254 lines
12 KiB
YAML
254 lines
12 KiB
YAML
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.13.0
|
|
name: vaultdynamicsecrets.secrets.hashicorp.com
|
|
spec:
|
|
group: secrets.hashicorp.com
|
|
names:
|
|
kind: VaultDynamicSecret
|
|
listKind: VaultDynamicSecretList
|
|
plural: vaultdynamicsecrets
|
|
singular: vaultdynamicsecret
|
|
scope: Namespaced
|
|
versions:
|
|
- name: v1beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: VaultDynamicSecret is the Schema for the vaultdynamicsecrets
|
|
API
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: VaultDynamicSecretSpec defines the desired state of VaultDynamicSecret
|
|
properties:
|
|
allowStaticCreds:
|
|
description: AllowStaticCreds should be set when syncing credentials
|
|
that are periodically rotated by the Vault server, rather than created
|
|
upon request. These secrets are sometimes referred to as "static
|
|
roles", or "static credentials", with a request path that contains
|
|
"static-creds".
|
|
type: boolean
|
|
destination:
|
|
description: Destination provides configuration necessary for syncing
|
|
the Vault secret to Kubernetes.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations to apply to the Secret. Requires Create
|
|
to be set to true.
|
|
type: object
|
|
create:
|
|
description: Create the destination Secret. If the Secret already
|
|
exists this should be set to false.
|
|
type: boolean
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
description: Labels to apply to the Secret. Requires Create to
|
|
be set to true.
|
|
type: object
|
|
name:
|
|
description: Name of the Secret
|
|
type: string
|
|
type:
|
|
description: Type of Kubernetes Secret. Requires Create to be
|
|
set to true. Defaults to Opaque.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
mount:
|
|
description: Mount path of the secret's engine in Vault.
|
|
type: string
|
|
namespace:
|
|
description: Namespace where the secrets engine is mounted in Vault.
|
|
type: string
|
|
params:
|
|
additionalProperties:
|
|
type: string
|
|
description: Params that can be passed when requesting credentials/secrets.
|
|
When Params is set the configured RequestHTTPMethod will be ignored.
|
|
See RequestHTTPMethod for more details. Please consult https://developer.hashicorp.com/vault/docs/secrets
|
|
if you are uncertain about what 'params' should/can be set to.
|
|
type: object
|
|
path:
|
|
description: Path in Vault to get the credentials for, and is relative
|
|
to Mount. Please consult https://developer.hashicorp.com/vault/docs/secrets
|
|
if you are uncertain about what 'path' should be set to.
|
|
type: string
|
|
renewalPercent:
|
|
default: 67
|
|
description: RenewalPercent is the percent out of 100 of the lease
|
|
duration when the lease is renewed. Defaults to 67 percent plus
|
|
jitter.
|
|
maximum: 90
|
|
minimum: 0
|
|
type: integer
|
|
requestHTTPMethod:
|
|
description: RequestHTTPMethod to use when syncing Secrets from Vault.
|
|
Setting a value here is not typically required. If left unset the
|
|
Operator will make requests using the GET method. In the case where
|
|
Params are specified the Operator will use the PUT method. Please
|
|
consult https://developer.hashicorp.com/vault/docs/secrets if you
|
|
are uncertain about what method to use. Of note, the Vault client
|
|
treats PUT and POST as being equivalent. The underlying Vault client
|
|
implementation will always use the PUT method.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
- PUT
|
|
type: string
|
|
revoke:
|
|
description: Revoke the existing lease on VDS resource deletion.
|
|
type: boolean
|
|
rolloutRestartTargets:
|
|
description: RolloutRestartTargets should be configured whenever the
|
|
application(s) consuming the Vault secret does not support dynamically
|
|
reloading a rotated secret. In that case one, or more RolloutRestartTarget(s)
|
|
can be configured here. The Operator will trigger a "rollout-restart"
|
|
for each target whenever the Vault secret changes between reconciliation
|
|
events. See RolloutRestartTarget for more details.
|
|
items:
|
|
description: "RolloutRestartTarget provides the configuration required
|
|
to perform a rollout-restart of the supported resources upon Vault
|
|
Secret rotation. The rollout-restart is triggered by patching
|
|
the target resource's 'spec.template.metadata.annotations' to
|
|
include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp
|
|
value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt:
|
|
\"2023-03-23T13:39:31Z\" \n Supported resources: Deployment, DaemonSet,
|
|
StatefulSet"
|
|
properties:
|
|
kind:
|
|
enum:
|
|
- Deployment
|
|
- DaemonSet
|
|
- StatefulSet
|
|
type: string
|
|
name:
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
vaultAuthRef:
|
|
description: 'VaultAuthRef to the VaultAuth resource, can be prefixed
|
|
with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace
|
|
prefix is provided it will default to namespace of the VaultAuth
|
|
CR. If no value is specified for VaultAuthRef the Operator will
|
|
default to the `default` VaultAuth, configured in its own Kubernetes
|
|
namespace.'
|
|
type: string
|
|
required:
|
|
- destination
|
|
- mount
|
|
- path
|
|
type: object
|
|
status:
|
|
description: VaultDynamicSecretStatus defines the observed state of VaultDynamicSecret
|
|
properties:
|
|
lastGeneration:
|
|
description: LastGeneration is the Generation of the last reconciled
|
|
resource.
|
|
format: int64
|
|
type: integer
|
|
lastRenewalTime:
|
|
description: LastRenewalTime of the last successful secret lease renewal.
|
|
format: int64
|
|
type: integer
|
|
lastRuntimePodUID:
|
|
description: LastRuntimePodUID used for tracking the transition from
|
|
one Pod to the next. It is used to mitigate the effects of a Vault
|
|
lease renewal storm.
|
|
type: string
|
|
secretLease:
|
|
description: SecretLease for the Vault secret.
|
|
properties:
|
|
duration:
|
|
description: LeaseDuration of the Vault secret.
|
|
type: integer
|
|
id:
|
|
description: ID of the Vault secret.
|
|
type: string
|
|
renewable:
|
|
description: Renewable Vault secret lease
|
|
type: boolean
|
|
requestID:
|
|
description: RequestID of the Vault secret request.
|
|
type: string
|
|
required:
|
|
- duration
|
|
- id
|
|
- renewable
|
|
- requestID
|
|
type: object
|
|
secretMAC:
|
|
description: "SecretMAC used when deciding whether new Vault secret
|
|
data should be synced. \n The controller will compare the \"new\"
|
|
Vault secret data to this value using HMAC, if they are different,
|
|
then the data will be synced to the Destination. \n The SecretMac
|
|
is also used to detect drift in the Destination Secret's Data. If
|
|
drift is detected the data will be synced to the Destination. SecretMAC
|
|
will only be stored when VaultDynamicSecretSpec.AllowStaticCreds
|
|
is true."
|
|
type: string
|
|
staticCredsMetaData:
|
|
description: StaticCredsMetaData contains the static creds response
|
|
meta-data
|
|
properties:
|
|
lastVaultRotation:
|
|
description: LastVaultRotation represents the last time Vault
|
|
rotated the password
|
|
format: int64
|
|
type: integer
|
|
rotationPeriod:
|
|
description: RotationPeriod is number in seconds between each
|
|
rotation, effectively a "time to live". This value is compared
|
|
to the LastVaultRotation to determine if a password needs to
|
|
be rotated
|
|
format: int64
|
|
type: integer
|
|
rotationSchedule:
|
|
description: RotationSchedule is a "cron style" string representing
|
|
the allowed schedule for each rotation. e.g. "1 0 * * *" would
|
|
rotate at one minute past midnight (00:01) every day.
|
|
type: string
|
|
ttl:
|
|
description: TTL is the seconds remaining before the next rotation.
|
|
format: int64
|
|
type: integer
|
|
required:
|
|
- lastVaultRotation
|
|
- rotationPeriod
|
|
- rotationSchedule
|
|
- ttl
|
|
type: object
|
|
required:
|
|
- lastGeneration
|
|
- lastRenewalTime
|
|
- secretLease
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|