Skip to search

RandomSecret

redhatcop.redhat.io / v1alpha1

apiVersion: redhatcop.redhat.io/v1alpha1 kind: RandomSecret metadata: name: example
View raw schema
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
RandomSecretSpec defines the desired state of RandomSecret
authentication object
Authentication is the kube auth configuration to be used to execute this request
namespace string
Namespace is the Vault namespace to be used in all the operations withing this connection/authentication. Only available in Vault Enterprise.
path string
Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}
pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?
role string
Role the role to be used during authentication
serviceAccount object
ServiceAccount is the service account used for the kube auth authentication
name string
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
connection object
Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR.
address string
Address Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/
maxRetries integer
MaxRetries Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).
tLSConfig object
cacert string
Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.
skipVerify boolean
SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.
tlsSecret object
TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", key -> "tls.key"
name string
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
tlsServerName string
TLSServerName Name to use as the SNI host when connecting via TLS.
timeOut string
Timeout Timeout variable. The default value is 60s.
isKVSecretsEngineV2 boolean
IsKVSecretsEngineV2 indicates if the KV Secrets engine is V2 or not. Default is false to indicate the payload to send is for KV Secret Engine V1.
kvSecretRetainPolicy string
The KV secret retain policy to apply when the Kubernetes resource is deleted. When unspecified, the KV secret is also deleted.
enum: Delete, Retain
name string
The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}
pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?
path string
Path at which to create the secret. The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/{metadata.name}. If IsKVSecretsEngineV2 is false, the authentication role must have the following capabilities = [ "create", "update", "delete"] on the {[spec.authentication.namespace]}/{spec.path}/{metadata.name} path. If IsKVSecretsEngineV2 is true, the authentication role must have the following capabilities = [ "create", "update"] on the {[spec.authentication.namespace]}/{spec.path}/data/{metadata.name} path and capabilities = [ "delete"] on the {[spec.authentication.namespace]}/{spec.path}/metadata/{metadata.name} path. Additionally, if IsKVSecretsEngineV2 is true, it is acceptable for this value to have a suffix of "/data" or not. This suffix is no longer needed but still supported for backwards compatibility.
pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?
refreshPeriod string
RefreshPeriod if specified, the operator will refresh the secret with the given frequency. This will also set the ttl of the secret which provides a hint for how often consumers should check back for a new value when reading the secret's lease_duration.
secretFormat object
SecretFormat specifies a map of key and password policies used to generate random values
inlinePasswordPolicy string
InlinePasswordPolicy is an inline password policy specified using Vault password policy syntax (https://www.vaultproject.io/docs/concepts/password-policies#password-policy-syntax) Only one of PasswordPolicyName or InlinePasswordPolicy can be specified
passwordPolicyName string
PasswordPolicyName a ref to a password policy defined in Vault. Notice that in order to use this, the Vault role you use needs the following capabilities = ["read"] on /sys/policy/password. Only one of PasswordPolicyName or InlinePasswordPolicy can be specified
secretKey string
SecretKey is the key to be used for this secret when stored in Vault kv
status object
RandomSecretStatus defines the observed state of RandomSecret
conditions []object
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
lastVaultSecretUpdate string
LastVaultSecretUpdate last time when this secret was updated in Vault
format: date-time

No matches. Try .spec.authentication for an exact path