SecretEngineMount

redhatcop.redhat.io / v1alpha1

apiVersion: redhatcop.redhat.io/v1alpha1 kind: SecretEngineMount metadata: name: example

apiVersion string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata object

spec object

SecretEngineMountSpec defines the desired state of SecretEngineMount

authentication object

Authentication is the kube auth configuration to be used to execute this request

namespace string

Namespace is the Vault namespace to be used in all the operations withing this connection/authentication. Only available in Vault Enterprise.

path string

Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}

pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

role string

Role the role to be used during authentication

serviceAccount object

ServiceAccount is the service account used for the kube auth authentication

name string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

config object

Specifies configuration options for this mount; if set on a specific mount, values will override any global defaults (e.g. the system TTL/Max TTL)

allowedResponseHeaders []string

AllowedResponseHeaders list of headers to whitelist, allowing a plugin to include them in the response. kubebuilder:validation:UniqueItems=true

auditNonHMACRequestKeys []string

AuditNonHMACRequestKeys list of keys that will not be HMAC'd by audit devices in the request data object. kubebuilder:validation:UniqueItems=true

auditNonHMACResponseKeys []string

AuditNonHMACResponseKeys list of keys that will not be HMAC'd by audit devices in the response data object. kubebuilder:validation:UniqueItems=true

defaultLeaseTTL string

DefaultLeaseTTL The default lease duration, specified as a string duration like "5s" or "30m".

forceNoCache boolean

ForceNoCache Disable caching.

listingVisibility string

ListingVisibility Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden". If not set, behaves like "hidden"

enum: unauth, hidden

maxLeaseTTL string

MaxLeaseTTL The maximum lease duration, specified as a string duration like "5s" or "30m".

passthroughRequestHeaders []string

PassthroughRequestHeaders list of headers to whitelist and pass from the request to the plugin. kubebuilder:validation:UniqueItems=true

connection object

Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR.

address string

Address Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/

maxRetries integer

MaxRetries Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).

tLSConfig object

cacert string

Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.

skipVerify boolean

SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.

tlsSecret object

TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", key -> "tls.key"

name string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

tlsServerName string

TLSServerName Name to use as the SNI host when connecting via TLS.

timeOut string

Timeout Timeout variable. The default value is 60s.

description string

Description Specifies the human-friendly description of the mount.

externalEntropyAccess boolean

ExternalEntropyAccess Enable the secrets engine to access Vault's external entropy source.

local boolean

Local Specifies if the secrets engine is a local mount only. Local mounts are not replicated nor (if a secondary) removed by replication.

name string

The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}

pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?

options object

Options Specifies mount type specific options that are passed to the backend.

path string

Path at which this secret engine will be available. If not specified, defaults to the resource name (/sys/mounts/{[spec.authentication.namespace]}/{metadata.name}). The final path in Vault will be {[spec.authentication.namespace]}/{[spec.path]}/{metadata.name}. The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on computed path /sys/mounts/{[spec.authentication.namespace]}/{[spec.path]}/{metadata.name} or /sys/mounts/{[spec.authentication.namespace]}/{metadata.name} if path is empty.

pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

sealWrap boolean

SealWrap Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability.

type string

Type Specifies the type of the backend, such as "aws".

status object

SecretEngineMountStatus defines the observed state of SecretEngineMount

accessor string

conditions []object

lastTransitionTime string required

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

format: date-time

message string required

message is a human readable message indicating details about the transition. This may be an empty string.

maxLength: 32768

observedGeneration integer

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

format: int64

minimum: 0

reason string required

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$

minLength: 1

maxLength: 1024

status string required

status of the condition, one of True, False, Unknown.

enum: True, False, Unknown

type string required

type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)

pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

maxLength: 316

No matches. Try .spec.authentication for an exact path