# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1

# CustomResourceDefinition for HCPVaultSecretsApp (secrets.hashicorp.com/v1beta1).
# The controller-gen.kubebuilder.io/version annotation below indicates this
# manifest is tool-generated; hand edits are likely to be overwritten on the
# next regeneration, so schema or description fixes belong in the source the
# generator reads.
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.13.0
  name: hcpvaultsecretsapps.secrets.hashicorp.com
spec:
  group: secrets.hashicorp.com
  names:
    kind: HCPVaultSecretsApp
    listKind: HCPVaultSecretsAppList
    plural: hcpvaultsecretsapps
    singular: hcpvaultsecretsapp
  # Namespaced: instances live in a namespace, so access can be scoped with
  # namespaced RBAC rules rather than cluster-wide ones.
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        description: HCPVaultSecretsApp is the Schema for the hcpvaultsecretsapps
          API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: HCPVaultSecretsAppSpec defines the desired state of HCPVaultSecretsApp
            properties:
              appName:
                description: AppName of the Vault Secrets Application that is to be
                  synced.
                type: string
              destination:
                description: Destination provides configuration necessary for syncing
                  the HCP Vault Application secrets to Kubernetes.
                properties:
                  annotations:
                    additionalProperties:
                      type: string
                    description: Annotations to apply to the Secret. Requires Create
                      to be set to true.
                    type: object
                  create:
                    description: Create the destination Secret. If the Secret already
                      exists this should be set to false.
                    type: boolean
                  labels:
                    additionalProperties:
                      type: string
                    description: Labels to apply to the Secret. Requires Create to
                      be set to true.
                    type: object
                  name:
                    description: Name of the Secret
                    type: string
                  type:
                    # The "Defaults to Opaque" in the description is not backed by a
                    # schema `default:` here (compare refreshAfter below), so the
                    # API server stores the field unset and any defaulting happens
                    # in the operator — confirm against the controller if relying on it.
                    description: Type of Kubernetes Secret. Requires Create to be
                      set to true. Defaults to Opaque.
                    type: string
                # Only `name` is required; with `create` unset, the Secret named
                # here is expected to exist already (see the `create` description).
                required:
                - name
                type: object
              hcpAuthRef:
                # NOTE(review): the last sentence of this description
                # (`HCPAuthRef string \`json:"hcpAuthRef,omitempty"\``) is a Go field
                # declaration leaked from a source doc comment, not user-facing
                # text; it is served verbatim by `kubectl explain`. Fix it at the
                # generator's input rather than in this generated file.
                description: 'HCPAuthRef to the HCPAuth resource, can be prefixed
                  with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace
                  prefix is provided it will default to the namespace of the HCPAuth
                  CR. If no value is specified for HCPAuthRef the Operator will default
                  to the `default` HCPAuth, configured in its own Kubernetes namespace.
                  HCPAuthRef string `json:"hcpAuthRef,omitempty"`'
                type: string
              refreshAfter:
                # Plain scalar: parses as the string "600s" (the trailing "s" keeps
                # it from being read as an integer).
                default: 600s
                description: RefreshAfter a period of time, in duration notation e.g.
                  30s, 1m, 24h
                # Plain scalar, so the backslash is literal and the regex escapes the
                # dot as intended. The pattern accepts fractional and zero values
                # (e.g. `0s`, `0.1s`) — no minimum interval is enforced at the
                # schema level; any lower bound would have to live in the operator.
                pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
                type: string
              rolloutRestartTargets:
                description: RolloutRestartTargets should be configured whenever the
                  application(s) consuming the HCP Vault Secrets App does not support
                  dynamically reloading a rotated secret. In that case one, or more
                  RolloutRestartTarget(s) can be configured here. The Operator will
                  trigger a "rollout-restart" for each target whenever the Vault secret
                  changes between reconciliation events. See RolloutRestartTarget
                  for more details.
                items:
                  # Double-quoted scalar: `\"` and `\n` below are YAML escapes and are
                  # part of the stored description text.
                  description: "RolloutRestartTarget provides the configuration required
                    to perform a rollout-restart of the supported resources upon Vault
                    Secret rotation. The rollout-restart is triggered by patching
                    the target resource's 'spec.template.metadata.annotations' to
                    include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp
                    value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt:
                    \"2023-03-23T13:39:31Z\" \n Supported resources: Deployment, DaemonSet,
                    StatefulSet"
                  properties:
                    kind:
                      # Closed enum: the API server rejects any other workload kind,
                      # which bounds what the operator can be asked to patch.
                      enum:
                      - Deployment
                      - DaemonSet
                      - StatefulSet
                      type: string
                    name:
                      type: string
                  required:
                  - kind
                  - name
                  type: object
                type: array
            required:
            - appName
            - destination
            type: object
          status:
            description: HCPVaultSecretsAppStatus defines the observed state of HCPVaultSecretsApp
            properties:
              secretMAC:
                # Stored under `status`, which is exposed as a subresource below, so
                # it is written through the /status endpoint and not via ordinary
                # updates to the spec.
                description: "SecretMAC used when deciding whether new Vault secret
                  data should be synced. \n The controller will compare the \"new\"
                  HCP Vault Secrets App data to this value using HMAC, if they are
                  different, then the data will be synced to the Destination. \n The
                  SecretMac is also used to detect drift in the Destination Secret's
                  Data. If drift is detected the data will be synced to the Destination."
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}