
CSISecrets

secrets.hashicorp.com / v1beta1

apiVersion: secrets.hashicorp.com/v1beta1
kind: CSISecrets
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
CSISecretsSpec defines the desired state of CSISecrets. It contains the configuration for the CSI driver to populate the secret data.
accessControl object required
AccessControl provides configuration for controlling access to the secret.
matchPolicy string
MatchPolicy is the policy to use when matching the access control rules. If set to "any", only one of the rules should match. If set to "all", all the rules should match.
enum: any, all
namespacePatterns []string
NamespacePatterns is a list of namespace name regex patterns that are allowed access.
podLabels object
PodLabels is a map of pod label key-value pairs that should be allowed access.
podNamePatterns []string
PodNamePatterns is a list of pod name regex patterns that should be allowed access.
serviceAccountPattern string required
ServiceAccountPattern is the name of the service account that should be used to access the secret. It can be specified as a regex pattern. A valid service account is always required.
namespace string
Namespace is the Vault namespace where the secret is located.
secrets object required
Secrets that will be synced with the CSI driver.
transformation object
Transformation provides configuration for transforming the secret data before it is stored in the CSI volume.
excludeRaw boolean
ExcludeRaw excludes the raw data from the destination Secret. The exclusion policy can be set globally by including 'exclude-raw' in the '--global-transformation-options' command line flag. If set, the command line flag always takes precedence over this configuration.
excludes []string
Excludes contains regex patterns used to filter top-level source secret data fields for exclusion from the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied before any inclusion patterns. To exclude all source secret data fields, you can configure the single pattern ".*".
includes []string
Includes contains regex patterns used to filter top-level source secret data fields for inclusion in the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied last.
templates object
Templates maps a template name to its Template. Templates are always included in the rendered K8s Secret, and take precedence over templates defined in a SecretTransformation.
transformationRefs []object
TransformationRefs contain references to template configuration from SecretTransformation.
ignoreExcludes boolean
IgnoreExcludes controls whether to use the SecretTransformation's Excludes data key filters.
ignoreIncludes boolean
IgnoreIncludes controls whether to use the SecretTransformation's Includes data key filters.
name string required
Name of the SecretTransformation resource.
namespace string
Namespace of the SecretTransformation resource.
templateRefs []object
TemplateRefs map to a Template found in this TransformationRef. If empty, then all templates from the SecretTransformation will be rendered to the K8s Secret.
keyOverride string
KeyOverride to the rendered template in the Destination secret. If Key is empty, then the Key from reference spec will be used. Set this to override the Key set from the reference spec.
name string required
Name of the Template in SecretTransformationSpec.Templates. the rendered secret data.
vaultAppRoleSecretIDs []object
VaultAppRoleSecretIDs is a list of AppRole secret IDs to be used to populate the secret.
cidrList []string
CIDRList is the list of CIDR blocks that can access the secret ID.
metadata object
Metadata is the metadata to be associated with the secret ID. It is set on the token generated by the secret ID.
mount string required
Mount path to the AppRole auth engine.
numUses integer
NumUses is the number of times the secret ID can be used.
role string required
Role is the name of the AppRole.
syncRoleID boolean
SyncRoleID is the flag to fetch the role ID from the AppRole auth engine. Requires that the provisioning VaultAuth has the necessary permissions to fetch the role ID.
tokenBoundCIDRs []string
TokenBoundCIDRs is the list of CIDR blocks that can be used to authenticate using tokens generated by this secret ID.
transformation object
Transformation provides configuration for transforming the secret data before it is stored in the CSI volume.
excludeRaw boolean
ExcludeRaw excludes the raw data from the destination Secret. The exclusion policy can be set globally by including 'exclude-raw' in the '--global-transformation-options' command line flag. If set, the command line flag always takes precedence over this configuration.
excludes []string
Excludes contains regex patterns used to filter top-level source secret data fields for exclusion from the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied before any inclusion patterns. To exclude all source secret data fields, you can configure the single pattern ".*".
includes []string
Includes contains regex patterns used to filter top-level source secret data fields for inclusion in the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied last.
templates object
Templates maps a template name to its Template. Templates are always included in the rendered K8s Secret, and take precedence over templates defined in a SecretTransformation.
transformationRefs []object
TransformationRefs contain references to template configuration from SecretTransformation.
ignoreExcludes boolean
IgnoreExcludes controls whether to use the SecretTransformation's Excludes data key filters.
ignoreIncludes boolean
IgnoreIncludes controls whether to use the SecretTransformation's Includes data key filters.
name string required
Name of the SecretTransformation resource.
namespace string
Namespace of the SecretTransformation resource.
templateRefs []object
TemplateRefs map to a Template found in this TransformationRef. If empty, then all templates from the SecretTransformation will be rendered to the K8s Secret.
keyOverride string
KeyOverride to the rendered template in the Destination secret. If Key is empty, then the Key from reference spec will be used. Set this to override the Key set from the reference spec.
name string required
Name of the Template in SecretTransformationSpec.Templates. the rendered secret data.
ttl string
TTL is the TTL for the secret ID, after which it becomes invalid.
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
wrapTTL string
WrapTTL is the TTL for the wrapped secret ID.
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
vaultStaticSecrets []object
VaultStaticSecrets is a list of static secrets to be synced by the CSI driver.
mount string required
Mount for the secret in Vault
path string required
Path of the secret in Vault, corresponds to the `path` parameter for: kv-v1: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1#read-secret kv-v2: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version
transformation object
Transformation provides configuration for transforming the secret data before it is stored in the CSI volume.
excludeRaw boolean
ExcludeRaw excludes the raw data from the destination Secret. The exclusion policy can be set globally by including 'exclude-raw' in the '--global-transformation-options' command line flag. If set, the command line flag always takes precedence over this configuration.
excludes []string
Excludes contains regex patterns used to filter top-level source secret data fields for exclusion from the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied before any inclusion patterns. To exclude all source secret data fields, you can configure the single pattern ".*".
includes []string
Includes contains regex patterns used to filter top-level source secret data fields for inclusion in the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied last.
templates object
Templates maps a template name to its Template. Templates are always included in the rendered K8s Secret, and take precedence over templates defined in a SecretTransformation.
transformationRefs []object
TransformationRefs contain references to template configuration from SecretTransformation.
ignoreExcludes boolean
IgnoreExcludes controls whether to use the SecretTransformation's Excludes data key filters.
ignoreIncludes boolean
IgnoreIncludes controls whether to use the SecretTransformation's Includes data key filters.
name string required
Name of the SecretTransformation resource.
namespace string
Namespace of the SecretTransformation resource.
templateRefs []object
TemplateRefs map to a Template found in this TransformationRef. If empty, then all templates from the SecretTransformation will be rendered to the K8s Secret.
keyOverride string
KeyOverride to the rendered template in the Destination secret. If Key is empty, then the Key from reference spec will be used. Set this to override the Key set from the reference spec.
name string required
Name of the Template in SecretTransformationSpec.Templates. the rendered secret data.
type string required
Type of the Vault static secret
enum: kv-v1, kv-v2
version integer
Version of the secret to fetch. Only valid for type kv-v2. Corresponds to version query parameter: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#version
minimum: 0
syncConfig object
SyncConfig provides configuration for syncing the secret data with the CSI driver.
containerState object required
ContainerState is the state of the container that the CSI driver always syncs on. This configuration is useful to sync when the last state of the container is in the terminated state and the restart count is greater than 0.
imagePattern string
ImagePattern of the container. Can be expressed as a regular expression.
namePattern string
NamePattern of the container. Can be expressed as a regular expression.
vaultAuthRef object
VaultAuthRef is the reference to the VaultAuth resource.
name string required
Name of the VaultAuth resource.
namespace string
Namespace of the VaultAuth resource.
trustNamespace boolean
TrustNamespace of the referring VaultAuth resource. This means that any Vault credentials will be provided by resources in the same namespace as the VaultAuth resource. Otherwise, the credentials will be provided by the secret resource's namespace.
status object
CSISecretsStatus defines the observed state of CSISecrets
conditions []object
Conditions hold information that can be used by other apps to determine the health of the resource instance.
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
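
A pre-apply check for the regex-valued accessControl fields and the ttl/wrapTTL pattern listed above, added here as an example; it is not part of this schema page or of the operator's code. It assumes the patterns are evaluated as unanchored Go regular expressions, which the page does not state; under that assumption a pattern such as prod would also match the name nonprod-sandbox, so the check flags every pattern that is not ^...$ at its top level. FullyAnchored, ValidTTL, Lint and the sample values are hypothetical names and constructed inputs.

```go
package main

import (
	"fmt"
	"regexp"
	"regexp/syntax"
	"sort"
)

// ttlRe is the pattern this schema lists for ttl and wrapTTL.
var ttlRe = regexp.MustCompile(`^([0-9]+(\.[0-9]+)?(s|m|h))$`)

// ValidTTL reports whether s passes the schema's ttl/wrapTTL pattern.
func ValidTTL(s string) bool { return ttlRe.MatchString(s) }

// FullyAnchored reports whether p, parsed as a Go (RE2) regex, has the
// top-level shape ^...$ and so can only match a whole name. A top-level
// alternation such as ^a|b$ is reported as not anchored.
func FullyAnchored(p string) (bool, error) {
	re, err := syntax.Parse(p, syntax.Perl)
	if err != nil {
		return false, err
	}
	if re.Op != syntax.OpConcat || len(re.Sub) < 2 {
		return false, nil
	}
	first, last := re.Sub[0], re.Sub[len(re.Sub)-1]
	return first.Op == syntax.OpBeginText && last.Op == syntax.OpEndText, nil
}

// Lint takes accessControl patterns keyed by field path and returns sorted findings.
func Lint(patterns map[string]string) []string {
	var out []string
	for path, p := range patterns {
		if ok, err := FullyAnchored(p); err != nil {
			out = append(out, fmt.Sprintf("%s: %q does not compile: %v", path, p, err))
		} else if !ok {
			out = append(out, fmt.Sprintf("%s: %q is not anchored with ^...$", path, p))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample values, not taken from the page.
	p := map[string]string{"serviceAccountPattern": "^payments-api$", "namespacePatterns[0]": "prod"}
	fmt.Println(Lint(p), ValidTTL("30m"), ValidTTL("1h30m"))
}
```

The ttl pattern accepts a single number with one unit, so a compound duration such as 1h30m is rejected by the schema.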
