||
kv-v2. Corresponds to version query parameter: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#version'
|
||||
minimum: 0
|
||||
type: integer
|
||||
required:
|
||||
- destination
|
||||
- mount
|
||||
- path
|
||||
- type
|
||||
type: object
|
||||
status:
|
||||
description: VaultStaticSecretStatus defines the observed state of VaultStaticSecret
|
||||
properties:
|
||||
secretMAC:
|
||||
description: "SecretMAC used when deciding whether new Vault secret
|
||||
data should be synced. \n The controller will compare the \"new\"
|
||||
Vault secret data to this value using HMAC, if they are different,
|
||||
then the data will be synced to the Destination. \n The SecretMac
|
||||
is also used to detect drift in the Destination Secret's Data. If
|
||||
drift is detected the data will be synced to the Destination."
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|