{ "description": "CertAuthEngineRole is the Schema for the certauthengineroles API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": [ "string", "null" ] }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": [ "string", "null" ] }, "metadata": { "type": [ "object", "null" ] }, "spec": { "additionalProperties": false, "description": "CertAuthEngineRoleSpec defines the desired state of CertAuthEngineRole", "properties": { "allowedCommonNames": { "description": "Constrain the Common Names in the client certificate with a globbed pattern.\nValue is a comma-separated list of patterns.\nAuthentication requires at least one Name matching at least one pattern. If not set, defaults to allowing all names.", "items": { "type": "string" }, "type": [ "array", "null" ] }, "allowedDNSSANs": { "description": "Constrain the Alternative Names in the client certificate with a globbed pattern.\nValue is a comma-separated list of patterns.\nAuthentication requires at least one DNS matching at least one pattern. If not set, defaults to allowing all dns.", "items": { "type": "string" }, "type": [ "array", "null" ] }, "allowedEmailSANs": { "description": "Constrain the Alternative Names in the client certificate with a globbed pattern.\nValue is a comma-separated list of patterns.\nAuthentication requires at least one Email matching at least one pattern. If not set, defaults to allowing all emails.", "items": { "type": "string" }, "type": [ "array", "null" ] }, "allowedMetadataExtensions": { "description": "A comma separated string or array of oid extensions.\nUpon successful authentication, these extensions will be added as metadata if they are present in the certificate.\nThe metadata key will be the string consisting of the oid numbers separated by a dash (-) instead of a dot (.) to allow usage in ACL templates.", "items": { "type": "string" }, "type": [ "array", "null" ] }, "allowedOrganizationalUnits": { "description": "Constrain the Organizational Units (OU) in the client certificate with a globbed pattern.\nValue is a comma-separated list of OU patterns.\nAuthentication requires at least one OU matching at least one pattern. If not set, defaults to allowing all OUs.", "items": { "type": "string" }, "type": [ "array", "null" ] }, "allowedURISANs": { "description": "Constrain the Alternative Names in the client certificate with a globbed pattern.\nValue is a comma-separated list of URI patterns.\nAuthentication requires at least one URI matching at least one pattern. If not set, defaults to allowing all URIs.", "items": { "type": "string" }, "type": [ "array", "null" ] }, "authentication": { "additionalProperties": false, "description": "Authentication is the kube auth configuration to be used to execute this request", "properties": { "namespace": { "description": "Namespace is the Vault namespace to be used in all the operations withing this connection/authentication. Only available in Vault Enterprise.", "type": [ "string", "null" ] }, "path": { "default": "kubernetes", "description": "Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}", "pattern": "^(?:/?[\\w;:@\u0026=\\$-\\.\\+]*)+/?", "type": [ "string", "null" ] }, "role": { "description": "Role the role to be used during authentication", "type": [ "string", "null" ] }, "serviceAccount": { "additionalProperties": false, "default": { "name": "default" }, "description": "ServiceAccount is the service account used for the kube auth authentication", "properties": { "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" } }, "type": [ "object", "null" ] }, "certificate": { "description": "The PEM-format CA certificate.", "type": [ "string", "null" ] }, "connection": { "additionalProperties": false, "description": "Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR.", "properties": { "address": { "description": "Address Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/", "type": [ "string", "null" ] }, "maxRetries": { "description": "MaxRetries Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).", "type": [ "integer", "null" ] }, "tLSConfig": { "additionalProperties": false, "properties": { "cacert": { "description": "Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.", "type": [ "string", "null" ] }, "skipVerify": { "description": "SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.", "type": [ "boolean", "null" ] }, "tlsSecret": { "additionalProperties": false, "description": "TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -\u003e \"ca.crt\", certificate -\u003e \"tls.crt\", key -\u003e \"tls.key\"", "properties": { "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" }, "tlsServerName": { "description": "TLSServerName Name to use as the SNI host when connecting via TLS.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ] }, "timeOut": { "description": "Timeout Timeout variable. The default value is 60s.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ] }, "displayName": { "description": "The display_name to set on tokens issued when authenticating against this CA certificate.\nIf not set, defaults to the name of the role.", "type": [ "string", "null" ] }, "name": { "description": "The name of the object created in Vault. If this is specified it takes precedence over {metatada.name}", "pattern": "[a-z0-9]([-a-z0-9]*[a-z0-9])?", "type": [ "string", "null" ] }, "ocspCACertificates": { "description": "Any additional OCSP responder certificates needed to verify OCSP responses.\nProvided as base64 encoded PEM data.", "type": [ "string", "null" ] }, "ocspEnabled": { "default": false, "description": "If enabled, validate certificates' revocation status using OCSP.", "type": [ "boolean", "null" ] }, "ocspFailOpen": { "default": false, "description": "If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked.", "type": [ "boolean", "null" ] }, "ocspMaxRetries": { "default": 4, "description": "The number of retries attempted before giving up on an OCSP request. 0 will disable retries.", "format": "int64", "type": [ "integer", "null" ] }, "ocspQueryAllServers": { "default": false, "description": "If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree.", "type": [ "boolean", "null" ] }, "ocspServersOverride": { "description": "A comma-separated list of OCSP server addresses.\nIf unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected.", "items": { "type": "string" }, "type": [ "array", "null" ] }, "ocspThisUpdateMaxAge": { "description": "If greater than 0, specifies the maximum age of an OCSP thisUpdate field.\nThis avoids accepting old responses without a nextUpdate field.", "type": [ "string", "null" ] }, "path": { "description": "Path at which to make the configuration.\nThe final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/certs/{metadata.name}.\nThe authentication role must have the following capabilities = [ \"create\", \"read\", \"update\", \"delete\"] on that path.", "pattern": "^(?:/?[\\w;:@\u0026=\\$-\\.\\+]*)+/?", "type": [ "string", "null" ] }, "requiredExtensions": { "description": "Require specific Custom Extension OIDs to exist and match the pattern.\nValue is a comma separated string or array of oid:value.\nExpects the extension value to be some type of ASN1 encoded string. All conditions must be met.\nTo match on the hex-encoded value of the extension, including non-string extensions, use the format hex:\u003coid\u003e:\u003cvalue\u003e.\nSupports globbing on value.", "items": { "type": "string" }, "type": [ "array", "null" ] }, "tokenBoundCIDRs": { "description": "List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.", "items": { "type": "string" }, "type": [ "array", "null" ] }, "tokenExplicitMaxTTL": { "description": "If set, will encode an explicit max TTL onto the token.\nThis is a hard cap even if tokenTTL and tokenMaxTTL would otherwise allow a renewal.", "type": [ "string", "null" ] }, "tokenMaxTTL": { "description": "The maximum lifetime for generated tokens. This current value of this will be referenced at renewal time.", "type": [ "string", "null" ] }, "tokenNoDefaultPolicy": { "default": false, "description": "If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in tokenPolicies.", "type": [ "boolean", "null" ] }, "tokenNumUses": { "default": 0, "description": "The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.\nIf you require the token to have the ability to create child tokens, you will need to set this value to 0.", "format": "int64", "type": [ "integer", "null" ] }, "tokenPeriod": { "description": "The maximum allowed period value when a periodic token is requested from this role.", "type": [ "string", "null" ] }, "tokenPolicies": { "description": "List of token policies to encode onto generated tokens.\nDepending on the auth method, this list may be supplemented by user/group/other values.", "items": { "type": "string" }, "type": [ "array", "null" ] }, "tokenTTL": { "description": "The incremental lifetime for generated tokens. This current value of this will be referenced at renewal time.", "type": [ "string", "null" ] }, "tokenType": { "description": "The type of token that should be generated.\nCan be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens).\nFor token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.\nFor machine based authentication cases, you should use batch type tokens.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ] }, "status": { "additionalProperties": false, "description": "CertAuthEngineRoleStatus defines the observed state of CertAuthEngineRole", "properties": { "conditions": { "items": { "additionalProperties": false, "description": "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": [ "integer", "null" ] }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object" }, "type": [ "array", "null" ], "x-kubernetes-list-map-keys": [ "type" ], "x-kubernetes-list-type": "map" } }, "type": [ "object", "null" ] } }, "type": "object" }