CertAuthEngineRole

redhatcop.redhat.io / v1alpha1

apiVersion: redhatcop.redhat.io/v1alpha1 kind: CertAuthEngineRole metadata: name: example

apiVersion string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata object

spec object

CertAuthEngineRoleSpec defines the desired state of CertAuthEngineRole

allowedCommonNames []string

Constrain the Common Names in the client certificate with a globbed pattern. Value is a comma-separated list of patterns. Authentication requires at least one Name matching at least one pattern. If not set, defaults to allowing all names.

allowedDNSSANs []string

Constrain the Alternative Names in the client certificate with a globbed pattern. Value is a comma-separated list of patterns. Authentication requires at least one DNS matching at least one pattern. If not set, defaults to allowing all dns.

allowedEmailSANs []string

Constrain the Alternative Names in the client certificate with a globbed pattern. Value is a comma-separated list of patterns. Authentication requires at least one Email matching at least one pattern. If not set, defaults to allowing all emails.

allowedMetadataExtensions []string

A comma separated string or array of oid extensions. Upon successful authentication, these extensions will be added as metadata if they are present in the certificate. The metadata key will be the string consisting of the oid numbers separated by a dash (-) instead of a dot (.) to allow usage in ACL templates.

allowedOrganizationalUnits []string

Constrain the Organizational Units (OU) in the client certificate with a globbed pattern. Value is a comma-separated list of OU patterns. Authentication requires at least one OU matching at least one pattern. If not set, defaults to allowing all OUs.

allowedURISANs []string

Constrain the Alternative Names in the client certificate with a globbed pattern. Value is a comma-separated list of URI patterns. Authentication requires at least one URI matching at least one pattern. If not set, defaults to allowing all URIs.

authentication object

Authentication is the kube auth configuration to be used to execute this request

namespace string

Namespace is the Vault namespace to be used in all the operations withing this connection/authentication. Only available in Vault Enterprise.

path string

Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}

pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

role string

Role the role to be used during authentication

serviceAccount object

ServiceAccount is the service account used for the kube auth authentication

name string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

certificate string

The PEM-format CA certificate.

connection object

Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR.

address string

Address Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/

maxRetries integer

MaxRetries Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).

tLSConfig object

cacert string

Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.

skipVerify boolean

SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.

tlsSecret object

TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", key -> "tls.key"

name string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

tlsServerName string

TLSServerName Name to use as the SNI host when connecting via TLS.

timeOut string

Timeout Timeout variable. The default value is 60s.

displayName string

The display_name to set on tokens issued when authenticating against this CA certificate. If not set, defaults to the name of the role.

name string

The name of the object created in Vault. If this is specified it takes precedence over {metatada.name}

pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?

ocspCACertificates string

Any additional OCSP responder certificates needed to verify OCSP responses. Provided as base64 encoded PEM data.

ocspEnabled boolean

If enabled, validate certificates' revocation status using OCSP.

ocspFailOpen boolean

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked.

ocspMaxRetries integer

The number of retries attempted before giving up on an OCSP request. 0 will disable retries.

format: int64

ocspQueryAllServers boolean

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree.

ocspServersOverride []string

A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected.

ocspThisUpdateMaxAge string

If greater than 0, specifies the maximum age of an OCSP thisUpdate field. This avoids accepting old responses without a nextUpdate field.

path string

Path at which to make the configuration. The final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/certs/{metadata.name}. The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.

pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

requiredExtensions []string

Require specific Custom Extension OIDs to exist and match the pattern. Value is a comma separated string or array of oid:value. Expects the extension value to be some type of ASN1 encoded string. All conditions must be met. To match on the hex-encoded value of the extension, including non-string extensions, use the format hex:<oid>:<value>. Supports globbing on value.

tokenBoundCIDRs []string

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

tokenExplicitMaxTTL string

If set, will encode an explicit max TTL onto the token. This is a hard cap even if tokenTTL and tokenMaxTTL would otherwise allow a renewal.

tokenMaxTTL string

The maximum lifetime for generated tokens. This current value of this will be referenced at renewal time.

tokenNoDefaultPolicy boolean

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in tokenPolicies.

tokenNumUses integer

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. If you require the token to have the ability to create child tokens, you will need to set this value to 0.

format: int64

tokenPeriod string

The maximum allowed period value when a periodic token is requested from this role.

tokenPolicies []string

List of token policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

tokenTTL string

The incremental lifetime for generated tokens. This current value of this will be referenced at renewal time.

tokenType string

The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. For machine based authentication cases, you should use batch type tokens.

status object

CertAuthEngineRoleStatus defines the observed state of CertAuthEngineRole

conditions []object

lastTransitionTime string required

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

format: date-time

message string required

message is a human readable message indicating details about the transition. This may be an empty string.

maxLength: 32768

observedGeneration integer

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

format: int64

minimum: 0

reason string required

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$

minLength: 1

maxLength: 1024

status string required

status of the condition, one of True, False, Unknown.

enum: True, False, Unknown

type string required

type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)

pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

maxLength: 316

No matches. Try .spec.allowedCommonNames for an exact path