
AppRole support (#266)
Signed-off-by: Konstantin <konrasko@gmail.com>
kotyara85 committed Jan 24, 2021
1 parent 31984d4 commit 217e254
Showing 11 changed files with 1,549 additions and 131 deletions.
8 changes: 4 additions & 4 deletions api/crds/bindata.go


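--- a/api/crds/policy.kubevault.com_vaultpolicybindings.v1.yaml
+++ b/api/crds/policy.kubevault.com_vaultpolicybindings.v1.yaml
@@ -66,6 +66,101 @@ spec:
 description: SubjectRef refers to Vault users who will be granted
 policies.
 properties:
+appRole:
+description: 'More info: https://www.vaultproject.io/docs/auth/approle#configuration'
+properties:
+bindSecretID:
+description: Require secret_id to be presented when logging
+in using this AppRole.
+type: boolean
+enableLocalSecretIds:
+description: If set, the secret IDs generated using this role
+will be cluster local. This can only be set during role
+creation and once set, it can't be reset later.
+type: boolean
+path:
+description: 'Specifies the path where approle auth is enabled
+default : approle'
+type: string
+roleName:
+description: 'RoleName is the Name of the AppRole This defaults
+to following format: k8s.${cluster}.${metadata.namespace}.${metadata.name}'
+type: string
+secretIdBoundCidrs:
+description: List of CIDR blocks; if set, specifies blocks
+of IP addresses which can perform the login operation.
+items:
+type: string
+type: array
+secretIdNumUses:
+description: Number of times any particular SecretID can be
+used to fetch a token from this AppRole, after which the
+SecretID will expire. A value of zero will allow unlimited
+uses.
+format: int64
+type: integer
+secretIdTTL:
+description: Duration in either an integer number of seconds
+(3600) or an integer time unit (60m) after which any SecretID
+expires.
+type: string
+tokenBoundCidrs:
+description: List of CIDR blocks; if set, specifies blocks
+of IP addresses which can authenticate successfully, and
+ties the resulting token to these blocks as well.
+items:
+type: string
+type: array
+tokenExplicitMaxTTL:
+description: If set, will encode an explicit max TTL onto
+the token. This is a hard cap even if token_ttl and token_max_ttl
+would otherwise allow a renewal.
+format: int64
+type: integer
+tokenMaxTTL:
+description: The maximum lifetime for generated tokens. This
+current value of this will be referenced at renewal time.
+format: int64
+type: integer
+tokenNoDefaultPolicy:
+description: If set, the default policy will not be set on
+generated tokens; otherwise it will be added to the policies
+set in token_policies.
+type: boolean
+tokenNumUses:
+description: The maximum number of times a generated token
+may be used (within its lifetime); 0 means unlimited.
+format: int64
+type: integer
+tokenPeriod:
+description: The period, if any, to set on the token.
+format: int64
+type: integer
+tokenPolicies:
+description: List of policies to encode onto generated tokens.
+Depending on the auth method, this list may be supplemented
+by user/group/other values.
+items:
+type: string
+type: array
+tokenTTL:
+description: The incremental lifetime for generated tokens.
+This current value of this will be referenced at renewal
+time.
+format: int64
+type: integer
+tokenType:
+description: 'The type of token that should be generated.
+Can be service, batch, or default to use the mount''s tuned
+default (which unless changed will be service tokens). For
+token store roles, there are two additional possibilities:
+default-service and default-batch which specify the type
+to return unless the client requests a different type at
+generation time.'
+type: string
+required:
+- bindSecretID
+type: object
 kubernetes:
 description: 'Kubernetes refers to Vault users who are authenticated
 via Kubernetes auth method More info: https://www.vaultproject.io/docs/auth/kubernetes.html#configuration'
@@ -74,6 +169,9 @@ spec:
 description: Specifies the maximum allowed lifetime of tokens
 issued in seconds using this role.
 type: string
+name:
+description: Name of the role
+type: string
 path:
 description: 'Specifies the path where kubernetes auth is
 enabled default : kubernetes'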
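Review bot: In the appRole block of the first hunk the schema accepts `bindSecretID: false` together with empty `secretIdBoundCidrs` and `tokenBoundCidrs`, which leaves a role that can be logged into with the RoleID alone; a structural CRD schema cannot express that conditional, so it needs either controller-side validation or at least a sentence in the `bindSecretID` description saying that disabling it should be paired with bound CIDRs. The numeric fields (`secretIdNumUses`, `tokenNumUses`, `tokenTTL`, `tokenMaxTTL`, `tokenExplicitMaxTTL`, `tokenPeriod`) carry `format: int64` but no `minimum: 0`, and `tokenType` is a bare `type: string` although its description enumerates the accepted values, so `minimum: 0` and `enum: [service, batch, default, default-service, default-batch]` would let the API server reject bad values before they reach Vault. These files look generated from the Go types (api/crds/bindata.go changes in the same commit), so the constraints presumably belong on the type as validation markers rather than being edited here. The same block appears in api/crds/policy.kubevault.com_vaultpolicybindings.yaml.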
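--- a/api/crds/policy.kubevault.com_vaultpolicybindings.yaml
+++ b/api/crds/policy.kubevault.com_vaultpolicybindings.yaml
@@ -64,6 +64,98 @@ spec:
 subjectRef:
 description: SubjectRef refers to Vault users who will be granted policies.
 properties:
+appRole:
+description: 'More info: https://www.vaultproject.io/docs/auth/approle#configuration'
+properties:
+bindSecretID:
+description: Require secret_id to be presented when logging
+in using this AppRole.
+type: boolean
+enableLocalSecretIds:
+description: If set, the secret IDs generated using this role
+will be cluster local. This can only be set during role creation
+and once set, it can't be reset later.
+type: boolean
+path:
+description: 'Specifies the path where approle auth is enabled
+default : approle'
+type: string
+roleName:
+description: 'RoleName is the Name of the AppRole This defaults
+to following format: k8s.${cluster}.${metadata.namespace}.${metadata.name}'
+type: string
+secretIdBoundCidrs:
+description: List of CIDR blocks; if set, specifies blocks of
+IP addresses which can perform the login operation.
+items:
+type: string
+type: array
+secretIdNumUses:
+description: Number of times any particular SecretID can be
+used to fetch a token from this AppRole, after which the SecretID
+will expire. A value of zero will allow unlimited uses.
+format: int64
+type: integer
+secretIdTTL:
+description: Duration in either an integer number of seconds
+(3600) or an integer time unit (60m) after which any SecretID
+expires.
+type: string
+tokenBoundCidrs:
+description: List of CIDR blocks; if set, specifies blocks of
+IP addresses which can authenticate successfully, and ties
+the resulting token to these blocks as well.
+items:
+type: string
+type: array
+tokenExplicitMaxTTL:
+description: If set, will encode an explicit max TTL onto the
+token. This is a hard cap even if token_ttl and token_max_ttl
+would otherwise allow a renewal.
+format: int64
+type: integer
+tokenMaxTTL:
+description: The maximum lifetime for generated tokens. This
+current value of this will be referenced at renewal time.
+format: int64
+type: integer
+tokenNoDefaultPolicy:
+description: If set, the default policy will not be set on generated
+tokens; otherwise it will be added to the policies set in
+token_policies.
+type: boolean
+tokenNumUses:
+description: The maximum number of times a generated token may
+be used (within its lifetime); 0 means unlimited.
+format: int64
+type: integer
+tokenPeriod:
+description: The period, if any, to set on the token.
+format: int64
+type: integer
+tokenPolicies:
+description: List of policies to encode onto generated tokens.
+Depending on the auth method, this list may be supplemented
+by user/group/other values.
+items:
+type: string
+type: array
+tokenTTL:
+description: The incremental lifetime for generated tokens.
+This current value of this will be referenced at renewal time.
+format: int64
+type: integer
+tokenType:
+description: 'The type of token that should be generated. Can
+be service, batch, or default to use the mount''s tuned default
+(which unless changed will be service tokens). For token store
+roles, there are two additional possibilities: default-service
+and default-batch which specify the type to return unless
+the client requests a different type at generation time.'
+type: string
+required:
+- bindSecretID
+type: object
 kubernetes:
 description: 'Kubernetes refers to Vault users who are authenticated
 via Kubernetes auth method More info: https://www.vaultproject.io/docs/auth/kubernetes.html#configuration'
@@ -72,6 +164,9 @@ spec:
 description: Specifies the maximum allowed lifetime of tokens
 issued in seconds using this role.
 type: string
+name:
+description: Name of the role
+type: string
 path:
 description: 'Specifies the path where kubernetes auth is enabled
 default : kubernetes'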
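--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
@@ -17580,6 +17580,94 @@
 }
 }
 },
+"dev.kubevault.operator.apis.policy.v1alpha1.AppRoleSubjectRef": {
+"description": "More info: https://www.vaultproject.io/api-docs/auth/approle#create-update-approle",
+"type": "object",
+"required": [
+"bindSecretID"
+],
+"properties": {
+"bindSecretID": {
+"description": "Require secret_id to be presented when logging in using this AppRole.",
+"type": "boolean"
+},
+"enableLocalSecretIds": {
+"description": "If set, the secret IDs generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later.",
+"type": "boolean"
+},
+"path": {
+"description": "Specifies the path where approle auth is enabled default : approle",
+"type": "string"
+},
+"roleName": {
+"description": "RoleName is the Name of the AppRole This defaults to following format: k8s.${cluster}.${metadata.namespace}.${metadata.name}",
+"type": "string"
+},
+"secretIdBoundCidrs": {
+"description": "List of CIDR blocks; if set, specifies blocks of IP addresses which can perform the login operation.",
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"secretIdNumUses": {
+"description": "Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. A value of zero will allow unlimited uses.",
+"type": "integer",
+"format": "int64"
+},
+"secretIdTTL": {
+"description": "Duration in either an integer number of seconds (3600) or an integer time unit (60m) after which any SecretID expires.",
+"type": "string"
+},
+"tokenBoundCidrs": {
+"description": "List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.",
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"tokenExplicitMaxTTL": {
+"description": "If set, will encode an explicit max TTL onto the token. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.",
+"type": "integer",
+"format": "int64"
+},
+"tokenMaxTTL": {
+"description": "The maximum lifetime for generated tokens. This current value of this will be referenced at renewal time.",
+"type": "integer",
+"format": "int64"
+},
+"tokenNoDefaultPolicy": {
+"description": "If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.",
+"type": "boolean"
+},
+"tokenNumUses": {
+"description": "The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.",
+"type": "integer",
+"format": "int64"
+},
+"tokenPeriod": {
+"description": "The period, if any, to set on the token.",
+"type": "integer",
+"format": "int64"
+},
+"tokenPolicies": {
+"description": "List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.",
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"tokenTTL": {
+"description": "The incremental lifetime for generated tokens. This current value of this will be referenced at renewal time.",
+"type": "integer",
+"format": "int64"
+},
+"tokenType": {
+"description": "The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.",
+"type": "string"
+}
+}
+},
 "dev.kubevault.operator.apis.policy.v1alpha1.KubernetesSubjectRef": {
 "description": "More info: https://www.vaultproject.io/api/auth/kubernetes/index.html#create-role",
 "type": "object",
@@ -17592,6 +17680,10 @@
 "description": "Specifies the maximum allowed lifetime of tokens issued in seconds using this role.",
 "type": "string"
 },
+"name": {
+"description": "Name of the role",
+"type": "string"
+},
 "path": {
 "description": "Specifies the path where kubernetes auth is enabled default : kubernetes",
 "type": "string"
@@ -17636,6 +17728,10 @@
 "dev.kubevault.operator.apis.policy.v1alpha1.SubjectRef": {
 "type": "object",
 "properties": {
+"appRole": {
+"description": "More info: https://www.vaultproject.io/docs/auth/approle#configuration",
+"$ref": "#/definitions/dev.kubevault.operator.apis.policy.v1alpha1.AppRoleSubjectRef"
+},
 "kubernetes": {
 "description": "Kubernetes refers to Vault users who are authenticated via Kubernetes auth method More info: https://www.vaultproject.io/docs/auth/kubernetes.html#configuration",
 "$ref": "#/definitions/dev.kubevault.operator.apis.policy.v1alpha1.KubernetesSubjectRef"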

0 comments on commit 217e254
