
PKISecretEngineConfig

redhatcop.redhat.io / v1alpha1

apiVersion: redhatcop.redhat.io/v1alpha1
kind: PKISecretEngineConfig
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
PKISecretEngineConfigSpec defines the desired state of PKISecretEngineConfig
CRLDisable boolean
Disables or enables CRL building.
CRLDistributionPoints []string
Specifies the URL values for the CRL Distribution Points field. This can be an array or a comma-separated string list.
uniqueItems: true
CRLExpiry string
Specifies the time until expiration.
IPSans string
Specifies the requested IP Subject Alternative Names, in a comma-delimited list.
TTL string
Specifies the requested Time To Live (after which the certificate will be expired). This cannot be larger than the engine's max (or, if not set, the system max).
URISans string
Specifies the requested URI Subject Alternative Names, in a comma-delimited list.
altNames string
Specifies the requested Subject Alternative Names, in a comma-delimited list. These can be host names or email addresses; they will be parsed into their respective fields.
authentication object
Authentication is the kube auth configuration to be used to execute this request
namespace string
Namespace is the Vault namespace to be used in all the operations within this connection/authentication. Only available in Vault Enterprise.
path string
Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}
pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?
role string
Role to be used during authentication.
serviceAccount object
ServiceAccount is the service account used for the kube auth authentication
name string
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
certificateKey string
CertificateKey key to be used when retrieving the signed certificate
commonName string
Specifies the requested CN for the certificate.
connection object
Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings, for example to connect to a different Vault instance, you can do so with this section of the CR.
address string
Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/
maxRetries integer
Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).
tLSConfig object
cacert string
Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's TLS certificate. This setting takes precedence over a CA certificate passed via the secret.
skipVerify boolean
Do not verify Vault's presented certificate before communicating with it. Setting this is not recommended and voids Vault's security model.
tlsSecret object
Namespace-local secret containing the TLS material for the connection. The expected keys for the secret are: CA bundle -> "ca.crt", certificate -> "tls.crt", key -> "tls.key".
name string
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
tlsServerName string
Name to use as the SNI host when connecting via TLS.
timeOut string
Timeout for requests to Vault. The default value is 60s.
country string
Specifies the C (Country) values in the subject field of issued certificates. This is a comma-separated string or JSON array.
excludeCnFromSans boolean
If set, the given common_name will not be included in DNS or Email Subject Alternate Names (as appropriate). Useful if the CN is not a hostname or email address, but is instead some human-readable identifier.
externalSignSecret object
ExternalSignSecret retrieves the signed intermediate certificate from a Kubernetes secret. Allows submitting the signed CA certificate corresponding to a private key generated.
name string
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
format string
Specifies the format for returned data. Can be pem, der, or pem_bundle. If der, the output is base64 encoded. If pem_bundle, the certificate field will contain the private key (if exported) and certificate, concatenated; if the issuing CA is not a Vault-derived self-signed root, this will be included as well.
enum: pem, pem_bundle, der
internalSign object
Use the referenced Vault PKISecretEngineConfig to issue a certificate with appropriate values for acting as an intermediate CA.
name string
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
issuingCertificates []string
Specifies the URL values for the Issuing Certificate field. This can be an array or a comma-separated string list.
uniqueItems: true
keyBits integer
Specifies the number of bits to use. This must be changed to a valid value if the key_type is ec, e.g., 224, 256, 384 or 521.
keyType string
Specifies the desired key type; must be rsa or ec.
enum: rsa, ec
locality string
Specifies the L (Locality) values in the subject field of issued certificates. This is a comma-separated string or JSON array.
maxPathLength integer
Specifies the maximum path length to encode in the generated certificate. -1 means no limit. Unless the signing certificate has a maximum path length set, in which case the path length is set to one less than that of the signing certificate. A limit of 0 means a literal path length of zero.
ocspServers []string
Specifies the URL values for the OCSP Servers field. This can be an array or a comma-separated string list.
uniqueItems: true
organization string
Specifies the O (Organization) values in the subject field of issued certificates. This is a comma-separated string or JSON array.
otherSans string
Specifies custom OID/UTF8-string SANs. These must match values specified on the role in allowed_other_sans (see role creation for allowed_other_sans globbing rules). The format is the same as OpenSSL: <oid>;<type>:<value> where the only current valid type is UTF8. This can be a comma-delimited list or a JSON string slice.
ou string
Specifies the OU (OrganizationalUnit) values in the subject field of issued certificates. This is a comma-separated string or JSON array.
path string
Path at which to create the role. The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}. The authentication role must have the following capabilities on that path: ["create", "read", "update", "delete"].
pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?
permittedDnsDomains []string
A comma-separated string (or string array) containing DNS domains for which certificates are allowed to be issued or signed by this CA certificate. Note that subdomains are allowed, as per the RFC.
uniqueItems: true
postalCode string
Specifies the Postal Code values in the subject field of issued certificates. This is a comma-separated string or JSON array.
privateKeyFormat string
Specifies the format for marshaling the private key. Defaults to der which will return either base64-encoded DER or PEM-encoded DER, depending on the value of format. The other option is pkcs8 which will return the key marshalled as PEM-encoded PKCS8.
privateKeyType string
Specifies the type of the root to create. If exported, the private key will be returned in the response; if internal the private key will not be returned and cannot be retrieved later. This is part of the request URL.
enum: internal, exported
province string
Specifies the ST (Province) values in the subject field of issued certificates. This is a comma-separated string or JSON array.
serialNumber string
Specifies the Serial Number, if any. Otherwise Vault will generate a random serial for you. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.
streetAddress string
Specifies the Street Address values in the subject field of issued certificates. This is a comma-separated string or JSON array.
type string
Specifies the type of certificate authority. Root CA or Intermediate CA. This is part of the request URL.
enum: root, intermediate
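A complete root CA manifest built from the fields above, added here as an illustration and not taken from the operator's own documentation; the namespace, Vault role, service account, secret name, hostnames and URLs are placeholders, and the comments point out the settings that matter for the CA's security posture.

```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: PKISecretEngineConfig
metadata:
  name: example
  namespace: vault-admin            # placeholder namespace
spec:
  authentication:
    path: kubernetes                # operator logs in at auth/kubernetes
    role: pki-admin                 # placeholder Vault role bound to the SA below
    serviceAccount:
      name: vault-config-operator   # placeholder service account
  # Final Vault path is pki/config/example; the role above needs
  # create/read/update/delete there and nowhere broader.
  path: pki
  type: root
  privateKeyType: internal          # key stays in Vault; 'exported' would return it
  commonName: Example Root CA
  organization: Example Org
  country: US
  keyType: ec
  keyBits: 384
  TTL: 87600h                       # capped by the engine's (or system) max TTL
  maxPathLength: 1                  # at most one tier of intermediates below this root
  permittedDnsDomains:              # name constraint; subdomains are included
    - example.com
  CRLDisable: false                 # keep CRL building on so revocations are published
  CRLExpiry: 72h
  CRLDistributionPoints:            # placeholder URLs embedded in issued certificates
    - https://vault.example.com/v1/pki/crl
  issuingCertificates:
    - https://vault.example.com/v1/pki/ca
  connection:
    address: https://vault.vault.svc:8200   # placeholder in-cluster address
    maxRetries: 2
    timeOut: 60s
    tLSConfig:
      skipVerify: false             # never disable verification of Vault's certificate
      tlsSecret:
        name: vault-tls             # placeholder secret holding ca.crt
      tlsServerName: vault.vault.svc
```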
status object
PKISecretEngineConfigStatus defines the observed state of PKISecretEngineConfig
conditions []object
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
exported boolean
generated boolean
signed boolean
