{ "description": "KubernetesAuthEngineConfig is the Schema for the kubernetesauthengineconfigs API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": [ "string", "null" ] }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": [ "string", "null" ] }, "metadata": { "type": [ "object", "null" ] }, "spec": { "additionalProperties": false, "description": "KubernetesAuthEngineConfigSpec defines the desired state of KubernetesAuthEngineConfig", "properties": { "PEMKeys": { "description": "PEMKeys Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.", "items": { "type": "string" }, "type": [ "array", "null" ] }, "authentication": { "additionalProperties": false, "description": "Authentication is the kube auth configuration to be used to execute this request", "properties": { "namespace": { "description": "Namespace is the Vault namespace to be used in all the operations withing this connection/authentication. Only available in Vault Enterprise.", "type": [ "string", "null" ] }, "path": { "default": "kubernetes", "description": "Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}", "pattern": "^(?:/?[\\w;:@\u0026=\\$-\\.\\+]*)+/?", "type": [ "string", "null" ] }, "role": { "description": "Role the role to be used during authentication", "type": [ "string", "null" ] }, "serviceAccount": { "additionalProperties": false, "default": { "name": "default" }, "description": "ServiceAccount is the service account used for the kube auth authentication", "properties": { "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" } }, "type": [ "object", "null" ] }, "connection": { "additionalProperties": false, "description": "Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR.", "properties": { "address": { "description": "Address Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/", "type": [ "string", "null" ] }, "maxRetries": { "description": "MaxRetries Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).", "type": [ "integer", "null" ] }, "tLSConfig": { "additionalProperties": false, "properties": { "cacert": { "description": "Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.", "type": [ "string", "null" ] }, "skipVerify": { "description": "SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.", "type": [ "boolean", "null" ] }, "tlsSecret": { "additionalProperties": false, "description": "TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -\u003e \"ca.crt\", certificate -\u003e \"tls.crt\", key -\u003e \"tls.key\"", "properties": { "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" }, "tlsServerName": { "description": "TLSServerName Name to use as the SNI host when connecting via TLS.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ] }, "timeOut": { "description": "Timeout Timeout variable. The default value is 60s.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ] }, "disableISSValidation": { "default": false, "description": "DisableISSValidation Disable JWT issuer validation. Allows to skip ISS validation.", "type": [ "boolean", "null" ] }, "disableLocalCAJWT": { "default": false, "description": "DisableLocalCAJWT Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.", "type": [ "boolean", "null" ] }, "issuer": { "description": "Issuer Optional JWT issuer. If no issuer is specified, then this plugin will use kubernetes/serviceaccount as the default issuer. See these instructions for looking up the issuer for a given Kubernetes cluster.", "type": [ "string", "null" ] }, "kubernetesCACert": { "description": "kubernetesCACert PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. NOTE: Every line must end with a newline: \\n\nif omitted will default to the content of the file \"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt\" in the operator pod", "type": [ "string", "null" ] }, "kubernetesHost": { "default": "https://kubernetes.default.svc:443", "description": "KubernetesHost Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.", "type": [ "string", "null" ] }, "name": { "description": "The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}", "pattern": "[a-z0-9]([-a-z0-9]*[a-z0-9])?", "type": [ "string", "null" ] }, "path": { "description": "Path at which to make the configuration.\nThe final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}.\nThe authentication role must have the following capabilities = [ \"create\", \"read\", \"update\", \"delete\"] on that path.", "pattern": "^(?:/?[\\w;:@\u0026=\\$-\\.\\+]*)+/?", "type": [ "string", "null" ] }, "tokenReviewerServiceAccount": { "additionalProperties": false, "description": "TokenReviewerServiceAccount A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set, the JWT submitted in the login payload will be used to access the Kubernetes TokenReview API.", "properties": { "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" }, "useAnnotationsAsAliasMetadata": { "description": "UseAnnotationsAsAliasMetadata Use annotations from the client token's associated service account as alias metadata for the Vault entity. Only annotations with the vault.hashicorp.com/alias-metadata- key prefix are targeted as alias metadata and your annotations must be 512 characters or less due to the Vault alias metadata value limit. For example, if you configure the annotation vault.hashicorp.com/alias-metadata-foo, Vault saves the string \"foo\" along with the annotation value to the alias metadata. To save alias metadata, Vault must have permission to read service accounts from the Kubernetes API.", "type": [ "boolean", "null" ] }, "useOperatorPodCA": { "default": true, "description": "UseOperatorPodCA . This field is considered only if `kubernetesCACert` is not set and `disableLocalCAJWT` is set to true.\nIn this case if this field is set to true the operator pod's CA is injected. This is the original behavior before the introduction of this field\nIf tis field is set to false, the os ca bundle of where vault is running will be used.", "type": [ "boolean", "null" ] } }, "type": [ "object", "null" ] }, "status": { "additionalProperties": false, "description": "KubernetesAuthEngineConfigStatus defines the observed state of KubernetesAuthEngineConfig", "properties": { "conditions": { "items": { "additionalProperties": false, "description": "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": [ "integer", "null" ] }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object" }, "type": [ "array", "null" ], "x-kubernetes-list-map-keys": [ "type" ], "x-kubernetes-list-type": "map" } }, "type": [ "object", "null" ] } }, "type": "object" }