Vault
API Reference
Packages
secrets.hashicorp.com/v1beta1
Package v1beta1 contains API Schema definitions for the secrets v1beta1 API group
Resource Types
- HCPAuth
- HCPAuthList
- HCPVaultSecretsApp
- HCPVaultSecretsAppList
- SecretTransformation
- SecretTransformationList
- VaultAuth
- VaultAuthGlobal
- VaultAuthGlobalList
- VaultAuthList
- VaultConnection
- VaultConnectionList
- VaultDynamicSecret
- VaultDynamicSecretList
- VaultPKISecret
- VaultPKISecretList
- VaultStaticSecret
- VaultStaticSecretList
Destination
Destination provides the configuration that will be applied to the destination Kubernetes Secret during a Vault Secret -> K8s Secret sync.
Field | Description | Default | Validation |
---|---|---|---|
name string | Name of the Secret | ||
create boolean | Create the destination Secret. If the Secret already exists this should be set to false. | false | |
overwrite boolean | Overwrite the destination Secret if it exists and Create is true. This is useful when migrating to VSO from a previous secret deployment strategy. | false | |
labels object (keys:string, values:string) | Labels to apply to the Secret. Requires Create to be set to true. | ||
annotations object (keys:string, values:string) | Annotations to apply to the Secret. Requires Create to be set to true. | ||
type SecretType | Type of Kubernetes Secret. Requires Create to be set to true. Defaults to Opaque. | ||
transformation Transformation | Transformation provides configuration for transforming the secret data before it is stored in the Destination. |
HCPAuth
HCPAuth is the Schema for the hcpauths API
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | HCPAuth | ||
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
spec HCPAuthSpec |
HCPAuthList
HCPAuthList contains a list of HCPAuth
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | HCPAuthList | ||
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
items HCPAuth array |
HCPAuthServicePrincipal
HCPAuthServicePrincipal provides HCPAuth configuration options needed for authenticating to HCP using a service principal configured in SecretRef.
Field | Description | Default | Validation |
---|---|---|---|
secretRef string | SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI/HCP) namespace which provides the HCP ServicePrincipal clientID and clientSecret. The secret data must have the following structure: {"clientID": "clientID", "clientSecret": "clientSecret"} |
HCPAuthSpec
HCPAuthSpec defines the desired state of HCPAuth
Field | Description | Default | Validation |
---|---|---|---|
organizationID string | OrganizationID of the HCP organization. | ||
projectID string | ProjectID of the HCP project. | ||
allowedNamespaces string array | AllowedNamespaces lists the Kubernetes Namespaces which are allow-listed for use with this AuthMethod. This field allows administrators to customize which Kubernetes namespaces are authorized to use this AuthMethod. While Vault will still enforce its own rules, this adds the ability to restrict which HCPAuthMethods can be used by which namespaces. Accepted values: []{"*"} - wildcard, all namespaces. []{"a", "b"} - list of namespaces. unset - disallow all namespaces except the Operator's and the HCPAuthMethod's namespace; this is the default behavior. | ||
method string | Method to use when authenticating to HCP. | servicePrincipal | Enum: [servicePrincipal] |
servicePrincipal HCPAuthServicePrincipal | ServicePrincipal provides the necessary configuration for authenticating to HCP using a service principal. For security reasons, only project-level service principals should ever be used. |
HCPVaultSecretsApp
HCPVaultSecretsApp is the Schema for the hcpvaultsecretsapps API
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | HCPVaultSecretsApp | ||
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
spec HCPVaultSecretsAppSpec |
HCPVaultSecretsAppList
HCPVaultSecretsAppList contains a list of HCPVaultSecretsApp
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | HCPVaultSecretsAppList | ||
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
items HCPVaultSecretsApp array |
HCPVaultSecretsAppSpec
HCPVaultSecretsAppSpec defines the desired state of HCPVaultSecretsApp
Field | Description | Default | Validation |
---|---|---|---|
appName string | AppName of the Vault Secrets Application that is to be synced. | ||
hcpAuthRef string | HCPAuthRef to the HCPAuth resource, can be prefixed with a namespace, e.g. namespaceA/vaultAuthRefB. If no namespace prefix is provided it will default to the namespace of the HCPAuth CR. If no value is specified for HCPAuthRef the Operator will default to the default HCPAuth, configured in the operator's namespace. | ||
refreshAfter string | RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h | 600s | Pattern: `^([0-9]+(.[0-9]+)?(s |
rolloutRestartTargets RolloutRestartTarget array | RolloutRestartTargets should be configured whenever the application(s) consuming the HCP Vault Secrets App do not support dynamically reloading a rotated secret. In that case one or more RolloutRestartTarget(s) can be configured here. The Operator will trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. See RolloutRestartTarget for more details. | ||
destination Destination | Destination provides configuration necessary for syncing the HCP Vault Application secrets to Kubernetes. | ||
syncConfig HVSSyncConfig | SyncConfig configures sync behavior from HVS to VSO |
HVSDynamicStatus
HVSDynamicStatus defines the observed state of a dynamic secret within an HCP Vault Secrets App
Field | Description | Default | Validation |
---|---|---|---|
name string | Name of the dynamic secret | ||
createdAt string | CreatedAt is the timestamp string of when the dynamic secret was created | ||
expiresAt string | ExpiresAt is the timestamp string of when the dynamic secret will expire | ||
ttl string | TTL is the time-to-live of the dynamic secret in seconds |
HVSDynamicSyncConfig
HVSDynamicSyncConfig configures sync behavior for HVS dynamic secrets.
Field | Description | Default | Validation |
---|---|---|---|
renewalPercent integer | RenewalPercent is the percentage (out of 100) of a dynamic secret's TTL at which new secrets are generated. Defaults to 67 percent plus up to 10% jitter. | 67 | Maximum: 90 Minimum: 0 |
HVSSyncConfig
HVSSyncConfig configures sync behavior from HVS to VSO
Field | Description | Default | Validation |
---|---|---|---|
dynamic HVSDynamicSyncConfig | Dynamic configures sync behavior for dynamic secrets. |
MergeStrategy
MergeStrategy provides the configuration for merging HTTP headers and parameters from the referring VaultAuth resource and its VaultAuthGlobal resource.
Field | Description | Default | Validation |
---|---|---|---|
headers string | Headers configures the merge strategy for HTTP headers that are included in all Vault requests. Choices are union, replace, or none. If union is set, the headers from the VaultAuthGlobal and VaultAuth resources are merged; the headers from the VaultAuth always take precedence. If replace is set, the first set of non-empty headers is taken in order from: VaultAuth, VaultAuthGlobal auth method, VaultAuthGlobal default headers. If none is set, the headers from the VaultAuthGlobal resource are ignored and only the headers from the VaultAuth resource are used. The default is none. | | Enum: [union replace none] |
params string | Params configures the merge strategy for HTTP parameters that are included in all Vault requests. Choices are union, replace, or none. If union is set, the parameters from the VaultAuthGlobal and VaultAuth resources are merged; the parameters from the VaultAuth always take precedence. If replace is set, the first set of non-empty parameters is taken in order from: VaultAuth, VaultAuthGlobal auth method, VaultAuthGlobal default parameters. If none is set, the parameters from the VaultAuthGlobal resource are ignored and only the parameters from the VaultAuth resource are used. The default is none. | | Enum: [union replace none] |
RolloutRestartTarget
RolloutRestartTarget provides the configuration required to perform a rollout-restart of the supported resources upon Vault Secret rotation. The rollout-restart is triggered by patching the target resource's 'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"
Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout
Field | Description | Default | Validation |
---|---|---|---|
kind string | Kind of the resource | | Enum: [Deployment DaemonSet StatefulSet argo.Rollout] |
name string | Name of the resource |
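The HCP-side types above (HCPAuth with HCPAuthServicePrincipal, HCPVaultSecretsApp with Destination, HVSSyncConfig and RolloutRestartTarget) combined into one deployable set of manifests. This is an added example, not part of this reference or of the Vault Secrets Operator project; every name, namespace, ID and credential value is a constructed placeholder.

```yaml
# --- Service principal credentials referenced by HCPAuthServicePrincipal.secretRef.
# The data keys must be exactly clientID and clientSecret; the values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: hcp-sp-creds              # constructed name
  namespace: vso-system           # constructed Operator namespace, same as the HCPAuth below
type: Opaque
stringData:
  clientID: "<project-level service principal client ID>"
  clientSecret: "<project-level service principal client secret>"
---
# --- HCPAuth: how VSO authenticates to HCP.
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPAuth
metadata:
  name: default                   # constructed; an HCPAuth in the Operator's namespace
  namespace: vso-system
spec:
  organizationID: "<hcp-organization-id>"
  projectID: "<hcp-project-id>"
  method: servicePrincipal        # the only value the enum accepts
  servicePrincipal:
    secretRef: hcp-sp-creds
  # Restrict which Kubernetes namespaces may use this HCPAuth. Unset means only
  # the Operator's and this HCPAuth's namespace; ["*"] would allow every namespace.
  allowedNamespaces:
    - payments
---
# --- HCPVaultSecretsApp: the sync itself, living in the consuming namespace.
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPVaultSecretsApp
metadata:
  name: payments-app              # constructed
  namespace: payments             # constructed consumer namespace, allow-listed above
spec:
  appName: payments-prod          # constructed HVS application name
  hcpAuthRef: vso-system/default  # namespace/name form; omit to use the default HCPAuth
  refreshAfter: 5m                # duration notation (s, m, h); the default is 600s
  syncConfig:
    dynamic:
      renewalPercent: 67          # regenerate dynamic secrets at 67% of TTL (+ up to 10% jitter); max 90
  destination:
    name: payments-secrets
    create: true                  # VSO creates and owns the Secret
    overwrite: false              # never clobber a pre-existing Secret of the same name
    type: Opaque                  # type/labels/annotations all require create: true
    labels:
      app.kubernetes.io/managed-by: vso
  # Workloads that cannot hot-reload a rotated secret are rollout-restarted:
  # VSO patches spec.template.metadata.annotations with
  # vso.secrets.hashicorp.com/restartedAt on every change.
  rolloutRestartTargets:
    - kind: Deployment
      name: payments-api          # constructed
```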
SecretTransformation
SecretTransformation is the Schema for the secrettransformations API
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | SecretTransformation | ||
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
spec SecretTransformationSpec |
SecretTransformationList
SecretTransformationList contains a list of SecretTransformation
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | SecretTransformationList | ||
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
items SecretTransformation array |
SecretTransformationSpec
SecretTransformationSpec defines the desired state of SecretTransformation
Field | Description | Default | Validation |
---|---|---|---|
templates object (keys:string, values:Template) | Templates maps a template name to its Template. Templates are always included in the rendered K8s Secret with the specified key. | ||
sourceTemplates SourceTemplate array | SourceTemplates are never included in the rendered K8s Secret, they can be used to provide common template definitions, etc. | ||
includes string array | Includes contains regex patterns used to filter top-level source secret data fields for inclusion in the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied last. | ||
excludes string array | Excludes contains regex patterns used to filter top-level source secret data fields for exclusion from the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied before any inclusion patterns. To exclude all source secret data fields, you can configure the single pattern ".*". |
SourceTemplate
SourceTemplate provides source templating configuration.
Field | Description | Default | Validation |
---|---|---|---|
name string | Name of the SourceTemplate. | ||
text string | Text contains the Go text template format. The template references attributes from the data structure of the source secret. Refer to https://pkg.go.dev/text/template for more information. |
StorageEncryption
StorageEncryption provides the configuration needed to encrypt the storage cache entries using Vault's Transit engine.
Field | Description | Default | Validation |
---|---|---|---|
mount string | Mount path of the Transit engine in Vault. | ||
keyName string | KeyName to use for encrypt/decrypt operations via Vault Transit. |
SyncConfig
SyncConfig configures sync behavior from Vault to VSO
Field | Description | Default | Validation |
---|---|---|---|
instantUpdates boolean | InstantUpdates is a flag to indicate that event-driven updates are enabled for this VaultStaticSecret |
Template
Template provides templating configuration.
Field | Description | Default | Validation |
---|---|---|---|
name string | Name of the Template | ||
text string | Text contains the Go text template format. The template references attributes from the data structure of the source secret. Refer to https://pkg.go.dev/text/template for more information. |
TemplateRef
TemplateRef points to templating text that is stored in a SecretTransformation custom resource.
Field | Description | Default | Validation |
---|---|---|---|
name string | Name of the Template in SecretTransformationSpec.Templates. | ||
keyOverride string | KeyOverride sets the key of the rendered template in the Destination secret. If empty, the Key from the referenced spec is used. Set this to override the Key set by the referenced spec. |
Transformation
Field | Description | Default | Validation |
---|---|---|---|
templates object (keys:string, values:Template) | Templates maps a template name to its Template. Templates are always included in the rendered K8s Secret, and take precedence over templates defined in a SecretTransformation. | ||
transformationRefs TransformationRef array | TransformationRefs contain references to template configuration from SecretTransformation. | ||
includes string array | Includes contains regex patterns used to filter top-level source secret data fields for inclusion in the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied last. | ||
excludes string array | Excludes contains regex patterns used to filter top-level source secret data fields for exclusion from the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied before any inclusion patterns. To exclude all source secret data fields, you can configure the single pattern ".*". | ||
excludeRaw boolean | ExcludeRaw data from the destination Secret. Exclusion policy can be set globally by including 'exclude-raw' in the '--global-transformation-options' command line flag. If set, the command line flag always takes precedence over this configuration. |
TransformationRef
TransformationRef contains the configuration for accessing templates from a SecretTransformation resource. TransformationRefs can be shared across all syncable secret custom resources.
Field | Description | Default | Validation |
---|---|---|---|
namespace string | Namespace of the SecretTransformation resource. | ||
name string | Name of the SecretTransformation resource. | ||
templateRefs TemplateRef array | TemplateRefs map to a Template found in this TransformationRef. If empty, then all templates from the SecretTransformation will be rendered to the K8s Secret. | ||
ignoreIncludes boolean | IgnoreIncludes controls whether to use the SecretTransformation's Includes data key filters. | ||
ignoreExcludes boolean | IgnoreExcludes controls whether to use the SecretTransformation's Excludes data key filters. |
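The SecretTransformation, Transformation, TransformationRef, TemplateRef and SourceTemplate fields above in use, as an added example that is not part of this reference or of the VSO project. Names and namespaces are constructed, and the template bodies assume that the source secret's fields are exposed to the Go template as `.Secrets` and that the Sprig `get` function is available, neither of which this page documents.

```yaml
# --- Cluster-shared templates, reusable from any syncable secret CR.
apiVersion: secrets.hashicorp.com/v1beta1
kind: SecretTransformation
metadata:
  name: db-templates              # constructed
  namespace: platform             # constructed
spec:
  # sourceTemplates are never written to the Secret; they hold shared
  # definitions that the rendered templates invoke.
  sourceTemplates:
    - name: dsn-def
      text: |
        {{- define "dsn" -}}
        postgres://{{ get .Secrets "username" }}:{{ get .Secrets "password" }}@db.internal:5432/app
        {{- end -}}
  # templates are always rendered into the Secret under their map key.
  templates:
    dsn:
      text: '{{ template "dsn" . }}'
  # Pattern filters apply only to raw source fields, never to templates.
  # Excludes run before includes: ".*" drops every raw field.
  excludes:
    - ".*"
---
# --- A consumer that pulls one template from the shared resource.
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPVaultSecretsApp
metadata:
  name: app-db                    # constructed
  namespace: app                  # constructed
spec:
  appName: app-db                 # constructed HVS application name; hcpAuthRef omitted, so the default HCPAuth is used
  destination:
    name: app-db-secret
    create: true
    transformation:
      transformationRefs:
        - namespace: platform
          name: db-templates
          # Render only the "dsn" template, and store it under a different key.
          templateRefs:
            - name: dsn
              keyOverride: DATABASE_URL
          # Ignore the ref's excludes (".*") and apply this CR's own filters instead.
          ignoreExcludes: true
      # A local template with the same name as one in the ref would take
      # precedence; this one is simply added to the Secret as "password".
      templates:
        password:
          text: '{{ get .Secrets "password" }}'
      # Applied to raw fields in this order: excludes first, then includes.
      excludes:
        - "^internal_"
      includes:
        - "^db_"
```

With ignoreExcludes set, the consumer's own filters govern the raw fields: each key is tested against the excludes first and then the includes, so the rendered Secret holds DATABASE_URL, password, and any raw key beginning with db_ (never one beginning with internal_).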
VaultAuth
VaultAuth is the Schema for the vaultauths API
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | VaultAuth | ||
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
spec VaultAuthSpec |
VaultAuthConfigAWS
VaultAuthConfigAWS provides VaultAuth configuration options needed for authenticating to Vault via an AWS AuthMethod. Will use creds from SecretRef or IRSAServiceAccount if provided, in that order. If neither is provided, the underlying node role or instance profile will be used to authenticate to Vault.
Field | Description | Default | Validation |
---|---|---|---|
role string | Vault role to use for authenticating | ||
region string | AWS Region to use for signing the authentication request | ||
headerValue string | The Vault header value to include in the STS signing request | ||
sessionName string | The role session name to use when creating a web identity provider | ||
stsEndpoint string | The STS endpoint to use; if not set will use the default | ||
iamEndpoint string | The IAM endpoint to use; if not set will use the default | ||
secretRef string | SecretRef is the name of a Kubernetes Secret in the consumer's (VDS/VSS/PKI) namespace which holds credentials for AWS. Expected keys include access_key_id, secret_access_key, session_token | ||
irsaServiceAccount string | IRSAServiceAccount name to use with IAM Roles for Service Accounts (IRSA), and should be annotated with "eks.amazonaws.com/role-arn". This ServiceAccount will be checked for other EKS annotations: eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration |
VaultAuthConfigAppRole
VaultAuthConfigAppRole provides VaultAuth configuration options needed for authenticating to Vault via an AppRole AuthMethod.
Field | Description | Default | Validation |
---|---|---|---|
roleId string | RoleID of the AppRole Role to use for authenticating to Vault. | ||
secretRef string | SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which provides the AppRole Role's SecretID. The secret must have a key named id which holds the AppRole Role's secretID. |
VaultAuthConfigGCP
VaultAuthConfigGCP provides VaultAuth configuration options needed for authenticating to Vault via a GCP AuthMethod, using workload identity
Field | Description | Default | Validation |
---|---|---|---|
role string | Vault role to use for authenticating | ||
workloadIdentityServiceAccount string | WorkloadIdentityServiceAccount is the name of a Kubernetes service account (in the same Kubernetes namespace as the Vault*Secret referencing this resource) which has been configured for workload identity in GKE. Should be annotated with "iam.gke.io/gcp-service-account". | ||
region string | GCP Region of the GKE cluster's identity provider. Defaults to the region returned from the operator pod's local metadata server. | ||
clusterName string | GKE cluster name. Defaults to the cluster-name returned from the operator pod's local metadata server. | ||
projectID string | GCP project ID. Defaults to the project-id returned from the operator pod's local metadata server. |
VaultAuthConfigJWT
VaultAuthConfigJWT provides VaultAuth configuration options needed for authenticating to Vault via a JWT AuthMethod.
Field | Description | Default | Validation |
---|---|---|---|
role string | Role to use for authenticating to Vault. | ||
secretRef string | SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which provides the JWT token to authenticate to Vault's JWT authentication backend. The secret must have a key named jwt which holds the JWT token. | ||
serviceAccount string | ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's JWT authentication backend. | ||
audiences string array | TokenAudiences to include in the ServiceAccount token. | ||
tokenExpirationSeconds integer | TokenExpirationSeconds to set the ServiceAccount token. | 600 | Minimum: 600 |
VaultAuthConfigKubernetes
VaultAuthConfigKubernetes provides VaultAuth configuration options needed for authenticating to Vault via a Kubernetes AuthMethod.
Field | Description | Default | Validation |
---|---|---|---|
role string | Role to use for authenticating to Vault. | ||
serviceAccount string | ServiceAccount to use when authenticating to Vault's authentication backend. This must reside in the consuming secret's (VDS/VSS/PKI) namespace. | ||
audiences string array | TokenAudiences to include in the ServiceAccount token. | ||
tokenExpirationSeconds integer | TokenExpirationSeconds to set the ServiceAccount token. | 600 | Minimum: 600 |
VaultAuthGlobal
VaultAuthGlobal is the Schema for the vaultauthglobals API
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | VaultAuthGlobal | ||
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
spec VaultAuthGlobalSpec |
VaultAuthGlobalConfigAWS
Field | Description | Default | Validation |
---|---|---|---|
role string | Vault role to use for authenticating | ||
region string | AWS Region to use for signing the authentication request | ||
headerValue string | The Vault header value to include in the STS signing request | ||
sessionName string | The role session name to use when creating a web identity provider | ||
stsEndpoint string | The STS endpoint to use; if not set will use the default | ||
iamEndpoint string | The IAM endpoint to use; if not set will use the default | ||
secretRef string | SecretRef is the name of a Kubernetes Secret in the consumer's (VDS/VSS/PKI) namespace which holds credentials for AWS. Expected keys include access_key_id, secret_access_key, session_token | ||
irsaServiceAccount string | IRSAServiceAccount name to use with IAM Roles for Service Accounts (IRSA), and should be annotated with "eks.amazonaws.com/role-arn". This ServiceAccount will be checked for other EKS annotations: eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration | ||
namespace string | Namespace to auth to in Vault | ||
mount string | Mount to use when authenticating to auth method. | ||
params object (keys:string, values:string) | Params to use when authenticating to Vault | ||
headers object (keys:string, values:string) | Headers to be included in all Vault requests. |
VaultAuthGlobalConfigAppRole
Field | Description | Default | Validation |
---|---|---|---|
roleId string | RoleID of the AppRole Role to use for authenticating to Vault. | ||
secretRef string | SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which provides the AppRole Role's SecretID. The secret must have a key named id which holds the AppRole Role's secretID. | ||
namespace string | Namespace to auth to in Vault | ||
mount string | Mount to use when authenticating to auth method. | ||
params object (keys:string, values:string) | Params to use when authenticating to Vault | ||
headers object (keys:string, values:string) | Headers to be included in all Vault requests. |
VaultAuthGlobalConfigGCP
Field | Description | Default | Validation |
---|---|---|---|
role string | Vault role to use for authenticating | ||
workloadIdentityServiceAccount string | WorkloadIdentityServiceAccount is the name of a Kubernetes service account (in the same Kubernetes namespace as the Vault*Secret referencing this resource) which has been configured for workload identity in GKE. Should be annotated with "iam.gke.io/gcp-service-account". | ||
region string | GCP Region of the GKE cluster's identity provider. Defaults to the region returned from the operator pod's local metadata server. | ||
clusterName string | GKE cluster name. Defaults to the cluster-name returned from the operator pod's local metadata server. | ||
projectID string | GCP project ID. Defaults to the project-id returned from the operator pod's local metadata server. | ||
namespace string | Namespace to auth to in Vault | ||
mount string | Mount to use when authenticating to auth method. | ||
params object (keys:string, values:string) | Params to use when authenticating to Vault | ||
headers object (keys:string, values:string) | Headers to be included in all Vault requests. |
VaultAuthGlobalConfigJWT
Field | Description | Default | Validation |
---|---|---|---|
role string | Role to use for authenticating to Vault. | ||
secretRef string | SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which provides the JWT token to authenticate to Vault's JWT authentication backend. The secret must have a key named jwt which holds the JWT token. | ||
serviceAccount string | ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's JWT authentication backend. | ||
audiences string array | TokenAudiences to include in the ServiceAccount token. | ||
tokenExpirationSeconds integer | TokenExpirationSeconds to set the ServiceAccount token. | 600 | Minimum: 600 |
namespace string | Namespace to auth to in Vault | ||
mount string | Mount to use when authenticating to auth method. | ||
params object (keys:string, values:string) | Params to use when authenticating to Vault | ||
headers object (keys:string, values:string) | Headers to be included in all Vault requests. |
VaultAuthGlobalConfigKubernetes
Field | Description | Default | Validation |
---|---|---|---|
role string | Role to use for authenticating to Vault. | ||
serviceAccount string | ServiceAccount to use when authenticating to Vault's authentication backend. This must reside in the consuming secret's (VDS/VSS/PKI) namespace. | ||
audiences string array | TokenAudiences to include in the ServiceAccount token. | ||
tokenExpirationSeconds integer | TokenExpirationSeconds to set the ServiceAccount token. | 600 | Minimum: 600 |
namespace string | Namespace to auth to in Vault | ||
mount string | Mount to use when authenticating to auth method. | ||
params object (keys:string, values:string) | Params to use when authenticating to Vault | ||
headers object (keys:string, values:string) | Headers to be included in all Vault requests. |
VaultAuthGlobalList
VaultAuthGlobalList contains a list of VaultAuthGlobal
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | VaultAuthGlobalList | ||
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
items VaultAuthGlobal array |
VaultAuthGlobalRef
VaultAuthGlobalRef is a reference to a VaultAuthGlobal resource. A referring VaultAuth resource can use the VaultAuthGlobal resource to share common configuration across multiple VaultAuth resources; the VaultAuthGlobal resource stores the global configuration for those VaultAuth resources.
Field | Description | Default | Validation |
---|---|---|---|
name string | Name of the VaultAuthGlobal resource. | | Pattern: ^([a-z0-9.-]{1,253})$ |
namespace string | Namespace of the VaultAuthGlobal resource. If not provided, the namespace of the referring VaultAuth resource is used. | | Pattern: ^([a-z0-9.-]{1,253})$ |
mergeStrategy MergeStrategy | MergeStrategy configures the merge strategy for HTTP headers and parameters that are included in all Vault authentication requests. | ||
allowDefault boolean | AllowDefault when set to true will use the default VaultAuthGlobal resource as the default if Name is not set. The 'allow-default-globals' option must be set on the operator's '-global-vault-auth-options' flag. The default VaultAuthGlobal search is conditional: when a ref Namespace is set, the search for the default VaultAuthGlobal resource is constrained to that namespace. Otherwise, the search order is: 1. the default VaultAuthGlobal resource in the referring VaultAuth resource's namespace; 2. the default VaultAuthGlobal resource in the Operator's namespace. |
VaultAuthGlobalSpec
VaultAuthGlobalSpec defines the desired state of VaultAuthGlobal
Field | Description | Default | Validation |
---|---|---|---|
allowedNamespaces string array | AllowedNamespaces Kubernetes Namespaces which are allow-listed for use with this VaultAuthGlobal. This field allows administrators to customize which Kubernetes namespaces are authorized to reference this resource. While Vault will still enforce its own rules, this has the added configurability of restricting which VaultAuthMethods can be used by which namespaces. Accepted values: []{"*"} - wildcard, all namespaces. []{"a", "b"} - list of namespaces. unset - disallow all namespaces except the Operator's and the referring VaultAuthMethod's namespace, this is the default behavior. | ||
vaultConnectionRef string | VaultConnectionRef to the VaultConnection resource, can be prefixed with a namespace, e.g. namespaceA/vaultConnectionRefB. If no namespace prefix is provided it will default to the namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the Operator will default to the default VaultConnection, configured in the operator's namespace. | ||
defaultVaultNamespace string | DefaultVaultNamespace to auth to in Vault, if not specified the namespace of the auth method will be used. This can be used as a default Vault namespace for all auth methods. | ||
defaultAuthMethod string | DefaultAuthMethod to use when authenticating to Vault. | | Enum: [kubernetes jwt appRole aws gcp] |
defaultMount string | DefaultMount to use when authenticating to auth method. If not specified the mount of the auth method configured in Vault will be used. | ||
params object (keys:string, values:string) | DefaultParams to use when authenticating to Vault | ||
headers object (keys:string, values:string) | DefaultHeaders to be included in all Vault requests. | ||
kubernetes VaultAuthGlobalConfigKubernetes | Kubernetes specific auth configuration, requires that the Method be set to kubernetes . | ||
appRole VaultAuthGlobalConfigAppRole | AppRole specific auth configuration, requires that the Method be set to appRole . | ||
jwt VaultAuthGlobalConfigJWT | JWT specific auth configuration, requires that the Method be set to jwt . | ||
aws VaultAuthGlobalConfigAWS | AWS specific auth configuration, requires that Method be set to aws . | ||
gcp VaultAuthGlobalConfigGCP | GCP specific auth configuration, requires that Method be set to gcp . |
VaultAuthList
VaultAuthList contains a list of VaultAuth
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | VaultAuthList | ||
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
items VaultAuth array |
VaultAuthSpec
VaultAuthSpec defines the desired state of VaultAuth
Field | Description | Default | Validation |
---|---|---|---|
vaultConnectionRef string | VaultConnectionRef to the VaultConnection resource, can be prefixed with a namespace, e.g. namespaceA/vaultConnectionRefB. If no namespace prefix is provided it will default to the namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the Operator will default to the default VaultConnection, configured in the operator's namespace. | ||
vaultAuthGlobalRef VaultAuthGlobalRef | VaultAuthGlobalRef references a VaultAuthGlobal resource whose common configuration is shared with this VaultAuth. | ||
namespace string | Namespace to auth to in Vault | ||
allowedNamespaces string array | AllowedNamespaces lists the Kubernetes Namespaces which are allow-listed for use with this AuthMethod. This field allows administrators to customize which Kubernetes namespaces are authorized to use this AuthMethod. While Vault will still enforce its own rules, this adds the ability to restrict which VaultAuthMethods can be used by which namespaces. Accepted values: []{"*"} - wildcard, all namespaces. []{"a", "b"} - list of namespaces. unset - disallow all namespaces except the Operator's and the VaultAuthMethod's namespace; this is the default behavior. | ||
method string | Method to use when authenticating to Vault. | | Enum: [kubernetes jwt appRole aws gcp] |
mount string | Mount to use when authenticating to auth method. | ||
params object (keys:string, values:string) | Params to use when authenticating to Vault | ||
headers object (keys:string, values:string) | Headers to be included in all Vault requests. | ||
kubernetes VaultAuthConfigKubernetes | Kubernetes specific auth configuration, requires that the Method be set to kubernetes . | ||
appRole VaultAuthConfigAppRole | AppRole specific auth configuration, requires that the Method be set to appRole . | ||
jwt VaultAuthConfigJWT | JWT specific auth configuration, requires that the Method be set to jwt . | ||
aws VaultAuthConfigAWS | AWS specific auth configuration, requires that Method be set to aws . | ||
gcp VaultAuthConfigGCP | GCP specific auth configuration, requires that Method be set to gcp . | ||
storageEncryption StorageEncryption | StorageEncryption provides the necessary configuration to encrypt the client storage cache. This should only be configured when client cache persistence with encryption is enabled. This is done by setting the manager's command-line argument --client-cache-persistence-model=direct-encrypted. Typically, there should only ever be one VaultAuth configured with StorageEncryption in the Cluster, and it should have the label: cacheStorageEncryption=true |
VaultClientMeta
VaultClientMeta defines the observed state of the last Vault Client used to sync the secret. This status is used during resource reconciliation.
Appears in:
Field | Description | Default | Validation |
---|---|---|---|
cacheKey string | CacheKey is the unique key used to identify the client cache. | ||
id string | ID is the Vault ID of the authenticated client. The ID should never contain any sensitive information. |
VaultConnection
VaultConnection is the Schema for the vaultconnections API
Appears in:
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | VaultConnection | ||
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata . | ||
spec VaultConnectionSpec |
VaultConnectionList
VaultConnectionList contains a list of VaultConnection
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | VaultConnectionList | ||
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata . | ||
items VaultConnection array |
VaultConnectionSpec
VaultConnectionSpec defines the desired state of VaultConnection
Appears in:
Field | Description | Default | Validation |
---|---|---|---|
address string | Address of the Vault server | ||
headers object (keys:string, values:string) | Headers to be included in all Vault requests. | ||
tlsServerName string | TLSServerName to use as the SNI host for TLS connections. | ||
caCertSecretRef string | CACertSecretRef is the name of a Kubernetes secret containing the trusted PEM encoded CA certificate chain as ca.crt . | ||
skipTLSVerify boolean | SkipTLSVerify for TLS connections. | false | |
timeout string | Timeout applied to all Vault requests for this connection. If not set, the default timeout from the Vault API client config is used. | Pattern: `^([0-9]+(.[0-9]+)?(s |
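A VaultConnection and a VaultAuth that reference each other across namespaces, as an added example that is not part of the original reference. The connection pins the server's CA chain through caCertSecretRef instead of disabling verification with skipTLSVerify, and the VaultAuth restricts which Kubernetes namespaces may use it through allowedNamespaces. The role, serviceAccount and audiences keys under kubernetes belong to VaultAuthConfigKubernetes, which is not shown in this section, so they are assumed here; every name, address and namespace is constructed.

```yaml
# Added example (not from the VSO reference). All names are constructed.
apiVersion: v1
kind: Secret
metadata:
  name: vault-ca                 # referenced by caCertSecretRef below
  namespace: vault-secrets-operator-system
type: Opaque
data:
  ca.crt: <base64 PEM CA chain>  # placeholder; VSO reads the key "ca.crt"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: vault-prod
  namespace: vault-secrets-operator-system
spec:
  address: https://vault.example.internal:8200
  tlsServerName: vault.example.internal  # SNI host; must match the served cert
  caCertSecretRef: vault-ca              # pinned trust anchor, so verification stays on
  skipTLSVerify: false                   # the default; never relax this outside a lab
  timeout: 30s                           # duration notation, per the Pattern validation
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: payments-auth
  namespace: payments
spec:
  # Namespace-prefixed ref: the VaultConnection lives in the operator's namespace.
  vaultConnectionRef: vault-secrets-operator-system/vault-prod
  method: kubernetes
  mount: kubernetes
  # Allow-list of Kubernetes namespaces that may reference this VaultAuth.
  # Leaving it unset permits only the Operator's and this VaultAuth's namespace.
  allowedNamespaces:
    - payments
    - payments-batch
  kubernetes:                    # VaultAuthConfigKubernetes; field names assumed
    role: payments
    serviceAccount: payments-sa
    audiences:
      - vault
```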
VaultDynamicSecret
VaultDynamicSecret is the Schema for the vaultdynamicsecrets API
Appears in:
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | VaultDynamicSecret | ||
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata . | ||
spec VaultDynamicSecretSpec |
VaultDynamicSecretList
VaultDynamicSecretList contains a list of VaultDynamicSecret
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | VaultDynamicSecretList | ||
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata . | ||
items VaultDynamicSecret array |
VaultDynamicSecretSpec
VaultDynamicSecretSpec defines the desired state of VaultDynamicSecret
Appears in:
Field | Description | Default | Validation |
---|---|---|---|
vaultAuthRef string | VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace, e.g. namespaceA/vaultAuthRefB . If no namespace prefix is provided it will default to the namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will default to the default VaultAuth, configured in the operator's namespace. | ||
namespace string | Namespace of the secrets engine mount in Vault. If not set, the namespace that's part of VaultAuth resource will be inferred. | ||
mount string | Mount path of the secret's engine in Vault. | ||
requestHTTPMethod string | RequestHTTPMethod to use when syncing Secrets from Vault. Setting a value here is not typically required. If left unset the Operator will make requests using the GET method. In the case where Params are specified the Operator will use the PUT method. Please consult the Vault secrets engine documentation if you are uncertain about what method to use. Of note, the Vault client treats PUT and POST as being equivalent. The underlying Vault client implementation will always use the PUT method. | Enum: [GET POST PUT] | |
path string | Path in Vault to get the credentials for, and is relative to Mount. Please consult the Vault secrets engine documentation if you are uncertain about what 'path' should be set to. | ||
params object (keys:string, values:string) | Params that can be passed when requesting credentials/secrets. When Params is set the configured RequestHTTPMethod will be ignored. See RequestHTTPMethod for more details. Please consult the Vault secrets engine documentation if you are uncertain about what 'params' should/can be set to. | ||
renewalPercent integer | RenewalPercent is the percent out of 100 of the lease duration when the lease is renewed. Defaults to 67 percent plus jitter. | 67 | Maximum: 90 Minimum: 0 |
revoke boolean | Revoke the existing lease on VDS resource deletion. | ||
allowStaticCreds boolean | AllowStaticCreds should be set when syncing credentials that are periodically rotated by the Vault server, rather than created upon request. These secrets are sometimes referred to as "static roles", or "static credentials", with a request path that contains "static-creds". | ||
rolloutRestartTargets RolloutRestartTarget array | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do not support dynamically reloading a rotated secret. In that case, one or more RolloutRestartTarget(s) can be configured here. The Operator will trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. See RolloutRestartTarget for more details. | ||
destination Destination | Destination provides configuration necessary for syncing the Vault secret to Kubernetes. | ||
refreshAfter string | RefreshAfter a period of time for VSO to sync the source secret data, in duration notation e.g. 30s, 1m, 24h. This value only needs to be set when syncing from a secret's engine that does not provide a lease TTL in its response. The value should be within the secret engine's configured ttl or max_ttl. The source secret's lease duration takes precedence over this configuration when it is greater than 0. | Pattern: `^([0-9]+(.[0-9]+)?(s |
VaultPKISecret
VaultPKISecret is the Schema for the vaultpkisecrets API
Appears in:
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | VaultPKISecret | ||
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata . | ||
spec VaultPKISecretSpec |
VaultPKISecretList
VaultPKISecretList contains a list of VaultPKISecret
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | VaultPKISecretList | ||
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata . | ||
items VaultPKISecret array |
VaultPKISecretSpec
VaultPKISecretSpec defines the desired state of VaultPKISecret
Appears in:
Field | Description | Default | Validation |
---|---|---|---|
vaultAuthRef string | VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace, e.g. namespaceA/vaultAuthRefB . If no namespace prefix is provided it will default to the namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will default to the default VaultAuth, configured in the operator's namespace. | ||
namespace string | Namespace of the secrets engine mount in Vault. If not set, the namespace that's part of VaultAuth resource will be inferred. | ||
mount string | Mount for the secret in Vault | ||
role string | Role in Vault to use when issuing TLS certificates. | ||
revoke boolean | Revoke the certificate when the resource is deleted. | ||
clear boolean | Clear the Kubernetes secret when the resource is deleted. | ||
expiryOffset string | ExpiryOffset to use for computing when the certificate should be renewed. The rotation time will be difference between the expiration and the offset. Should be in duration notation e.g. 30s, 120s, etc. | Pattern: `^([0-9]+(.[0-9]+)?(s | |
issuerRef string | IssuerRef reference to an existing PKI issuer, either by Vault-generated identifier, the literal string default to refer to the currently configured default issuer, or the name assigned to an issuer. This parameter is part of the request URL. | ||
rolloutRestartTargets RolloutRestartTarget array | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do not support dynamically reloading a rotated secret. In that case, one or more RolloutRestartTarget(s) can be configured here. The Operator will trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. See RolloutRestartTarget for more details. | ||
destination Destination | Destination provides configuration necessary for syncing the Vault secret to Kubernetes. If the type is set to "kubernetes.io/tls", "tls.key" will be set to the "private_key" response from Vault, and "tls.crt" will be set to "certificate" + "ca_chain" from the Vault response ("issuing_ca" is used when "ca_chain" is empty). The "remove_roots_from_chain=true" option is used with Vault to exclude the root CA from the Vault response. | ||
commonName string | CommonName to include in the request. | ||
altNames string array | AltNames to include in the request. May contain both DNS names and email addresses. | ||
ipSans string array | IPSans to include in the request. | ||
uriSans string array | The requested URI SANs. | ||
otherSans string array | Requested other SANs, in an array with the format oid;type:value for each entry. | ||
userIDs string array | User ID (OID 0.9.2342.19200300.100.1.1) Subject values to be placed on the signed certificate. | ||
ttl string | TTL for the certificate; sets the expiration date. If not specified the Vault role's default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount's max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA. Should be in duration notation e.g. 120s, 2h, etc. | Pattern: `^([0-9]+(.[0-9]+)?(s | |
format string | Format for the certificate. Choices: "pem", "der", "pem_bundle". If "pem_bundle", any private key and issuing cert will be appended to the certificate pem. If "der", the value will be base64 encoded. Default: pem | ||
privateKeyFormat string | PrivateKeyFormat, generally the default will be controlled by the Format parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to "pkcs8" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Default: der | ||
notAfter string | NotAfter field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ | ||
excludeCNFromSans boolean | ExcludeCNFromSans from DNS or Email Subject Alternate Names. Default: false |
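A VaultPKISecret that issues a short-lived server certificate into a kubernetes.io/tls Secret, as an added example that is not part of the original reference. It shows the renewal window (expiryOffset relative to the certificate's NotAfter), cleanup on deletion (revoke and clear) and the destination type mapping described above. The kind and name keys of RolloutRestartTarget are assumed, since that type is not shown in this section; mount, role and all names are constructed.

```yaml
# Added example (not from the VSO reference). All names are constructed.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultPKISecret
metadata:
  name: web-tls
  namespace: payments
spec:
  vaultAuthRef: payments-auth        # same namespace, so no prefix needed
  mount: pki_int                     # intermediate PKI mount
  role: payments-web                 # Vault role bounds allowed names, key types and TTLs
  issuerRef: default                 # the mount's currently configured default issuer
  commonName: web.payments.svc.cluster.local
  altNames:
    - web.payments.svc
    - web.payments.svc.cluster.local
  ipSans:
    - 10.0.0.10
  excludeCNFromSans: false
  ttl: 24h                           # cannot exceed the mount's max TTL
  expiryOffset: 2h                   # rotate at NotAfter minus 2h
  format: pem
  privateKeyFormat: pkcs8            # PEM-encoded PKCS#8 instead of the default DER
  revoke: true                       # revoke in Vault when this resource is deleted
  clear: true                        # and delete the Kubernetes Secret as well
  rolloutRestartTargets:             # RolloutRestartTarget; field names assumed
    - kind: Deployment
      name: web
  destination:
    create: true
    name: web-tls
    # tls.key <- private_key; tls.crt <- certificate + ca_chain (issuing_ca if empty)
    type: kubernetes.io/tls
```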
VaultSecretLease
Appears in:
Field | Description | Default | Validation |
---|---|---|---|
id string | ID of the Vault secret. | ||
duration integer | LeaseDuration of the Vault secret. | ||
renewable boolean | Renewable Vault secret lease | ||
requestID string | RequestID of the Vault secret request. |
VaultStaticCredsMetaData
Appears in:
Field | Description | Default | Validation |
---|---|---|---|
lastVaultRotation integer | LastVaultRotation represents the last time Vault rotated the password | ||
rotationPeriod integer | RotationPeriod is the number of seconds between each rotation, effectively a "time to live". This value is compared to the LastVaultRotation to determine if a password needs to be rotated. | ||
rotationSchedule string | RotationSchedule is a "cron style" string representing the allowed schedule for each rotation. e.g. "1 0 * * *" would rotate at one minute past midnight (00:01) every day. | ||
ttl integer | TTL is the seconds remaining before the next rotation. |
VaultStaticSecret
VaultStaticSecret is the Schema for the vaultstaticsecrets API
Appears in:
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | VaultStaticSecret | ||
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata . | ||
spec VaultStaticSecretSpec |
VaultStaticSecretList
VaultStaticSecretList contains a list of VaultStaticSecret
Field | Description | Default | Validation |
---|---|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 | ||
kind string | VaultStaticSecretList | ||
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata . | ||
items VaultStaticSecret array |
VaultStaticSecretSpec
VaultStaticSecretSpec defines the desired state of VaultStaticSecret
Appears in:
Field | Description | Default | Validation |
---|---|---|---|
vaultAuthRef string | VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace, e.g. namespaceA/vaultAuthRefB . If no namespace prefix is provided it will default to the namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will default to the default VaultAuth, configured in the operator's namespace. | ||
namespace string | Namespace of the secrets engine mount in Vault. If not set, the namespace that's part of VaultAuth resource will be inferred. | ||
mount string | Mount for the secret in Vault | ||
path string | Path of the secret in Vault; corresponds to the path parameter for kv-v1 and kv-v2. | ||
version integer | Version of the secret to fetch. Only valid for type kv-v2. Corresponds to version query parameter: version | Minimum: 0 | |
type string | Type of the Vault static secret | Enum: [kv-v1 kv-v2] | |
refreshAfter string | RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h | Pattern: `^([0-9]+(.[0-9]+)?(s | |
hmacSecretData boolean | HMACSecretData determines whether the Operator computes the HMAC of the Secret's data. The MAC value will be stored in the resource's Status.SecretMac field, and will be used for drift detection and during incoming Vault secret comparison. Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault. | true | |
rolloutRestartTargets RolloutRestartTarget array | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do not support dynamically reloading a rotated secret. In that case, one or more RolloutRestartTarget(s) can be configured here. The Operator will trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. All configured targets will be ignored if HMACSecretData is set to false. See RolloutRestartTarget for more details. | ||
destination Destination | Destination provides configuration necessary for syncing the Vault secret to Kubernetes. | ||
syncConfig SyncConfig | SyncConfig configures sync behavior from Vault to VSO |
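A VaultStaticSecret syncing a kv-v2 secret from another namespace's VaultAuth, as an added example that is not part of the original reference. It shows the namespace-prefixed vaultAuthRef (which only works if that VaultAuth allow-lists this namespace), a pinned kv-v2 version, and hmacSecretData left at its default of true, without which drift detection and rolloutRestartTargets are both disabled. The kind and name keys of RolloutRestartTarget are assumed, since that type is not shown in this section; mount, path and all names are constructed.

```yaml
# Added example (not from the VSO reference). All names are constructed.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: payments-db
  namespace: payments-batch
spec:
  # Cross-namespace ref: the VaultAuth in "payments" must list "payments-batch"
  # in spec.allowedNamespaces, or the Operator refuses to use it.
  vaultAuthRef: payments/payments-auth
  mount: kvv2
  type: kv-v2
  path: payments/db            # kv-v2 path under the mount
  version: 3                   # pin a specific version; omit to fetch the latest
  refreshAfter: 1m             # duration notation, per the Pattern validation
  hmacSecretData: true         # default; required for drift detection and restarts
  rolloutRestartTargets:       # RolloutRestartTarget; field names assumed
    - kind: Deployment
      name: batch-worker
  destination:
    create: true
    overwrite: false           # refuse to clobber a pre-existing Secret of this name
    name: payments-db
    type: Opaque
    labels:                    # requires create: true
      app.kubernetes.io/part-of: payments
```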