secrets.hashicorp.com_vaultauths.yaml
405 lines (392 loc) · 19.3 KB
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: vaultauths.secrets.hashicorp.com
spec:
  group: secrets.hashicorp.com
  names:
    kind: VaultAuth
    listKind: VaultAuthList
    plural: vaultauths
    singular: vaultauth
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        description: VaultAuth is the Schema for the vaultauths API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: VaultAuthSpec defines the desired state of VaultAuth
            properties:
              allowedNamespaces:
                description: |-
                  AllowedNamespaces lists the Kubernetes Namespaces which are allow-listed for use with this AuthMethod.
                  This field allows administrators to customize which Kubernetes namespaces are authorized to
                  use this AuthMethod. While Vault will still enforce its own rules, this has the added
                  configurability of restricting which VaultAuthMethods can be used by which namespaces.
                  Accepted values:
                  []{"*"} - wildcard, all namespaces.
                  []{"a", "b"} - list of namespaces.
                  unset - disallow all namespaces except the Operator's and the VaultAuthMethod's namespace; this
                  is the default behavior.
                items:
                  type: string
                type: array
              appRole:
                description: AppRole specific auth configuration, requires that the
                  Method be set to `appRole`.
                properties:
                  roleId:
                    description: RoleID of the AppRole Role to use for authenticating
                      to Vault.
                    type: string
                  secretRef:
                    description: |-
                      SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which
                      provides the AppRole Role's SecretID. The secret must have a key named `id` which holds the
                      AppRole Role's secretID.
                    type: string
                type: object
              aws:
                description: AWS specific auth configuration, requires that Method
                  be set to `aws`.
                properties:
                  headerValue:
                    description: The Vault header value to include in the STS signing
                      request
                    type: string
                  iamEndpoint:
                    description: The IAM endpoint to use; if not set will use the
                      default
                    type: string
                  irsaServiceAccount:
                    description: |-
                      IRSAServiceAccount name to use with IAM Roles for Service Accounts
                      (IRSA); it should be annotated with "eks.amazonaws.com/role-arn". This
                      ServiceAccount will be checked for other EKS annotations:
                      eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration
                    type: string
                  region:
                    description: AWS Region to use for signing the authentication
                      request
                    type: string
                  role:
                    description: Vault role to use for authenticating
                    type: string
                  secretRef:
                    description: |-
                      SecretRef is the name of a Kubernetes Secret in the consumer's (VDS/VSS/PKI) namespace
                      which holds credentials for AWS. Expected keys include `access_key_id`, `secret_access_key`,
                      `session_token`
                    type: string
                  sessionName:
                    description: The role session name to use when creating a webidentity
                      provider
                    type: string
                  stsEndpoint:
                    description: The STS endpoint to use; if not set will use the
                      default
                    type: string
                type: object
              gcp:
                description: GCP specific auth configuration, requires that Method
                  be set to `gcp`.
                properties:
                  clusterName:
                    description: |-
                      GKE cluster name. Defaults to the cluster-name returned from the operator
                      pod's local metadata server.
                    type: string
                  projectID:
                    description: |-
                      GCP project ID. Defaults to the project-id returned from the operator
                      pod's local metadata server.
                    type: string
                  region:
                    description: |-
                      GCP Region of the GKE cluster's identity provider. Defaults to the region
                      returned from the operator pod's local metadata server.
                    type: string
                  role:
                    description: Vault role to use for authenticating
                    type: string
                  workloadIdentityServiceAccount:
                    description: |-
                      WorkloadIdentityServiceAccount is the name of a Kubernetes service
                      account (in the same Kubernetes namespace as the Vault*Secret referencing
                      this resource) which has been configured for workload identity in GKE.
                      Should be annotated with "iam.gke.io/gcp-service-account".
                    type: string
                type: object
              headers:
                additionalProperties:
                  type: string
                description: Headers to be included in all Vault requests.
                type: object
              jwt:
                description: JWT specific auth configuration, requires that the Method
                  be set to `jwt`.
                properties:
                  audiences:
                    description: TokenAudiences to include in the ServiceAccount token.
                    items:
                      type: string
                    type: array
                  role:
                    description: Role to use for authenticating to Vault.
                    type: string
                  secretRef:
                    description: |-
                      SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which
                      provides the JWT token to authenticate to Vault's JWT authentication backend. The secret must
                      have a key named `jwt` which holds the JWT token.
                    type: string
                  serviceAccount:
                    description: |-
                      ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's
                      JWT authentication backend.
                    type: string
                  tokenExpirationSeconds:
                    default: 600
                    description: TokenExpirationSeconds to set on the ServiceAccount
                      token.
                    format: int64
                    minimum: 600
                    type: integer
                type: object
              kubernetes:
                description: Kubernetes specific auth configuration, requires that
                  the Method be set to `kubernetes`.
                properties:
                  audiences:
                    description: TokenAudiences to include in the ServiceAccount token.
                    items:
                      type: string
                    type: array
                  role:
                    description: Role to use for authenticating to Vault.
                    type: string
                  serviceAccount:
                    description: |-
                      ServiceAccount to use when authenticating to Vault's
                      authentication backend. This must reside in the consuming secret's (VDS/VSS/PKI) namespace.
                    type: string
                  tokenExpirationSeconds:
                    default: 600
                    description: TokenExpirationSeconds to set on the ServiceAccount
                      token.
                    format: int64
                    minimum: 600
                    type: integer
                type: object
              method:
                description: Method to use when authenticating to Vault.
                enum:
                - kubernetes
                - jwt
                - appRole
                - aws
                - gcp
                type: string
              mount:
                description: Mount to use when authenticating to the auth method.
                type: string
              namespace:
                description: Namespace to auth to in Vault
                type: string
              params:
                additionalProperties:
                  type: string
                description: Params to use when authenticating to Vault
                type: object
              storageEncryption:
                description: |-
                  StorageEncryption provides the necessary configuration to encrypt the client storage cache.
                  This should only be configured when client cache persistence with encryption is enabled.
                  This is done by setting the manager's commandline argument
                  --client-cache-persistence-model=direct-encrypted. Typically, there should only ever
                  be one VaultAuth configured with StorageEncryption in the Cluster, and it should have
                  the label: cacheStorageEncryption=true
                properties:
                  keyName:
                    description: KeyName to use for encrypt/decrypt operations via
                      Vault Transit.
                    type: string
                  mount:
                    description: Mount path of the Transit engine in Vault.
                    type: string
                required:
                - keyName
                - mount
                type: object
              vaultAuthGlobalRef:
                description: VaultAuthGlobalRef.
                properties:
                  mergeStrategy:
                    description: |-
                      MergeStrategy configures the merge strategy for HTTP headers and parameters
                      that are included in all Vault authentication requests.
                    properties:
                      headers:
                        description: |-
                          Headers configures the merge strategy for HTTP headers that are included in
                          all Vault requests. Choices are `union`, `replace`, or `none`.
                          If `union` is set, the headers from the VaultAuthGlobal and VaultAuth
                          resources are merged. The headers from the VaultAuth always take precedence.
                          If `replace` is set, the first set of non-empty headers is taken in order from:
                          VaultAuth, VaultAuthGlobal auth method, VaultGlobal default headers.
                          If `none` is set, the headers from the
                          VaultAuthGlobal resource are ignored and only the headers from the VaultAuth
                          resource are used. The default is `none`.
                        enum:
                        - union
                        - replace
                        - none
                        type: string
                      params:
                        description: |-
                          Params configures the merge strategy for HTTP parameters that are included in
                          all Vault requests. Choices are `union`, `replace`, or `none`.
                          If `union` is set, the parameters from the VaultAuthGlobal and VaultAuth
                          resources are merged. The parameters from the VaultAuth always take
                          precedence.
                          If `replace` is set, the first set of non-empty parameters is taken in order from:
                          VaultAuth, VaultAuthGlobal auth method, VaultGlobal default parameters.
                          If `none` is set, the parameters from the VaultAuthGlobal resource are ignored
                          and only the parameters from the VaultAuth resource are used. The default is
                          `none`.
                        enum:
                        - union
                        - replace
                        - none
                        type: string
                    type: object
                  name:
                    description: Name of the VaultAuthGlobal resource.
                    pattern: ^([a-z0-9.-]{1,253})$
                    type: string
                  namespace:
                    description: |-
                      Namespace of the VaultAuthGlobal resource. If not provided, the namespace of
                      the referring VaultAuth resource is used.
                    pattern: ^([a-z0-9.-]{1,253})$
                    type: string
                required:
                - name
                type: object
              vaultConnectionRef:
                description: |-
                  VaultConnectionRef to the VaultConnection resource, can be prefixed with a namespace,
                  eg: `namespaceA/vaultConnectionRefB`. If no namespace prefix is provided it will default to the
                  namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the
                  Operator will default to the `default` VaultConnection, configured in the operator's namespace.
                type: string
            type: object
          status:
            description: VaultAuthStatus defines the observed state of VaultAuth
            properties:
              conditions:
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions. For
                    example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
                    observations of a foo's current state.\n\t // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
                    +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
                    \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \ // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              error:
                type: string
              specHash:
                type: string
              valid:
                description: Valid auth mechanism.
                type: boolean
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
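The two access-control rules this schema documents in prose, `allowedNamespaces` (which namespaces may consume a VaultAuth) and `vaultAuthGlobalRef.mergeStrategy` (whose headers and params win when a VaultAuth inherits from a VaultAuthGlobal), written out as plain functions. This is an added example, not code from the Vault Secrets Operator; the field semantics follow the descriptions above, and the assumption that, under `union`, the VaultAuthGlobal method-level set overlays the VaultAuthGlobal default set before the VaultAuth's own values are applied is mine.

```python
"""Added example (not Vault Secrets Operator code): the allowedNamespaces and
mergeStrategy rules from the VaultAuth CRD descriptions, as checkable functions."""
from typing import Dict, Mapping, Optional, Sequence

Values = Mapping[str, str]


def namespace_allowed(allowed: Optional[Sequence[str]], vaultauth_ns: str,
                      operator_ns: str, consumer_ns: str) -> bool:
    """allowedNamespaces semantics per the field description:
    ["*"]        -> every namespace may use this VaultAuth
    ["a", "b"]   -> only the listed namespaces
    unset/empty  -> only the VaultAuth's own namespace and the operator's namespace
    Vault still enforces its own role bindings; this is the operator-side gate."""
    if not allowed:
        return consumer_ns in (vaultauth_ns, operator_ns)
    if "*" in allowed:
        return True
    return consumer_ns in allowed


def merge(strategy: str, vault_auth: Values, global_method: Values,
          global_default: Values) -> Dict[str, str]:
    """mergeStrategy for headers or params.
    none    -> VaultAuth values only, VaultAuthGlobal ignored (the default)
    replace -> first non-empty set, in order: VaultAuth, VaultAuthGlobal auth
               method, VaultAuthGlobal default
    union   -> all sets merged, VaultAuth always wins on a conflicting key
               (assumption: method-level global overlays default global)."""
    if strategy == "none":
        return dict(vault_auth)
    if strategy == "replace":
        for candidate in (vault_auth, global_method, global_default):
            if candidate:
                return dict(candidate)
        return {}
    if strategy == "union":
        return {**global_default, **global_method, **vault_auth}
    raise ValueError(f"unknown mergeStrategy {strategy!r}")


if __name__ == "__main__":
    # Constructed scenario: a team VaultAuth with no allowedNamespaces set.
    print(namespace_allowed(None, "team-a", "vault-secrets-operator", "team-b"))
    # Constructed header sets: VaultAuth pins its own X-Vault-Namespace under union.
    print(merge("union", {"X-Vault-Namespace": "team-a"},
                {"X-Vault-Namespace": "shared"}, {"X-Trace": "on"}))
```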