Remove insecureSkipTLSVerify from Unsealer (#159)

kubevault · Jan 2, 2019 · 98ca423 · 98ca423
1 parent d29c556
commit 98ca423
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 54 deletions.
diff --git a/api/crds/vaultserver.yaml b/api/crds/vaultserver.yaml
@@ -4397,27 +4397,23 @@ spec:
               description: TLSPolicy defines the TLS policy of the vault nodes If
                 this is not set, operator will auto-gen TLS assets and secrets.
               properties:
+                caBundle:
+                  description: CABundle is a PEM encoded CA bundle which will be used
+                    to validate the serving certificate.
+                  format: byte
+                  type: string
                 tlsSecret:
                   description: "TLSSecret is the secret containing TLS certs used
                     by each vault node for the communication between the vault server
-                    and its clients. The secret should contain three files:\n\t- ca.crt\n\t-
-                    server.crt\n\t- server.key\n\nThe server certificate must allow
-                    the following wildcard domains:\n\t- localhost\n\t- *.<namespace>.pod\n\t-
-                    <vaultServer-name>.<namespace>.svc"
+                    and its clients. The secret should contain three files:\n\t- tls.crt\n\t-
+                    tls.key\n\nThe server certificate must allow the following wildcard
+                    domains:\n\t- localhost\n\t- *.<namespace>.pod\n\t- <vaultServer-name>.<namespace>.svc"
                   type: string
               required:
               - tlsSecret
             unsealer:
               description: UnsealerSpec contain the configuration for auto vault initialize/unseal
               properties:
-                caBundle:
-                  description: CABundle is a PEM encoded CA bundle which will be used
-                    to validate the serving certificate.
-                  format: byte
-                  type: string
-                insecureSkipTLSVerify:
-                  description: InsecureSkipTLSVerify disables TLS certificate verification
-                  type: boolean
                 mode:
                   description: ModeSpec contain unseal mechanism
                   properties:

diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
@@ -6572,24 +6572,20 @@
         "tlsSecret"
       ],
       "properties": {
+        "caBundle": {
+          "description": "CABundle is a PEM encoded CA bundle which will be used to validate the serving certificate.",
+          "type": "string",
+          "format": "byte"
+        },
         "tlsSecret": {
-          "description": "TLSSecret is the secret containing TLS certs used by each vault node for the communication between the vault server and its clients. The secret should contain three files:\n\t- ca.crt\n\t- server.crt\n\t- server.key\n\nThe server certificate must allow the following wildcard domains:\n\t- localhost\n\t- *.\u003cnamespace\u003e.pod\n\t- \u003cvaultServer-name\u003e.\u003cnamespace\u003e.svc",
+          "description": "TLSSecret is the secret containing TLS certs used by each vault node for the communication between the vault server and its clients. The secret should contain three files:\n\t- tls.crt\n\t- tls.key\n\nThe server certificate must allow the following wildcard domains:\n\t- localhost\n\t- *.\u003cnamespace\u003e.pod\n\t- \u003cvaultServer-name\u003e.\u003cnamespace\u003e.svc",
           "type": "string"
         }
       }
     },
     "com.github.kubevault.operator.apis.kubevault.v1alpha1.UnsealerSpec": {
       "description": "UnsealerSpec contain the configuration for auto vault initialize/unseal",
       "properties": {
-        "caBundle": {
-          "description": "CABundle is a PEM encoded CA bundle which will be used to validate the serving certificate.",
-          "type": "string",
-          "format": "byte"
-        },
-        "insecureSkipTLSVerify": {
-          "description": "InsecureSkipTLSVerify disables TLS certificate verification",
-          "type": "boolean"
-        },
         "mode": {
           "description": "mode contains unseal mechanism",
           "$ref": "#/definitions/com.github.kubevault.operator.apis.kubevault.v1alpha1.ModeSpec"

diff --git a/apis/kubevault/v1alpha1/openapi_generated.go b/apis/kubevault/v1alpha1/openapi_generated.go
diff --git a/apis/kubevault/v1alpha1/vaultserver_types.go b/apis/kubevault/v1alpha1/vaultserver_types.go
@@ -184,15 +184,18 @@ type TLSPolicy struct {
 	// TLSSecret is the secret containing TLS certs used by each vault node
 	// for the communication between the vault server and its clients.
 	// The secret should contain three files:
-	//	- ca.crt
-	// 	- server.crt
-	// 	- server.key
+	// 	- tls.crt
+	// 	- tls.key
 	//
 	// The server certificate must allow the following wildcard domains:
 	// 	- localhost
 	// 	- *.<namespace>.pod
 	// 	- <vaultServer-name>.<namespace>.svc
 	TLSSecret string `json:"tlsSecret"`
+
+	// CABundle is a PEM encoded CA bundle which will be used to validate the serving certificate.
+	// +optional
+	CABundle []byte `json:"caBundle,omitempty"`
 }
 
 // TODO : set defaults and validation
@@ -545,14 +548,6 @@ type UnsealerSpec struct {
 	// +optional
 	OverwriteExisting bool `json:"overwriteExisting,omitempty"`
 
-	// InsecureSkipTLSVerify disables TLS certificate verification
-	// +optional
-	InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
-
-	// CABundle is a PEM encoded CA bundle which will be used to validate the serving certificate.
-	// +optional
-	CABundle []byte `json:"caBundle,omitempty"`
-
 	// should the root token be stored in the key store (default true)
 	// +optional
 	StoreRootToken bool `json:"storeRootToken,omitempty"`

diff --git a/apis/kubevault/v1alpha1/zz_generated.deepcopy.go b/apis/kubevault/v1alpha1/zz_generated.deepcopy.go