GCPAuthEngineRole
redhatcop.redhat.io / v1alpha1
apiVersion: redhatcop.redhat.io/v1alpha1
kind: GCPAuthEngineRole
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
GCPAuthEngineRoleSpec defines the desired state of GCPAuthEngineRole
addGroupAliases
boolean
If true, any auth token generated under this token will have associated group aliases, namely project-$PROJECT_ID, folder-$PROJECT_ID, and organization-$ORG_ID for the entities project and all its folder or organization ancestors.
This requires Vault to have IAM permission resourcemanager.projects.get.
allowGCEInference
boolean
A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
authentication object
Authentication is the kube auth configuraiton to be used to execute this request
namespace
string
Namespace is the Vault namespace to be used in all the operations withing this connection/authentication. Only available in Vault Enterprise.
path
string
Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}
pattern:
^(?:/?[\w;:@&=\$-\.\+]*)+/?
role
string
Role the role to be used during authentication
serviceAccount object
ServiceAccount is the service account used for the kube auth authentication
name
string
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
boundInstanceGroups
[]string
The instance groups that an authorized instance must belong to in order to be authenticated.
If specified, either bound_zones or bound_regions must be set too.
kubebuilder:validation:UniqueItems=true
boundLabels
[]string
A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances.
Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
kubebuilder:validation:UniqueItems=true
boundProjects
[]string
An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
boundRegions
[]string
The list of regions that a GCE instance must belong to in order to be authenticated.
If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region.
If bound_zones are provided, this attribute is ignored.
kubebuilder:validation:UniqueItems=true
boundServiceAccounts
[]string
An array of service account emails or IDs that login is restricted to, either directly or through an associated instance.
If set to *, all service accounts are allowed (you can bind this further using bound_projects.)
boundZones
[]string
The list of zones that a GCE instance must belong to in order to be authenticated.
If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
kubebuilder:validation:UniqueItems=true
connection object
Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR.
address
string
Address Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/
maxRetries
integer
MaxRetries Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).
tLSConfig object
cacert
string
Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.
skipVerify
boolean
SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.
tlsSecret object
TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", key -> "tls.key"
name
string
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
tlsServerName
string
TLSServerName Name to use as the SNI host when connecting via TLS.
timeOut
string
Timeout Timeout variable. The default value is 60s.
maxJWTExp
string
The number of seconds past the time of authentication that the login param JWT must expire within.
For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp.
The GCE metadata tokens currently do not allow the exp claim to be customized.
The following parameter is only valid when the role is of type "iam".
name
string required
Name of the role.
path
string
Path at which to make the configuration.
The final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/groups/{metadata.name}.
The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
pattern:
^(?:/?[\w;:@&=\$-\.\+]*)+/?
policies
[]string
DEPRECATED: Please use the token_policies parameter instead. List of token policies to encode onto generated tokens.
Depending on the auth method, this list may be supplemented by user/group/other values.
kubebuilder:validation:UniqueItems=true
tokenBoundCIDRs
[]string
List of CIDR blocks.
If set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
kubebuilder:validation:UniqueItems=true
tokenExplicitMaxTTL
string
If set, will encode an explicit max TTL onto the token.
This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
tokenMaxTTL
string
The maximum lifetime for generated tokens. This current value of this will be referenced at renewal time.
tokenNoDefaultPolicy
boolean
If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
tokenNumUses
integer
The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
If you require the token to have the ability to create child tokens, you will need to set this value to 0.
format:
int64
tokenPeriod
integer
The maximum allowed period value when a periodic token is requested from this role.
format:
int64
tokenPolicies
[]string
List of token policies to encode onto generated tokens.
Depending on the auth method, this list may be supplemented by user/group/other values.
kubebuilder:validation:UniqueItems=true
tokenTTL
string
The incremental lifetime for generated tokens. This current value of this will be referenced at renewal time.
tokenType
string
The type of token that should be generated.
Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens).
For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.
For machine based authentication cases, you should use batch type tokens.
type
string required
The type of this role. Certain fields correspond to specific roles and will be rejected otherwise. Please see below for more information.
status object
GCPAuthEngineRoleStatus defines the observed state of GCPAuthEngineRole
conditions []object
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format:
int64minimum:
0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern:
^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$minLength:
1maxLength:
1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
pattern:
^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$maxLength:
316No matches. Try .spec.addGroupAliases for an exact path