package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
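// SSHRoleParameters holds the role configuration that is submitted to a Vault
// SSH secrets engine. Every field carries three tags: `json` and `yaml` name
// the field in the Kubernetes manifest, and `vault` names the Vault API
// parameter (also spelled out in each field's comment). The `vault` tag has to
// match the Vault parameter name exactly; a misspelled tag is not a type error,
// it is a setting that silently never reaches Vault. The `omitempty` on the
// vault tags presumably suppresses unset fields so Vault's defaults apply —
// confirm against the code that consumes the tag.
type SSHRoleParameters struct {
	// Key key (string: "") – Specifies the name of the registered key in Vault. Before creating the role, use the keys/ endpoint to create a named key. This is required for "Dynamic Key" type.
	Key string `json:"key" yaml:"key" vault:"key,omitempty"`
	// AdminUser admin_user (string: "") – Specifies the admin user at remote host. The shared key being registered should be for this user and should have root or sudo privileges. Every time a dynamic credential is generated for a client, Vault uses this admin username to login to remote host and install the generated credential. This is required for Dynamic Key type.
	AdminUser string `json:"adminUser" yaml:"adminUser" vault:"admin_user,omitempty"`
	// DefaultUser default_user (string: "") – Specifies the default username for which a credential will be generated. When the endpoint creds/ is used without a username, this value will be used as default username. It is recommended to create individual roles for each username to ensure absolute isolation between usernames. This is required for Dynamic Key type and OTP type.
	// For the CA type, if you wish this to be a valid principal, it must also be in allowed_users.
	DefaultUser string `json:"defaultUser" yaml:"defaultUser" vault:"default_user,omitempty"`
	// CIDRList cidr_list (string: "") – Specifies a comma separated list of CIDR blocks for which the role is applicable for. It is possible that the same set of CIDR blocks is part of multiple roles. This is a required parameter, unless the role is registered under the /config/zeroaddress endpoint.
	CIDRList string `json:"cidrList" yaml:"cidrList" vault:"cidr_list,omitempty"`
	// ExcludeCIDRList exclude_cidr_list (string: "") – Specifies a comma-separated list of CIDR blocks. IP addresses belonging to these blocks are not accepted by the role. This is particularly useful when big CIDR blocks are being used by the role and certain parts need to be kept out.
	ExcludeCIDRList string `json:"excludeCIDRList" yaml:"excludeCIDRList" vault:"exclude_cidr_list,omitempty"`
	// Port port (int: 22) – Specifies the port number for SSH connection. Port number does not play any role in OTP generation. For the otp secrets engine type, this is just a way to inform the client about the port number to use. The port number will be returned to the client by Vault along with the OTP.
	Port int `json:"port" yaml:"port" vault:"port,omitempty"`
	// KeyType key_type (string: <required>) – Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
	KeyType string `json:"keyType" yaml:"keyType" vault:"key_type,omitempty"`
	// KeyBits key_bits (int: 1024) – Specifies the length of the RSA dynamic key in bits. This can be either 1024 or 2048.
	KeyBits int `json:"keyBits" yaml:"keyBits" vault:"key_bits,omitempty"`
	// InstallScript install_script (string: "") – Specifies the script used to install and uninstall public keys in the target machine. Defaults to the built-in script.
	// The vault tag is the singular install_script, matching the Vault parameter name given above.
	InstallScript string `json:"installScript" yaml:"installScript" vault:"install_script,omitempty"`
	// AllowedUsers allowed_users (string: "") – If this option is not specified, or if it is *, the client can request a credential for any valid user at the remote host, including the admin user. If only certain usernames are to be allowed, then this list enforces it. If this field is set, then credentials can only be created for default_user and usernames present in this list. Setting this option will enable all the users with access to this role to fetch credentials for all other usernames in this list. Use with caution. N.B.: if the type is ca, an empty list does not allow any user; instead you must use * to enable this behavior.
	AllowedUsers string `json:"allowedUsers" yaml:"allowedUsers" vault:"allowed_users,omitempty"`
	// AllowedUsersTemplate allowed_users_template (bool: false) - If set, allowed_users can be specified using identity template policies. Non-templated users are also permitted.
	AllowedUsersTemplate bool `json:"allowedUsersTemplate" yaml:"allowedUsersTemplate" vault:"allowed_users_template,omitempty"`
	// AllowedDomains allowed_domains (string: "") – The list of domains for which a client can request a host certificate. If this option is explicitly set to "*", then credentials can be created for any domain. See also allow_bare_domains and allow_subdomains.
	AllowedDomains string `json:"allowedDomains" yaml:"allowedDomains" vault:"allowed_domains,omitempty"`
	// KeyOptionSpecs key_option_specs (string: "") – Specifies a comma separated option specification which will be prefixed to RSA keys in the remote host's authorized_keys file. N.B.: Vault does not check this string for validity.
	KeyOptionSpecs string `json:"keyOptionSpecs" yaml:"keyOptionSpecs" vault:"key_option_specs,omitempty"`
	// TTL ttl (string: "") – Specifies the Time To Live value provided as a string duration with time suffix. Hour is the largest suffix. If not set, uses the system default value or the value of max_ttl, whichever is shorter.
	TTL string `json:"ttl" yaml:"ttl" vault:"ttl,omitempty"`
	// MaxTTL max_ttl (string: "") – Specifies the maximum Time To Live provided as a string duration with time suffix. Hour is the largest suffix. If not set, defaults to the system maximum lease TTL.
	MaxTTL string `json:"maxTTL" yaml:"maxTTL" vault:"max_ttl,omitempty"`
	// AllowedCriticalOptions allowed_critical_options (string: "") – Specifies a comma-separated list of critical options that certificates can have when signed. To allow any critical options, set this to an empty string. Will default to allowing any critical options.
	AllowedCriticalOptions string `json:"allowedCriticalOptions" yaml:"allowedCriticalOptions" vault:"allowed_critical_options,omitempty"`
	// AllowedExtensions allowed_extensions (string: "") – Specifies a comma-separated list of extensions that certificates can have when signed. To allow any extensions, set this to an empty string. Will default to allowing any extensions. For the list of extensions, take a look at the sshd manual's AUTHORIZED_KEYS FILE FORMAT section. You should add a permit- before the name of extension to allow it.
	AllowedExtensions string `json:"allowedExtensions" yaml:"allowedExtensions" vault:"allowed_extensions,omitempty"`
	// DefaultCriticalOptions default_critical_options (map<string|string>: "") – Specifies a map of critical options certificates should have if none are provided when signing. This field takes in key value pairs in JSON format. Note that these are not restricted by allowed_critical_options. Defaults to none.
	DefaultCriticalOptions map[string]string `json:"defaultCriticalOptions" yaml:"defaultCriticalOptions" vault:"default_critical_options,omitempty"`
	// DefaultExtensions default_extensions (map<string|string>: "") – Specifies a map of extensions certificates should have if none are provided when signing. This field takes in key value pairs in JSON format. Note that these are not restricted by allowed_extensions. Defaults to none.
	DefaultExtensions map[string]string `json:"defaultExtensions" yaml:"defaultExtensions" vault:"default_extensions,omitempty"`
	// AllowUserCertificates allow_user_certificates (bool: false) – Specifies if certificates are allowed to be signed for use as a 'user'.
	AllowUserCertificates bool `json:"allowUserCertificates" yaml:"allowUserCertificates" vault:"allow_user_certificates,omitempty"`
	// AllowHostCertificates allow_host_certificates (bool: false) – Specifies if certificates are allowed to be signed for use as a 'host'.
	AllowHostCertificates bool `json:"allowHostCertificates" yaml:"allowHostCertificates" vault:"allow_host_certificates,omitempty"`
	// AllowBareDomains allow_bare_domains (bool: false) – Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains, e.g. "example.com". This is a separate option as in some cases this can be considered a security threat.
	AllowBareDomains bool `json:"allowBareDomains" yaml:"allowBareDomains" vault:"allow_bare_domains,omitempty"`
	// AllowSubdomains allow_subdomains (bool: false) – Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains, e.g. if "example.com" is part of allowed_domains, this allows "foo.example.com".
	AllowSubdomains bool `json:"allowSubdomains" yaml:"allowSubdomains" vault:"allow_subdomains,omitempty"`
	// TokenDisplayName allow_user_key_ids (bool: false) – Specifies if users can override the key ID for a signed certificate with the "key_id" field. When false, the key ID will always be the token display name. The key ID is logged by the SSH server and can be useful for auditing.
	// The Go field and its json/yaml names are kept for compatibility with existing manifests; the vault tag carries the real parameter name, allow_user_key_ids, so the setting is actually delivered to Vault.
	TokenDisplayName bool `json:"tokenDisplayName" yaml:"tokenDisplayName" vault:"allow_user_key_ids,omitempty"`
	// KeyIDFormat key_id_format (string: "") – When supplied, this value specifies a custom format for the key id of a signed certificate. The following variables are available for use: '{{token_display_name}}' - The display name of the token used to make the request. '{{role_name}}' - The name of the role signing the request. '{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed. e.g. "custom-keyid-{{token_display_name}}"
	KeyIDFormat string `json:"keyIDFormat" yaml:"keyIDFormat" vault:"key_id_format,omitempty"`
	// AllowedUserKey allowed_user_key_lengths (map<string|int>: "") – Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.
	// The Go field and its json/yaml names are kept for compatibility; the vault tag carries the full parameter name, allowed_user_key_lengths.
	AllowedUserKey map[string]int `json:"allowedUserKey" yaml:"allowedUserKey" vault:"allowed_user_key_lengths,omitempty"`
	// AlgorithmSigner algorithm_signer (string: "ssh-rsa") - Algorithm to sign keys with. Valid values are ssh-rsa, rsa-sha2-256, and rsa-sha2-512. Note that ssh-rsa is now considered insecure and is not supported by current OpenSSH versions. Defaults to ssh-rsa for backwards compatibility, so new roles should set rsa-sha2-256 or rsa-sha2-512 explicitly.
	AlgorithmSigner string `json:"algorithmSigner" yaml:"algorithmSigner" vault:"algorithm_signer,omitempty"`
}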
// SSHRoleSpec defines the desired state of SSHRole: where the role is
// addressed in Vault and the parameters to write to it. None of the tags use
// omitempty, so every field is always serialized.
type SSHRoleSpec struct {
	// SignerPath — presumably the mount path of the SSH secrets engine that owns the role; confirm against the controller.
	SignerPath string `json:"signerPath" yaml:"signerPath"`
	// RoleName — presumably the name of the role as written under the mount; confirm against the controller.
	RoleName string `json:"roleName" yaml:"roleName"`
	// VaultNamespace — presumably the Vault namespace the request is issued in; confirm against the controller.
	VaultNamespace string `json:"vaultNamespace" yaml:"vaultNamespace"`
	// Parameters is the role configuration to submit; see SSHRoleParameters for the individual settings.
	Parameters SSHRoleParameters `json:"parameters" yaml:"parameters"`
}
// SSHRoleStatus defines the observed state of SSHRole. It currently has no
// fields, so nothing about the reconciled role (success, errors, last sync)
// is reported back on the object.
type SSHRoleStatus struct {
}
// +kubebuilder:object:root=true
// SSHRole is the Schema for the sshroles API: one Vault SSH role expressed as
// a Kubernetes object. TypeMeta and ObjectMeta are embedded inline as for any
// custom resource; Spec carries the desired role and Status the observed state.
type SSHRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec is the desired state (see SSHRoleSpec).
	Spec SSHRoleSpec `json:"spec,omitempty"`
	// Status is the observed state (see SSHRoleStatus).
	Status SSHRoleStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
// SSHRoleList contains a list of SSHRole, as returned by list operations on
// the sshroles API. ListMeta (not ObjectMeta) is embedded because this is a
// list type.
type SSHRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the individual roles; the tag has no omitempty, so an empty list serializes as "items": null unless initialized.
	Items []SSHRole `json:"items"`
}
// init registers SSHRole and SSHRoleList with the package's SchemeBuilder so
// that both types can be added to a runtime scheme by the controller. This is
// the standard kubebuilder registration hook for a types file.
func init() {
	role := &SSHRole{}
	roleList := &SSHRoleList{}
	SchemeBuilder.Register(role, roleList)
}