fix(vault): Add vault support to monitoring cluster

This commit is contained in:
Jim Martens 2024-02-03 21:57:59 +01:00
parent 92831a5130
commit 4fcea19d40
Signed by: 2martens
GPG Key ID: 47393ABD1F96B7C8
14 changed files with 1313 additions and 0 deletions


@ -0,0 +1,6 @@
dependencies:
- name: vault-secrets-operator
repository: https://helm.releases.hashicorp.com
version: 0.3.4
digest: sha256:31a1abfdb72e2bbda888425b359389c93ae44e9f614e28e227181e69a0af08a7
generated: "2023-11-06T08:00:20.832546+01:00"


@ -0,0 +1,9 @@
apiVersion: v2
name: vault-secrets-operator
version: 0.1.0
type: application
description: "Installs the authentication to communicate with HCP secrets"
dependencies:
- name: vault-secrets-operator
version: 0.3.4
repository: https://helm.releases.hashicorp.com
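Review bot: This wrapper chart pulls in the upstream `vault-secrets-operator` chart, which ships its own `crds/` directory, while the same commit adds a separate `vso-crds` chart carrying copies of those CRDs, so two installers compete for one set of cluster-scoped resources and it is unclear which one is meant to own upgrades. If `vso-crds` is the intended owner, install this dependency with `--skip-crds` and say so in a comment above `dependencies:`; otherwise drop the copies, since Helm will not upgrade CRDs from `crds/` and the two sets can silently drift. A chart and its subchart sharing the name `vault-secrets-operator` also makes the subchart's values key in values.yaml easy to confuse with the wrapper's own values; a distinct wrapper name such as `vso` would help readers.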


@ -0,0 +1,4 @@
organizationId: "2015ed6d-3c84-48d5-9aca-99b0034b8b5a"
projectId: "21153839-1630-4f55-9803-0220e3af458d"
allowedNamespaces:
- name: hcloud


@ -0,0 +1,73 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "template.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "template.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "template.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "template.labels" -}}
helm.sh/chart: {{ include "template.chart" . }}
{{ include "template.selectorLabels" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "template.selectorLabels" -}}
app.kubernetes.io/name: {{ include "template.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "template.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "template.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- /*
template.util.merge will merge two YAML templates and output the result.
This takes an array of three values:
- the top context
- the template name of the overrides (destination)
- the template name of the base (source)
*/}}
{{- define "template.util.merge" -}}
{{- $top := first . -}}
{{- $overrides := fromYaml (include (index . 1) $top) | default (dict ) -}}
{{- $tpl := fromYaml (include (index . 2) $top) | default (dict ) -}}
{{- toYaml (merge $overrides $tpl) -}}
{{- end -}}
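Review bot: The `template.serviceAccountName` helper reads `.Values.serviceAccount.create`, but the chart's values.yaml defines no `serviceAccount` key, so the first template that includes it will fail rendering with a nil-pointer error on `.create`; none of the visible templates use it, nor `template.util.merge`. Either remove the unused helpers (this looks like the stock `helm create` helpers file with the prefix renamed to `template.`) or add `serviceAccount: {create: false, name: ""}` to values.yaml so the helper is safe to call later.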


@ -0,0 +1,17 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPAuth
metadata:
name: hcp-auth
namespace: {{ .Release.Namespace }}
labels:
{{- include "template.labels" . | nindent 4 }}
spec:
organizationID: {{ .Values.organizationId }}
projectID: {{ .Values.projectId }}
allowedNamespaces:
- {{ .Release.Namespace }}
{{- range .Values.allowedNamespaces }}
- {{ .name }}
{{- end }}
servicePrincipal:
secretRef: vault-service-principal
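Review bot: The templated scalars under `spec` are unquoted: with the empty defaults from values.yaml, `organizationID: {{ .Values.organizationId }}` renders as a bare key and is parsed as null, and an `allowedNamespaces` entry of `*` (the wildcard the CRD accepts) would render as a YAML alias sigil and break parsing. Quote them — `organizationID: {{ .Values.organizationId | quote }}`, `projectID: {{ .Values.projectId | quote }}`, `- {{ .name | quote }}` — or wrap the two IDs in `required` so a missing value fails at render time with a clear message rather than at CRD validation. The `vault-service-principal` Secret is neither created nor documented by the chart; a header comment should state that it must pre-exist (presumably in the HCPAuth's namespace) with `clientID`/`clientSecret` keys and, following the CRD's own guidance, hold a project-level rather than organization-level service principal. Because this HCPAuth is named `hcp-auth` rather than `default`, consumers in the allowed namespaces will also need an explicit `hcpAuthRef`, which is worth stating in the same comment.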


@ -0,0 +1,3 @@
organizationId: ""
projectId: ""
allowedNamespaces: []
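Review bot: The three keys carry no comments even though two of them are required by the HCPAuth CRD, so an install with these defaults only fails at API-server validation time with no hint of what to set. Document them in place: `# HCP organization ID (UUID) — required`, `# HCP project ID (UUID) — required`, and `# Additional namespaces allowed to use this HCPAuth, as {name: <ns>}; the release namespace is always included`.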


@ -0,0 +1,5 @@
apiVersion: v2
name: vso-crds
description: CRDs for the vault-secrets-operator
type: application
version: 0.1.0
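Review bot: The CRDs in this chart are copied from the upstream operator pinned at 0.3.4 in the other Chart.yaml, but nothing here records that, so a future operator bump can silently leave these schemas behind. Add `appVersion: "0.3.4"` (quoted so it stays a string) and a comment naming the upstream source of the CRD files, so the two versions are bumped together.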


@ -0,0 +1,100 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
name: hcpauths.secrets.hashicorp.com
spec:
group: secrets.hashicorp.com
names:
kind: HCPAuth
listKind: HCPAuthList
plural: hcpauths
singular: hcpauth
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: HCPAuth is the Schema for the hcpauths API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: HCPAuthSpec defines the desired state of HCPAuth
properties:
allowedNamespaces:
description: 'AllowedNamespaces Kubernetes Namespaces which are allow-listed
for use with this AuthMethod. This field allows administrators to
customize which Kubernetes namespaces are authorized to use with
this AuthMethod. While Vault will still enforce its own rules, this
has the added configurability of restricting which HCPAuthMethods
can be used by which namespaces. Accepted values: []{"*"} - wildcard,
all namespaces. []{"a", "b"} - list of namespaces. unset - disallow
all namespaces except the Operator''s the HCPAuthMethod''s namespace,
this is the default behavior.'
items:
type: string
type: array
method:
default: servicePrincipal
description: Method to use when authenticating to Vault.
enum:
- servicePrincipal
type: string
organizationID:
description: OrganizationID of the HCP organization.
type: string
projectID:
description: ProjectID of the HCP project.
type: string
servicePrincipal:
description: ServicePrincipal provides the necessary configuration
for authenticating to HCP using a service principal. For security
reasons, only project-level service principals should ever be used.
properties:
secretRef:
description: 'SecretRef is the name of a Kubernetes secret in
the consumer''s (VDS/VSS/PKI/HCP) namespace which provides the
HCP ServicePrincipal clientID, and clientSecret. The secret
data must have the following structure { "clientID": "clientID",
"clientSecret": "clientSecret", }'
type: string
required:
- secretRef
type: object
required:
- organizationID
- projectID
type: object
status:
description: HCPAuthStatus defines the observed state of HCPAuth
properties:
error:
type: string
valid:
description: Valid auth mechanism.
type: boolean
required:
- error
- valid
type: object
type: object
served: true
storage: true
subresources:
status: {}


@ -0,0 +1,140 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
name: hcpvaultsecretsapps.secrets.hashicorp.com
spec:
group: secrets.hashicorp.com
names:
kind: HCPVaultSecretsApp
listKind: HCPVaultSecretsAppList
plural: hcpvaultsecretsapps
singular: hcpvaultsecretsapp
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: HCPVaultSecretsApp is the Schema for the hcpvaultsecretsapps
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: HCPVaultSecretsAppSpec defines the desired state of HCPVaultSecretsApp
properties:
appName:
description: AppName of the Vault Secrets Application that is to be
synced.
type: string
destination:
description: Destination provides configuration necessary for syncing
the HCP Vault Application secrets to Kubernetes.
properties:
annotations:
additionalProperties:
type: string
description: Annotations to apply to the Secret. Requires Create
to be set to true.
type: object
create:
description: Create the destination Secret. If the Secret already
exists this should be set to false.
type: boolean
labels:
additionalProperties:
type: string
description: Labels to apply to the Secret. Requires Create to
be set to true.
type: object
name:
description: Name of the Secret
type: string
type:
description: Type of Kubernetes Secret. Requires Create to be
set to true. Defaults to Opaque.
type: string
required:
- name
type: object
hcpAuthRef:
description: 'HCPAuthRef to the HCPAuth resource, can be prefixed
with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace
prefix is provided it will default to the namespace of the HCPAuth
CR. If no value is specified for HCPAuthRef the Operator will default
to the `default` HCPAuth, configured in its own Kubernetes namespace.
HCPAuthRef string `json:"hcpAuthRef,omitempty"`'
type: string
refreshAfter:
default: 600s
description: RefreshAfter a period of time, in duration notation e.g.
30s, 1m, 24h
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
type: string
rolloutRestartTargets:
description: RolloutRestartTargets should be configured whenever the
application(s) consuming the HCP Vault Secrets App does not support
dynamically reloading a rotated secret. In that case one, or more
RolloutRestartTarget(s) can be configured here. The Operator will
trigger a "rollout-restart" for each target whenever the Vault secret
changes between reconciliation events. See RolloutRestartTarget
for more details.
items:
description: "RolloutRestartTarget provides the configuration required
to perform a rollout-restart of the supported resources upon Vault
Secret rotation. The rollout-restart is triggered by patching
the target resource's 'spec.template.metadata.annotations' to
include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp
value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt:
\"2023-03-23T13:39:31Z\" \n Supported resources: Deployment, DaemonSet,
StatefulSet"
properties:
kind:
enum:
- Deployment
- DaemonSet
- StatefulSet
type: string
name:
type: string
required:
- kind
- name
type: object
type: array
required:
- appName
- destination
type: object
status:
description: HCPVaultSecretsAppStatus defines the observed state of HCPVaultSecretsApp
properties:
secretMAC:
description: "SecretMAC used when deciding whether new Vault secret
data should be synced. \n The controller will compare the \"new\"
HCP Vault Secrets App data to this value using HMAC, if they are
different, then the data will be synced to the Destination. \n The
SecretMac is also used to detect drift in the Destination Secret's
Data. If drift is detected the data will be synced to the Destination."
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}


@ -0,0 +1,243 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
name: vaultauths.secrets.hashicorp.com
spec:
group: secrets.hashicorp.com
names:
kind: VaultAuth
listKind: VaultAuthList
plural: vaultauths
singular: vaultauth
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: VaultAuth is the Schema for the vaultauths API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: VaultAuthSpec defines the desired state of VaultAuth
properties:
allowedNamespaces:
description: 'AllowedNamespaces Kubernetes Namespaces which are allow-listed
for use with this AuthMethod. This field allows administrators to
customize which Kubernetes namespaces are authorized to use with
this AuthMethod. While Vault will still enforce its own rules, this
has the added configurability of restricting which VaultAuthMethods
can be used by which namespaces. Accepted values: []{"*"} - wildcard,
all namespaces. []{"a", "b"} - list of namespaces. unset - disallow
all namespaces except the Operator''s the VaultAuthMethod''s namespace,
this is the default behavior.'
items:
type: string
type: array
appRole:
description: AppRole specific auth configuration, requires that the
Method be set to `appRole`.
properties:
roleId:
description: RoleID of the AppRole Role to use for authenticating
to Vault.
type: string
secretRef:
description: SecretRef is the name of a Kubernetes secret in the
consumer's (VDS/VSS/PKI) namespace which provides the AppRole
Role's SecretID. The secret must have a key named `id` which
holds the AppRole Role's secretID.
type: string
required:
- roleId
- secretRef
type: object
aws:
description: AWS specific auth configuration, requires that Method
be set to `aws`.
properties:
headerValue:
description: The Vault header value to include in the STS signing
request
type: string
iamEndpoint:
description: The IAM endpoint to use; if not set will use the
default
type: string
irsaServiceAccount:
description: 'IRSAServiceAccount name to use with IAM Roles for
Service Accounts (IRSA), and should be annotated with "eks.amazonaws.com/role-arn".
This ServiceAccount will be checked for other EKS annotations:
eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration'
type: string
region:
description: AWS Region to use for signing the authentication
request
type: string
role:
description: Vault role to use for authenticating
type: string
secretRef:
description: SecretRef is the name of a Kubernetes Secret which
holds credentials for AWS. Expected keys include `access_key_id`,
`secret_access_key`, `session_token`
type: string
sessionName:
description: The role session name to use when creating a webidentity
provider
type: string
stsEndpoint:
description: The STS endpoint to use; if not set will use the
default
type: string
required:
- role
type: object
headers:
additionalProperties:
type: string
description: Headers to be included in all Vault requests.
type: object
jwt:
description: JWT specific auth configuration, requires that the Method
be set to `jwt`.
properties:
audiences:
description: TokenAudiences to include in the ServiceAccount token.
items:
type: string
type: array
role:
description: Role to use for authenticating to Vault.
type: string
secretRef:
description: SecretRef is the name of a Kubernetes secret in the
consumer's (VDS/VSS/PKI) namespace which provides the JWT token
to authenticate to Vault's JWT authentication backend. The secret
must have a key named `jwt` which holds the JWT token.
type: string
serviceAccount:
description: ServiceAccount to use when creating a ServiceAccount
token to authenticate to Vault's JWT authentication backend.
type: string
tokenExpirationSeconds:
default: 600
description: TokenExpirationSeconds to set the ServiceAccount
token.
format: int64
minimum: 600
type: integer
required:
- role
type: object
kubernetes:
description: Kubernetes specific auth configuration, requires that
the Method be set to `kubernetes`.
properties:
audiences:
description: TokenAudiences to include in the ServiceAccount token.
items:
type: string
type: array
role:
description: Role to use for authenticating to Vault.
type: string
serviceAccount:
description: ServiceAccount to use when authenticating to Vault's
kubernetes authentication backend.
type: string
tokenExpirationSeconds:
default: 600
description: TokenExpirationSeconds to set the ServiceAccount
token.
format: int64
minimum: 600
type: integer
required:
- role
- serviceAccount
type: object
method:
description: Method to use when authenticating to Vault.
enum:
- kubernetes
- jwt
- appRole
- aws
type: string
mount:
description: Mount to use when authenticating to auth method.
type: string
namespace:
description: Namespace to auth to in Vault
type: string
params:
additionalProperties:
type: string
description: Params to use when authenticating to Vault
type: object
storageEncryption:
description: 'StorageEncryption provides the necessary configuration
to encrypt the client storage cache. This should only be configured
when client cache persistence with encryption is enabled. This is
done by passing setting the manager''s commandline argument --client-cache-persistence-model=direct-encrypted.
Typically, there should only ever be one VaultAuth configured with
StorageEncryption in the Cluster, and it should have the label:
cacheStorageEncryption=true'
properties:
keyName:
description: KeyName to use for encrypt/decrypt operations via
Vault Transit.
type: string
mount:
description: Mount path of the Transit engine in Vault.
type: string
required:
- keyName
- mount
type: object
vaultConnectionRef:
description: "VaultConnectionRef to the VaultConnection resource,
can be prefixed with a namespace, eg: `namespaceA/vaultConnectionRefB`.
If no namespace prefix is provided it will default to namespace
of the VaultConnection CR. If no value is specified for VaultConnectionRef
the Operator will default to\t`default` VaultConnection, configured
in its own Kubernetes namespace."
type: string
required:
- method
- mount
type: object
status:
description: VaultAuthStatus defines the observed state of VaultAuth
properties:
error:
type: string
valid:
description: Valid auth mechanism.
type: boolean
required:
- error
- valid
type: object
type: object
served: true
storage: true
subresources:
status: {}


@ -0,0 +1,74 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
name: vaultconnections.secrets.hashicorp.com
spec:
group: secrets.hashicorp.com
names:
kind: VaultConnection
listKind: VaultConnectionList
plural: vaultconnections
singular: vaultconnection
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: VaultConnection is the Schema for the vaultconnections API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: VaultConnectionSpec defines the desired state of VaultConnection
properties:
address:
description: Address of the Vault server
type: string
caCertSecretRef:
description: CACertSecretRef is the name of a Kubernetes secret containing
the trusted PEM encoded CA certificate chain as `ca.crt`.
type: string
headers:
additionalProperties:
type: string
description: Headers to be included in all Vault requests.
type: object
skipTLSVerify:
description: SkipTLSVerify for TLS connections.
type: boolean
tlsServerName:
description: TLSServerName to use as the SNI host for TLS connections.
type: string
required:
- address
type: object
status:
description: VaultConnectionStatus defines the observed state of VaultConnection
properties:
valid:
description: Valid auth mechanism.
type: boolean
required:
- valid
type: object
type: object
served: true
storage: true
subresources:
status: {}


@ -0,0 +1,253 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
name: vaultdynamicsecrets.secrets.hashicorp.com
spec:
group: secrets.hashicorp.com
names:
kind: VaultDynamicSecret
listKind: VaultDynamicSecretList
plural: vaultdynamicsecrets
singular: vaultdynamicsecret
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: VaultDynamicSecret is the Schema for the vaultdynamicsecrets
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: VaultDynamicSecretSpec defines the desired state of VaultDynamicSecret
properties:
allowStaticCreds:
description: AllowStaticCreds should be set when syncing credentials
that are periodically rotated by the Vault server, rather than created
upon request. These secrets are sometimes referred to as "static
roles", or "static credentials", with a request path that contains
"static-creds".
type: boolean
destination:
description: Destination provides configuration necessary for syncing
the Vault secret to Kubernetes.
properties:
annotations:
additionalProperties:
type: string
description: Annotations to apply to the Secret. Requires Create
to be set to true.
type: object
create:
description: Create the destination Secret. If the Secret already
exists this should be set to false.
type: boolean
labels:
additionalProperties:
type: string
description: Labels to apply to the Secret. Requires Create to
be set to true.
type: object
name:
description: Name of the Secret
type: string
type:
description: Type of Kubernetes Secret. Requires Create to be
set to true. Defaults to Opaque.
type: string
required:
- name
type: object
mount:
description: Mount path of the secret's engine in Vault.
type: string
namespace:
description: Namespace where the secrets engine is mounted in Vault.
type: string
params:
additionalProperties:
type: string
description: Params that can be passed when requesting credentials/secrets.
When Params is set the configured RequestHTTPMethod will be ignored.
See RequestHTTPMethod for more details. Please consult https://developer.hashicorp.com/vault/docs/secrets
if you are uncertain about what 'params' should/can be set to.
type: object
path:
description: Path in Vault to get the credentials for, and is relative
to Mount. Please consult https://developer.hashicorp.com/vault/docs/secrets
if you are uncertain about what 'path' should be set to.
type: string
renewalPercent:
default: 67
description: RenewalPercent is the percent out of 100 of the lease
duration when the lease is renewed. Defaults to 67 percent plus
jitter.
maximum: 90
minimum: 0
type: integer
requestHTTPMethod:
description: RequestHTTPMethod to use when syncing Secrets from Vault.
Setting a value here is not typically required. If left unset the
Operator will make requests using the GET method. In the case where
Params are specified the Operator will use the PUT method. Please
consult https://developer.hashicorp.com/vault/docs/secrets if you
are uncertain about what method to use. Of note, the Vault client
treats PUT and POST as being equivalent. The underlying Vault client
implementation will always use the PUT method.
enum:
- GET
- POST
- PUT
type: string
revoke:
description: Revoke the existing lease on VDS resource deletion.
type: boolean
rolloutRestartTargets:
description: RolloutRestartTargets should be configured whenever the
application(s) consuming the Vault secret does not support dynamically
reloading a rotated secret. In that case one, or more RolloutRestartTarget(s)
can be configured here. The Operator will trigger a "rollout-restart"
for each target whenever the Vault secret changes between reconciliation
events. See RolloutRestartTarget for more details.
items:
description: "RolloutRestartTarget provides the configuration required
to perform a rollout-restart of the supported resources upon Vault
Secret rotation. The rollout-restart is triggered by patching
the target resource's 'spec.template.metadata.annotations' to
include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp
value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt:
\"2023-03-23T13:39:31Z\" \n Supported resources: Deployment, DaemonSet,
StatefulSet"
properties:
kind:
enum:
- Deployment
- DaemonSet
- StatefulSet
type: string
name:
type: string
required:
- kind
- name
type: object
type: array
vaultAuthRef:
description: 'VaultAuthRef to the VaultAuth resource, can be prefixed
with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace
prefix is provided it will default to namespace of the VaultAuth
CR. If no value is specified for VaultAuthRef the Operator will
default to the `default` VaultAuth, configured in its own Kubernetes
namespace.'
type: string
required:
- destination
- mount
- path
type: object
status:
description: VaultDynamicSecretStatus defines the observed state of VaultDynamicSecret
properties:
lastGeneration:
description: LastGeneration is the Generation of the last reconciled
resource.
format: int64
type: integer
lastRenewalTime:
description: LastRenewalTime of the last successful secret lease renewal.
format: int64
type: integer
lastRuntimePodUID:
description: LastRuntimePodUID used for tracking the transition from
one Pod to the next. It is used to mitigate the effects of a Vault
lease renewal storm.
type: string
secretLease:
description: SecretLease for the Vault secret.
properties:
duration:
description: LeaseDuration of the Vault secret.
type: integer
id:
description: ID of the Vault secret.
type: string
renewable:
description: Renewable Vault secret lease
type: boolean
requestID:
description: RequestID of the Vault secret request.
type: string
required:
- duration
- id
- renewable
- requestID
type: object
secretMAC:
description: "SecretMAC used when deciding whether new Vault secret
data should be synced. \n The controller will compare the \"new\"
Vault secret data to this value using HMAC, if they are different,
then the data will be synced to the Destination. \n The SecretMac
is also used to detect drift in the Destination Secret's Data. If
drift is detected the data will be synced to the Destination. SecretMAC
will only be stored when VaultDynamicSecretSpec.AllowStaticCreds
is true."
type: string
staticCredsMetaData:
description: StaticCredsMetaData contains the static creds response
meta-data
properties:
lastVaultRotation:
description: LastVaultRotation represents the last time Vault
rotated the password
format: int64
type: integer
rotationPeriod:
description: RotationPeriod is number in seconds between each
rotation, effectively a "time to live". This value is compared
to the LastVaultRotation to determine if a password needs to
be rotated
format: int64
type: integer
rotationSchedule:
description: RotationSchedule is a "cron style" string representing
the allowed schedule for each rotation. e.g. "1 0 * * *" would
rotate at one minute past midnight (00:01) every day.
type: string
ttl:
description: TTL is the seconds remaining before the next rotation.
format: int64
type: integer
required:
- lastVaultRotation
- rotationPeriod
- rotationSchedule
- ttl
type: object
required:
- lastGeneration
- lastRenewalTime
- secretLease
type: object
type: object
served: true
storage: true
subresources:
status: {}


@ -0,0 +1,219 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
name: vaultpkisecrets.secrets.hashicorp.com
spec:
group: secrets.hashicorp.com
names:
kind: VaultPKISecret
listKind: VaultPKISecretList
plural: vaultpkisecrets
singular: vaultpkisecret
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: VaultPKISecret is the Schema for the vaultpkisecrets API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: VaultPKISecretSpec defines the desired state of VaultPKISecret
properties:
altNames:
description: AltNames to include in the request May contain both DNS
names and email addresses.
items:
type: string
type: array
clear:
description: Clear the Kubernetes secret when the resource is deleted.
type: boolean
commonName:
description: CommonName to include in the request.
type: string
destination:
description: Destination provides configuration necessary for syncing
the Vault secret to Kubernetes. If the type is set to "kubernetes.io/tls",
"tls.key" will be set to the "private_key" response from Vault,
and "tls.crt" will be set to "certificate" + "ca_chain" from the
Vault response ("issuing_ca" is used when "ca_chain" is empty).
The "remove_roots_from_chain=true" option is used with Vault to
exclude the root CA from the Vault response.
properties:
annotations:
additionalProperties:
type: string
description: Annotations to apply to the Secret. Requires Create
to be set to true.
type: object
create:
description: Create the destination Secret. If the Secret already
exists this should be set to false.
type: boolean
labels:
additionalProperties:
type: string
description: Labels to apply to the Secret. Requires Create to
be set to true.
type: object
name:
description: Name of the Secret
type: string
type:
description: Type of Kubernetes Secret. Requires Create to be
set to true. Defaults to Opaque.
type: string
required:
- name
type: object
excludeCNFromSans:
description: 'ExcludeCNFromSans from DNS or Email Subject Alternate
Names. Default: false'
type: boolean
expiryOffset:
description: ExpiryOffset to use for computing when the certificate
should be renewed. The rotation time will be difference between
the expiration and the offset. Should be in duration notation e.g.
30s, 120s, etc. Set to empty string "" to prevent certificate rotation.
type: string
format:
description: 'Format for the certificate. Choices: "pem", "der", "pem_bundle".
If "pem_bundle", any private key and issuing cert will be appended
to the certificate pem. If "der", the value will be base64 encoded.
Default: pem'
type: string
ipSans:
description: IPSans to include in the request.
items:
type: string
type: array
issuerRef:
description: IssuerRef reference to an existing PKI issuer, either
by Vault-generated identifier, the literal string default to refer
to the currently configured default issuer, or the name assigned
to an issuer. This parameter is part of the request URL.
type: string
mount:
description: Mount for the secret in Vault
type: string
namespace:
description: Namespace to get the secret from in Vault
type: string
notAfter:
description: NotAfter field of the certificate with specified date
value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
type: string
otherSans:
description: Requested other SANs, in an array with the format oid;type:value
for each entry.
items:
type: string
type: array
privateKeyFormat:
description: 'PrivateKeyFormat, generally the default will be controlled
by the Format parameter as either base64-encoded DER or PEM-encoded
DER. However, this can be set to "pkcs8" to have the returned private
key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Default:
der'
type: string
revoke:
description: Revoke the certificate when the resource is deleted.
type: boolean
role:
description: Role in Vault to use when issuing TLS certificates.
type: string
rolloutRestartTargets:
description: RolloutRestartTargets should be configured whenever the
application(s) consuming the Vault secret does not support dynamically
reloading a rotated secret. In that case one, or more RolloutRestartTarget(s)
can be configured here. The Operator will trigger a "rollout-restart"
for each target whenever the Vault secret changes between reconciliation
events. See RolloutRestartTarget for more details.
items:
description: "RolloutRestartTarget provides the configuration required
to perform a rollout-restart of the supported resources upon Vault
Secret rotation. The rollout-restart is triggered by patching
the target resource's 'spec.template.metadata.annotations' to
include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp
value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt:
\"2023-03-23T13:39:31Z\" \n Supported resources: Deployment, DaemonSet,
StatefulSet"
properties:
kind:
enum:
- Deployment
- DaemonSet
- StatefulSet
type: string
name:
type: string
required:
- kind
- name
type: object
type: array
ttl:
description: 'TTL for the certificate; sets the expiration date. If
not specified the Vault role''s default, backend default, or system
default TTL is used, in that order. Cannot be larger than the mount''s
max TTL. Note: this only has an effect when generating a CA cert
or signing a CA cert, not when generating a CSR for an intermediate
CA. Should be in duration notation e.g. 120s, 2h, etc.'
type: string
uriSans:
description: The requested URI SANs.
items:
type: string
type: array
vaultAuthRef:
description: 'VaultAuthRef to the VaultAuth resource, can be prefixed
with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace
prefix is provided it will default to namespace of the VaultAuth
CR. If no value is specified for VaultAuthRef the Operator will
default to the `default` VaultAuth, configured in its own Kubernetes
namespace.'
type: string
required:
- destination
- mount
- role
type: object
status:
description: VaultPKISecretStatus defines the observed state of VaultPKISecret
properties:
error:
type: string
expiration:
format: int64
type: integer
serialNumber:
type: string
valid:
type: boolean
required:
- error
- valid
type: object
type: object
served: true
storage: true
subresources:
status: {}


@ -0,0 +1,167 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
name: vaultstaticsecrets.secrets.hashicorp.com
spec:
group: secrets.hashicorp.com
names:
kind: VaultStaticSecret
listKind: VaultStaticSecretList
plural: vaultstaticsecrets
singular: vaultstaticsecret
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: VaultStaticSecret is the Schema for the vaultstaticsecrets API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: VaultStaticSecretSpec defines the desired state of VaultStaticSecret
properties:
destination:
description: Destination provides configuration necessary for syncing
the Vault secret to Kubernetes.
properties:
annotations:
additionalProperties:
type: string
description: Annotations to apply to the Secret. Requires Create
to be set to true.
type: object
create:
description: Create the destination Secret. If the Secret already
exists this should be set to false.
type: boolean
labels:
additionalProperties:
type: string
description: Labels to apply to the Secret. Requires Create to
be set to true.
type: object
name:
description: Name of the Secret
type: string
type:
description: Type of Kubernetes Secret. Requires Create to be
set to true. Defaults to Opaque.
type: string
required:
- name
type: object
hmacSecretData:
default: true
description: HMACSecretData determines whether the Operator computes
the HMAC of the Secret's data. The MAC value will be stored in the
resource's Status.SecretMac field, and will be used for drift detection
and during incoming Vault secret comparison. Enabling this feature
is recommended to ensure that Secret's data stays consistent with
Vault.
type: boolean
mount:
description: Mount for the secret in Vault
type: string
namespace:
description: Namespace to get the secret from in Vault
type: string
path:
description: 'Path of the secret in Vault, corresponds to the `path`
parameter for, kv-v1: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1#read-secret
kv-v2: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version'
type: string
refreshAfter:
description: RefreshAfter a period of time, in duration notation e.g.
30s, 1m, 24h
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
type: string
rolloutRestartTargets:
description: RolloutRestartTargets should be configured whenever the
application(s) consuming the Vault secret does not support dynamically
reloading a rotated secret. In that case one, or more RolloutRestartTarget(s)
can be configured here. The Operator will trigger a "rollout-restart"
for each target whenever the Vault secret changes between reconciliation
events. All configured targets wil be ignored if HMACSecretData
is set to false. See RolloutRestartTarget for more details.
items:
description: "RolloutRestartTarget provides the configuration required
to perform a rollout-restart of the supported resources upon Vault
Secret rotation. The rollout-restart is triggered by patching
the target resource's 'spec.template.metadata.annotations' to
include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp
value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt:
\"2023-03-23T13:39:31Z\" \n Supported resources: Deployment, DaemonSet,
StatefulSet"
properties:
kind:
enum:
- Deployment
- DaemonSet
- StatefulSet
type: string
name:
type: string
required:
- kind
- name
type: object
type: array
type:
description: Type of the Vault static secret
enum:
- kv-v1
- kv-v2
type: string
vaultAuthRef:
description: 'VaultAuthRef to the VaultAuth resource, can be prefixed
with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace
prefix is provided it will default to namespace of the VaultAuth
CR. If no value is specified for VaultAuthRef the Operator will
default to the `default` VaultAuth, configured in its own Kubernetes
namespace.'
type: string
version:
description: 'Version of the secret to fetch. Only valid for type
kv-v2. Corresponds to version query parameter: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#version'
minimum: 0
type: integer
required:
- destination
- mount
- path
- type
type: object
status:
description: VaultStaticSecretStatus defines the observed state of VaultStaticSecret
properties:
secretMAC:
description: "SecretMAC used when deciding whether new Vault secret
data should be synced. \n The controller will compare the \"new\"
Vault secret data to this value using HMAC, if they are different,
then the data will be synced to the Destination. \n The SecretMac
is also used to detect drift in the Destination Secret's Data. If
drift is detected the data will be synced to the Destination."
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}