-
-
Notifications
You must be signed in to change notification settings - Fork 812
/
secretstore_vault_types.go
328 lines (275 loc) · 13.5 KB
/
secretstore_vault_types.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)
type VaultKVStoreVersion string
const (
VaultKVStoreV1 VaultKVStoreVersion = "v1"
VaultKVStoreV2 VaultKVStoreVersion = "v2"
)
// Configures an store to sync secrets using a HashiCorp Vault
// KV backend.
type VaultProvider struct {
// Auth configures how secret-manager authenticates with the Vault server.
Auth VaultAuth `json:"auth"`
// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
Server string `json:"server"`
// Path is the mount path of the Vault KV backend endpoint, e.g:
// "secret". The v2 KV secret engine version specific "/data" path suffix
// for fetching secrets from Vault is optional and will be appended
// if not present in specified path.
// +optional
Path *string `json:"path"`
// Version is the Vault KV secret engine version. This can be either "v1" or
// "v2". Version defaults to "v2".
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Enum="v1";"v2"
// +kubebuilder:default:="v2"
Version VaultKVStoreVersion `json:"version"`
// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
// +optional
Namespace *string `json:"namespace,omitempty"`
// PEM encoded CA bundle used to validate Vault server certificate. Only used
// if the Server URL is using HTTPS protocol. This parameter is ignored for
// plain HTTP protocol connection. If not set the system root certificates
// are used to validate the TLS connection.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
// The provider for the CA bundle to use to validate Vault server certificate.
// +optional
CAProvider *CAProvider `json:"caProvider,omitempty"`
// ReadYourWrites ensures isolated read-after-write semantics by
// providing discovered cluster replication states in each request.
// More information about eventual consistency in Vault can be found here
// https://www.vaultproject.io/docs/enterprise/consistency
// +optional
ReadYourWrites bool `json:"readYourWrites,omitempty"`
// ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
// leader instead of simply retrying within a loop. This can increase performance if
// the option is enabled serverside.
// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
// +optional
ForwardInconsistent bool `json:"forwardInconsistent,omitempty"`
}
// VaultAuth is the configuration used to authenticate with a Vault server.
// Only one of `tokenSecretRef`, `appRole`, `kubernetes`, `ldap`, `userPass`, `jwt` or `cert`
// can be specified.
type VaultAuth struct {
// TokenSecretRef authenticates with Vault by presenting a token.
// +optional
TokenSecretRef *esmeta.SecretKeySelector `json:"tokenSecretRef,omitempty"`
// AppRole authenticates with Vault using the App Role auth mechanism,
// with the role and secret stored in a Kubernetes Secret resource.
// +optional
AppRole *VaultAppRole `json:"appRole,omitempty"`
// Kubernetes authenticates with Vault by passing the ServiceAccount
// token stored in the named Secret resource to the Vault server.
// +optional
Kubernetes *VaultKubernetesAuth `json:"kubernetes,omitempty"`
// Ldap authenticates with Vault by passing username/password pair using
// the LDAP authentication method
// +optional
Ldap *VaultLdapAuth `json:"ldap,omitempty"`
// Jwt authenticates with Vault by passing role and JWT token using the
// JWT/OIDC authentication method
// +optional
Jwt *VaultJwtAuth `json:"jwt,omitempty"`
// Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
// Cert authentication method
// +optional
Cert *VaultCertAuth `json:"cert,omitempty"`
// Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
// AWS IAM authentication method
// +optional
Iam *VaultIamAuth `json:"iam,omitempty"`
// UserPass authenticates with Vault by passing username/password pair
// +optional
UserPass *VaultUserPassAuth `json:"userPass,omitempty"`
}
// VaultAppRole authenticates with Vault using the App Role auth mechanism,
// with the role and secret stored in a Kubernetes Secret resource.
type VaultAppRole struct {
// Path where the App Role authentication backend is mounted
// in Vault, e.g: "approle"
// +kubebuilder:default=approle
Path string `json:"path"`
// RoleID configured in the App Role authentication backend when setting
// up the authentication backend in Vault.
//+optional
RoleID string `json:"roleId,omitempty"`
// Reference to a key in a Secret that contains the App Role ID used
// to authenticate with Vault.
// The `key` field must be specified and denotes which entry within the Secret
// resource is used as the app role id.
//+optional
RoleRef *esmeta.SecretKeySelector `json:"roleRef,omitempty"`
// Reference to a key in a Secret that contains the App Role secret used
// to authenticate with Vault.
// The `key` field must be specified and denotes which entry within the Secret
// resource is used as the app role secret.
SecretRef esmeta.SecretKeySelector `json:"secretRef"`
}
// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
// a Secret.
type VaultKubernetesAuth struct {
// Path where the Kubernetes authentication backend is mounted in Vault, e.g:
// "kubernetes"
// +kubebuilder:default=kubernetes
Path string `json:"mountPath"`
// Optional service account field containing the name of a kubernetes ServiceAccount.
// If the service account is specified, the service account secret token JWT will be used
// for authenticating with Vault. If the service account selector is not supplied,
// the secretRef will be used instead.
// +optional
ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
// Optional secret field containing a Kubernetes ServiceAccount JWT used
// for authenticating with Vault. If a name is specified without a key,
// `token` is the default. If one is not specified, the one bound to
// the controller will be used.
// +optional
SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
// A required field containing the Vault Role to assume. A Role binds a
// Kubernetes ServiceAccount with a set of Vault policies.
Role string `json:"role"`
}
// VaultLdapAuth authenticates with Vault using the LDAP authentication method,
// with the username and password stored in a Kubernetes Secret resource.
type VaultLdapAuth struct {
// Path where the LDAP authentication backend is mounted
// in Vault, e.g: "ldap"
// +kubebuilder:default=ldap
Path string `json:"path"`
// Username is a LDAP user name used to authenticate using the LDAP Vault
// authentication method
Username string `json:"username"`
// SecretRef to a key in a Secret resource containing password for the LDAP
// user used to authenticate with Vault using the LDAP authentication
// method
SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
}
// VaultAwsAuth tells the controller how to do authentication with aws.
// Only one of secretRef or jwt can be specified.
// if none is specified the controller will try to load credentials from its own service account assuming it is IRSA enabled.
type VaultAwsAuth struct {
// +optional
SecretRef *VaultAwsAuthSecretRef `json:"secretRef,omitempty"`
// +optional
JWTAuth *VaultAwsJWTAuth `json:"jwt,omitempty"`
}
// VaultAWSAuthSecretRef holds secret references for AWS credentials
// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
type VaultAwsAuthSecretRef struct {
// The AccessKeyID is used for authentication
AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
// The SecretAccessKey is used for authentication
SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
// The SessionToken used for authentication
// This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
// see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
// +Optional
SessionToken *esmeta.SecretKeySelector `json:"sessionTokenSecretRef,omitempty"`
}
// Authenticate against AWS using service account tokens.
type VaultAwsJWTAuth struct {
ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
}
// VaultKubernetesServiceAccountTokenAuth authenticates with Vault using a temporary
// Kubernetes service account token retrieved by the `TokenRequest` API.
type VaultKubernetesServiceAccountTokenAuth struct {
// Service account field containing the name of a kubernetes ServiceAccount.
ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`
// Optional audiences field that will be used to request a temporary Kubernetes service
// account token for the service account referenced by `serviceAccountRef`.
// Defaults to a single audience `vault` it not specified.
// Deprecated: use serviceAccountRef.Audiences instead
// +optional
Audiences *[]string `json:"audiences,omitempty"`
// Optional expiration time in seconds that will be used to request a temporary
// Kubernetes service account token for the service account referenced by
// `serviceAccountRef`.
// Deprecated: this will be removed in the future.
// Defaults to 10 minutes.
// +optional
ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`
}
// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
// method, with the role name and a token stored in a Kubernetes Secret resource or
// a Kubernetes service account token retrieved via `TokenRequest`.
type VaultJwtAuth struct {
// Path where the JWT authentication backend is mounted
// in Vault, e.g: "jwt"
// +kubebuilder:default=jwt
Path string `json:"path"`
// Role is a JWT role to authenticate using the JWT/OIDC Vault
// authentication method
// +optional
Role string `json:"role"`
// Optional SecretRef that refers to a key in a Secret resource containing JWT token to
// authenticate with Vault using the JWT/OIDC authentication method.
// +optional
SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
// Optional ServiceAccountToken specifies the Kubernetes service account for which to request
// a token for with the `TokenRequest` API.
// +optional
KubernetesServiceAccountToken *VaultKubernetesServiceAccountTokenAuth `json:"kubernetesServiceAccountToken,omitempty"`
}
// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
// method, with the role name and token stored in a Kubernetes Secret resource.
type VaultCertAuth struct {
// ClientCert is a certificate to authenticate using the Cert Vault
// authentication method
// +optional
ClientCert esmeta.SecretKeySelector `json:"clientCert,omitempty"`
// SecretRef to a key in a Secret resource containing client private key to
// authenticate with Vault using the Cert authentication method
SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
}
// VaultIamAuth authenticates with Vault using the Vault's AWS IAM authentication method. Refer: https://developer.hashicorp.com/vault/docs/auth/aws
type VaultIamAuth struct {
// Path where the AWS auth method is enabled in Vault, e.g: "aws"
Path string `json:"path,omitempty"`
// AWS region
Region string `json:"region,omitempty"`
// This is the AWS role to be assumed before talking to vault
AWSIAMRole string `json:"role,omitempty"`
// Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
Role string `json:"vaultRole"`
// AWS External ID set on assumed IAM roles
ExternalID string `json:"externalID,omitempty"`
// X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws
VaultAWSIAMServerID string `json:"vaultAwsIamServerID,omitempty"`
// Specify credentials in a Secret object
// +optional
SecretRef *VaultAwsAuthSecretRef `json:"secretRef,omitempty"`
// Specify a service account with IRSA enabled
// +optional
JWTAuth *VaultAwsJWTAuth `json:"jwt,omitempty"`
}
// VaultUserPassAuth authenticates with Vault using UserPass authentication method,
// with the username and password stored in a Kubernetes Secret resource.
type VaultUserPassAuth struct {
// Path where the UserPassword authentication backend is mounted
// in Vault, e.g: "user"
// +kubebuilder:default=user
Path string `json:"path"`
// Username is a user name used to authenticate using the UserPass Vault
// authentication method
Username string `json:"username"`
// SecretRef to a key in a Secret resource containing password for the
// user used to authenticate with Vault using the UserPass authentication
// method
SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
}