{ "description": "PKISecretEngineRole is the Schema for the pkisecretengineroles API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": [ "string", "null" ] }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": [ "string", "null" ] }, "metadata": { "type": [ "object", "null" ] }, "spec": { "additionalProperties": false, "description": "PKISecretEngineRoleSpec defines the desired state of PKISecretEngineRole", "properties": { "TTL": { "default": "0s", "description": "Specifies the Time To Live value provided as a string duration with time suffix. Hour is the largest suffix. If not set, uses the system default value or the value of max_ttl, whichever is shorter.", "type": [ "string", "null" ] }, "allowAnyName": { "description": "Specifies if clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it.", "type": [ "boolean", "null" ] }, "allowBareDomains": { "description": "Specifies if clients can request certificates matching the value of the actual domains themselves; e.g. if a configured domain set with allowed_domains is example.com, this allows clients to actually request a certificate containing the name example.com as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk.", "type": [ "boolean", "null" ] }, "allowGlobDomains": { "description": "Allows names specified in allowed_domains to contain glob patterns (e.g. ftp*.example.com). Clients will be allowed to request certificates with names matching the glob patterns.", "type": [ "boolean", "null" ] }, "allowIPSans": { "description": "Specifies if clients can request IP Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid IP addresses.", "type": [ "boolean", "null" ] }, "allowLocalhost": { "type": [ "boolean", "null" ] }, "allowSubdomains": { "description": "Specifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and bar.example.com as well as *.example.com. This is redundant when using the allow_any_name option.", "type": [ "boolean", "null" ] }, "allowedDomains": { "description": "Specifies the domains of the role. This is used with the allow_bare_domains and allow_subdomains options.\nkubebuilder:validation:UniqueItems=true", "items": { "type": "string" }, "type": [ "array", "null" ], "x-kubernetes-list-type": "set" }, "allowedDomainsTemplate": { "description": "When set, allowed_domains may contain templates, as with ACL Path Templating.", "type": [ "boolean", "null" ] }, "allowedOtherSans": { "description": "Defines allowed custom OID/UTF8-string SANs. This can be a comma-delimited list or a JSON string slice, where each element has the same format as OpenSSL: \u003coid\u003e;\u003ctype\u003e:\u003cvalue\u003e, but the only valid type is UTF8 or UTF-8. The value part of an element may be a * to allow any value with that OID. Alternatively, specifying a single * will allow any other_sans input.", "type": [ "string", "null" ] }, "allowedURISans": { "description": "Defines allowed URI Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid URIs. This can be a comma-delimited list or a JSON string slice. Values can contain glob patterns (e.g. spiffe://hostname/*).\nkubebuilder:validation:UniqueItems=true", "items": { "type": "string" }, "type": [ "array", "null" ], "x-kubernetes-list-type": "set" }, "authentication": { "additionalProperties": false, "description": "Authentication is the kube auth configuration to be used to execute this request", "properties": { "namespace": { "description": "Namespace is the Vault namespace to be used in all the operations withing this connection/authentication. Only available in Vault Enterprise.", "type": [ "string", "null" ] }, "path": { "default": "kubernetes", "description": "Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}", "pattern": "^(?:/?[\\w;:@\u0026=\\$-\\.\\+]*)+/?", "type": [ "string", "null" ] }, "role": { "description": "Role the role to be used during authentication", "type": [ "string", "null" ] }, "serviceAccount": { "additionalProperties": false, "default": { "name": "default" }, "description": "ServiceAccount is the service account used for the kube auth authentication", "properties": { "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" } }, "type": [ "object", "null" ] }, "basicConstraintsValidForNonCa": { "description": "Mark Basic Constraints valid when issuing non-CA certificates.", "type": [ "boolean", "null" ] }, "clientFlag": { "description": "Specifies if certificates are flagged for client use.", "type": [ "boolean", "null" ] }, "codeSigningFlag": { "description": "Specifies if certificates are flagged for code signing use.", "type": [ "boolean", "null" ] }, "connection": { "additionalProperties": false, "description": "Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR.", "properties": { "address": { "description": "Address Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/", "type": [ "string", "null" ] }, "maxRetries": { "description": "MaxRetries Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).", "type": [ "integer", "null" ] }, "tLSConfig": { "additionalProperties": false, "properties": { "cacert": { "description": "Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.", "type": [ "string", "null" ] }, "skipVerify": { "description": "SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.", "type": [ "boolean", "null" ] }, "tlsSecret": { "additionalProperties": false, "description": "TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -\u003e \"ca.crt\", certificate -\u003e \"tls.crt\", key -\u003e \"tls.key\"", "properties": { "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" }, "tlsServerName": { "description": "TLSServerName Name to use as the SNI host when connecting via TLS.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ] }, "timeOut": { "description": "Timeout Timeout variable. The default value is 60s.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ] }, "country": { "description": "Specifies the C (Country) values in the subject field of issued certificates. This is a comma-separated string or JSON array.", "type": [ "string", "null" ] }, "emailProtectionFlag": { "description": "Specifies if certificates are flagged for email protection use.", "type": [ "boolean", "null" ] }, "enforceHostnames": { "description": "Specifies if only valid host names are allowed for CNs, DNS SANs, and the host part of email addresses.", "type": [ "boolean", "null" ] }, "extKeyUsage": { "description": "Specifies the allowed extended key usage constraint on issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply drop the ExtKeyUsage part of the value. Values are not case-sensitive. To specify no key usage constraints, set this to an empty list.\nkubebuilder:validation:UniqueItems=true", "items": { "description": "ExtKeyUsage specifies the allowed extended key usage constraint on issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply drop the ExtKeyUsage part of the value.", "enum": [ "ServerAuth", "ClientAuth", "CodeSigning", "EmailProtection", "IPSECEndSystem", "IPSECTunnel", "IPSECUser", "TimeStamping", "OCSPSigning", "MicrosoftServerGatedCrypto", "NetscapeServerGatedCrypto", "MicrosoftCommercialCodeSigning", "MicrosoftKernelCodeSigning" ], "type": "string" }, "type": [ "array", "null" ], "x-kubernetes-list-type": "set" }, "extKeyUsageOids": { "description": "A comma-separated string or list of extended key usage oids.\nkubebuilder:validation:UniqueItems=true", "items": { "type": "string" }, "type": [ "array", "null" ], "x-kubernetes-list-type": "set" }, "generateLease": { "description": "Specifies if certificates issued/signed against this role will have Vault leases attached to them. Certificates can be added to the CRL by vault revoke \u003clease_id\u003e when certificates are associated with leases. It can also be done using the pki/revoke endpoint. However, when lease generation is disabled, invoking pki/revoke would be the only way to add the certificates to the CRL.", "type": [ "boolean", "null" ] }, "keyBits": { "default": 2048, "description": "Specifies the number of bits to use for the generated keys. This will need to be changed for ec keys, e.g., 224, 256, 384 or 521.", "type": [ "integer", "null" ] }, "keyType": { "default": "rsa", "description": "Specifies the type of key to generate for generated private keys and the type of key expected for submitted CSRs. Currently, rsa and ec are supported, or when signing CSRs any can be specified to allow keys of either type and with any bit size (subject to \u003e 1024 bits for RSA keys).", "enum": [ "rsa", "ec" ], "type": [ "string", "null" ] }, "keyUsage": { "description": "Specifies the allowed key usage constraint on issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply drop the KeyUsage part of the value. Values are not case-sensitive. To specify no key usage constraints, set this to an empty list.\nkubebuilder:validation:UniqueItems=true", "items": { "description": "KeyUsage specifies the allowed key usage constraint on issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply drop the KeyUsage part of the value.", "enum": [ "DigitalSignature", "KeyAgreement", "KeyEncipherment", "ContentCommitment", "DataEncipherment", "CertSign", "CRLSign", "EncipherOnly", "DecipherOnly" ], "type": "string" }, "type": [ "array", "null" ], "x-kubernetes-list-type": "set" }, "locality": { "description": "Specifies the L (Locality) values in the subject field of issued certificates. This is a comma-separated string or JSON array.", "type": [ "string", "null" ] }, "maxTTL": { "default": "0s", "description": "Specifies the maximum Time To Live provided as a string duration with time suffix. Hour is the largest suffix. If not set, defaults to the system maximum lease TTL.", "type": [ "string", "null" ] }, "name": { "description": "The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}", "pattern": "[a-z0-9]([-a-z0-9]*[a-z0-9])?", "type": [ "string", "null" ] }, "noStore": { "description": "If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of false for generate_lease.", "type": [ "boolean", "null" ] }, "notBeforeDuration": { "default": "30s", "description": "Specifies the duration by which to backdate the NotBefore property.", "type": [ "string", "null" ] }, "organization": { "description": "Specifies the O (Organization) values in the subject field of issued certificates. This is a comma-separated string or JSON array.", "type": [ "string", "null" ] }, "ou": { "description": "Specifies the OU (OrganizationalUnit) values in the subject field of issued certificates. This is a comma-separated string or JSON array.", "type": [ "string", "null" ] }, "path": { "description": "Path at which to create the role.\nThe final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.\nThe authentication role must have the following capabilities = [ \"create\", \"read\", \"update\", \"delete\"] on that path.", "pattern": "^(?:/?[\\w;:@\u0026=\\$-\\.\\+]*)+/?", "type": [ "string", "null" ] }, "policyIdentifiers": { "description": "A comma-separated string or list of policy OIDs.\nkubebuilder:validation:UniqueItems=true", "items": { "type": "string" }, "type": [ "array", "null" ], "x-kubernetes-list-type": "set" }, "postalCode": { "description": "Specifies the Postal Code values in the subject field of issued certificates. This is a comma-separated string or JSON array.", "type": [ "string", "null" ] }, "province": { "description": "Specifies the ST (Province) values in the subject field of issued certificates. This is a comma-separated string or JSON array.", "type": [ "string", "null" ] }, "requireCn": { "description": "If set to false, makes the common_name field optional while generating a certificate.", "type": [ "boolean", "null" ] }, "serialNumber": { "description": "Specifies the Serial Number, if any. Otherwise Vault will generate a random serial for you. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.", "type": [ "string", "null" ] }, "serverFlag": { "description": "Specifies if certificates are flagged for server use.", "type": [ "boolean", "null" ] }, "streetAddress": { "description": "Specifies the Street Address values in the subject field of issued certificates. This is a comma-separated string or JSON array.", "type": [ "string", "null" ] }, "useCSRCommonName": { "default": true, "description": "When used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data. This does not include any requested SANs in the CSR; use use_csr_sans for that.", "type": [ "boolean", "null" ] }, "useCSRSans": { "default": true, "description": "When used with the CSR signing endpoint, the subject alternate names in the CSR will be used instead of taken from the JSON data. This does not include the common name in the CSR; use use_csr_common_name for that.", "type": [ "boolean", "null" ] } }, "type": [ "object", "null" ] }, "status": { "additionalProperties": false, "description": "PKISecretEngineRoleStatus defines the observed state of PKISecretEngineRole", "properties": { "conditions": { "description": "INSERT ADDITIONAL STATUS FIELD - define observed state of cluster\nImportant: Run \"make\" to regenerate code after modifying this file", "items": { "additionalProperties": false, "description": "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": [ "integer", "null" ] }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object" }, "type": [ "array", "null" ], "x-kubernetes-list-map-keys": [ "type" ], "x-kubernetes-list-type": "map" } }, "type": [ "object", "null" ] } }, "type": "object" }