VaultSecret
redhatcop.redhat.io / v1alpha1
apiVersion: redhatcop.redhat.io/v1alpha1
kind: VaultSecret
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
VaultSecretSpec defines the desired state of VaultSecret
output object
TemplatizedK8sSecret is the formatted K8s Secret created by templating from the Vault KV secrets.
annotations
object
Annotations are annotations to add to the final K8s Secret.
labels
object
Labels are labels to add to the final K8s Secret.
name
string
Name is the K8s Secret name to output to.
stringData
object
StringData is the K8s Secret stringData and allows specifying non-binary secret data in string form with go templating support
to transform the Vault KV secrets into a formatted K8s Secret.
The Sprig template library and Helm functions (like toYaml) are supported.
type
string
Type is the K8s Secret type to output to.
refreshPeriod
string
RefreshPeriod if specified, the operator will refresh the secret with the given frequency.
This takes precedence over any vault secret lease duration and can be used to force a refresh.
refreshThreshold
integer
RefreshThreshold if specified, will instruct the operator to refresh when a percentage of the lease duration is met when there is no RefreshPeriod specified.
This is particularly useful for controlling when dynamic secrets should be refreshed before the lease duration is exceeded.
The default is 90, meaning the secret would refresh after 90% of the time has passed from the vault secret's lease duration.
syncOnResourceChange
boolean
SyncOnResourceChange if set to true, the operator will immediately resync the secret from Vault
whenever the VaultSecret spec or metadata changes, bypassing the time-based refresh gate.
By default this is false, meaning changes to the resource will only take effect at the next scheduled refresh.
vaultSecretDefinitions []object
VaultSecretDefinitions are the secrets in Vault.
authentication object
Authentication is the kube auth configuraiton to be used to execute this request
namespace
string
Namespace is the Vault namespace to be used in all the operations withing this connection/authentication. Only available in Vault Enterprise.
path
string
Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}
pattern:
^(?:/?[\w;:@&=\$-\.\+]*)+/?
role
string
Role the role to be used during authentication
serviceAccount object
ServiceAccount is the service account used for the kube auth authentication
name
string
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
connection object
Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR.
address
string
Address Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/
maxRetries
integer
MaxRetries Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).
tLSConfig object
cacert
string
Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.
skipVerify
boolean
SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.
tlsSecret object
TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", key -> "tls.key"
name
string
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
tlsServerName
string
TLSServerName Name to use as the SNI host when connecting via TLS.
timeOut
string
Timeout Timeout variable. The default value is 60s.
name
string
Name is an arbitrary, but unique, name for this KV Vault secret and referenced when templating.
path
string
Path is the path of the secret.
pattern:
^(?:/?[\w;:@&=\$-\.\+]*)+/?
requestPayload
object
RequestPayload for POST type of requests, this field contains the payload of the request. Not used for GET requests.
requestType
string
RequestType the type of request needed to retrieve a secret. Normally a GET, but some secret engnes require a POST.
enum:
GET, POSTstatus object
VaultSecretStatus defines the observed state of VaultSecret
conditions []object
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format:
int64minimum:
0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern:
^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$minLength:
1maxLength:
1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
pattern:
^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$maxLength:
316
lastVaultSecretUpdate
string
LastVaultSecretUpdate the last time when this secret was updated from Vault
format:
date-time
nextVaultSecretUpdate
string
NextVaultSecretUpdate the next time when this secret will be synced with Vault. If nil, it will not be refreshed.
format:
date-time
syncedResourceVersion
string
SyncedResourceVersion is a combination of the VaultSecret's generation and metadata hash.
Is enabled by SyncOnResourceChange: true
vaultSecretDefinitionsStatus []object
VaultSecretDefinitionsStatus information used to determine if the secret should be rereconciled
lease_duration
integer
LeaseDuration is the time until the secret should be read in again, thus recreating the k8s Secret
lease_id
string
LeaseID is the id of a lease, this denotes the secret is dynamic
name
string
Name is an arbitrary, but unique, name for this KV Vault secret and referenced when templating.
renewable
boolean
Renewable informs if the lease is renewable for the dynamic secret
No matches. Try .spec.output for an exact path