DatabaseSecretEngineStaticRole

redhatcop.redhat.io / v1alpha1

apiVersion: redhatcop.redhat.io/v1alpha1 kind: DatabaseSecretEngineStaticRole metadata: name: example

apiVersion string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata object

spec object

DatabaseSecretEngineStaticRoleSpec defines the desired state of DatabaseSecretEngineStaticRole

authentication object

Authentication is the kube auth configuration to be used to execute this request

namespace string

Namespace is the Vault namespace to be used in all the operations withing this connection/authentication. Only available in Vault Enterprise.

path string

Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}

pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

role string

Role the role to be used during authentication

serviceAccount object

ServiceAccount is the service account used for the kube auth authentication

name string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

connection object

Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR.

address string

Address Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/

maxRetries integer

MaxRetries Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).

tLSConfig object

cacert string

Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.

skipVerify boolean

SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.

tlsSecret object

TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", key -> "tls.key"

name string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

tlsServerName string

TLSServerName Name to use as the SNI host when connecting via TLS.

timeOut string

Timeout Timeout variable. The default value is 60s.

credentialType string

CredentialType Specifies the type of credential that will be generated for the role. Options include: password, rsa_private_key. See the plugin's API page for credential types supported by individual databases.

enum: password, rsa_private_key

dBName string

DBName The name of the database connection to use for this role.

name string

The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}

pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?

passwordCredentialConfig object

PasswordCredentialConfig specifies the configuraiton when the password credential type is chosen.

passwordPolicy string

PasswordPolicy The policy used for password generation. If not provided, defaults to the password policy of the database configuration

path string

Path at which to create the role. The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}. The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.

pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

rotationPeriod integer

RotationPeriod Specifies the amount of time Vault should wait before rotating the password. The minimum is 5 seconds.

minimum: 5

rotationStatements []string

RotationStatements Specifies the database statements to be executed to rotate the password for the configured database user. Not every plugin type will support this functionality. See the plugin's API page for more information on support and formatting for this parameter. kubebuilder:validation:UniqueItems=true

rsaPrivateKeyCredentialConfig object

format string

Format The output format of the generated private key credential. The private key will be returned from the API in PEM encoding. Options include: pkcs8

enum: pkcs8

keyBits integer

KeyBits The bit size of the RSA key to generate. Options include: 2048, 3072, 4096.

enum: 2048, 3072, 4096

username string

Username Specifies the database username that this Vault role corresponds to.

status object

DatabaseSecretEngineStaticRoleStatus defines the observed state of DatabaseSecretEngineStaticRole

conditions []object

lastTransitionTime string required

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

format: date-time

message string required

message is a human readable message indicating details about the transition. This may be an empty string.

maxLength: 32768

observedGeneration integer

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

format: int64

minimum: 0

reason string required

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$

minLength: 1

maxLength: 1024

status string required

status of the condition, one of True, False, Unknown.

enum: True, False, Unknown

type string required

type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)

pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

maxLength: 316

No matches. Try .spec.authentication for an exact path