{
  "description": "CSISecrets is the Schema for the csisecrets API",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": [
        "string",
        "null"
      ]
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": [
        "string",
        "null"
      ]
    },
    "metadata": {
      "type": [
        "object",
        "null"
      ]
    },
    "spec": {
      "additionalProperties": false,
      "description": "CSISecretsSpec defines the desired state of CSISecrets. It contains the\nconfiguration for the CSI driver to populate the secret data.",
      "properties": {
        "accessControl": {
          "additionalProperties": false,
          "description": "AccessControl provides configuration for controlling access to the secret.",
          "properties": {
            "matchPolicy": {
              "default": "all",
              "description": "MatchPolicy is the policy to use when matching the access control rules. If\nset to \"any\", only one of the rules needs to match. If set to \"all\", all the\nrules must match.",
              "enum": [
                "any",
                "all"
              ],
              "type": [
                "string",
                "null"
              ]
            },
            "namespacePatterns": {
              "description": "NamespacePatterns is a list of namespace name regex patterns that are allowed access.",
              "items": {
                "type": "string"
              },
              "type": [
                "array",
                "null"
              ]
            },
            "podLabels": {
              "additionalProperties": {
                "type": "string"
              },
              "description": "PodLabels is a map of pod label key-value pairs that should be allowed access.",
              "type": [
                "object",
                "null"
              ]
            },
            "podNamePatterns": {
              "description": "PodNamePatterns is a list of pod name regex patterns that should be allowed access.",
              "items": {
                "type": "string"
              },
              "type": [
                "array",
                "null"
              ]
            },
            "serviceAccountPattern": {
              "description": "ServiceAccountPattern is the name of the service account that should be used to\naccess the secret. It can be specified as a regex pattern.\nA valid service account is always required.",
              "type": "string"
            }
          },
          "required": [
            "serviceAccountPattern"
          ],
          "type": "object"
        },
        "namespace": {
          "description": "Namespace is the Vault namespace where the secret is located.",
          "type": [
            "string",
            "null"
          ]
        },
        "secrets": {
          "additionalProperties": false,
          "description": "Secrets that will be synced with the CSI driver.",
          "properties": {
            "transformation": {
              "additionalProperties": false,
              "description": "Transformation provides configuration for transforming the secret data before\nit is stored in the CSI volume.",
              "properties": {
                "excludeRaw": {
                  "description": "ExcludeRaw data from the destination Secret. Exclusion policy can be set\nglobally by including 'exclude-raw' in the '--global-transformation-options'\ncommand line flag. If set, the command line flag always takes precedence over\nthis configuration.",
                  "type": [
                    "boolean",
                    "null"
                  ]
                },
                "excludes": {
                  "description": "Excludes contains regex patterns used to filter top-level source secret data\nfields for exclusion from the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied before any inclusion patterns. To exclude all source secret data\nfields, you can configure the single pattern \".*\".",
                  "items": {
                    "type": "string"
                  },
                  "type": [
                    "array",
                    "null"
                  ]
                },
                "includes": {
                  "description": "Includes contains regex patterns used to filter top-level source secret data\nfields for inclusion in the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied last.",
                  "items": {
                    "type": "string"
                  },
                  "type": [
                    "array",
                    "null"
                  ]
                },
                "templates": {
                  "additionalProperties": {
                    "additionalProperties": false,
                    "description": "Template provides templating configuration.",
                    "properties": {
                      "name": {
                        "description": "Name of the Template",
                        "type": [
                          "string",
                          "null"
                        ]
                      },
                      "text": {
                        "description": "Text contains the Go text template format. The template\nreferences attributes from the data structure of the source secret.\nRefer to https://pkg.go.dev/text/template for more information.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "text"
                    ],
                    "type": "object"
                  },
                  "description": "Templates maps a template name to its Template. Templates are always included\nin the rendered K8s Secret, and take precedence over templates defined in a\nSecretTransformation.",
                  "type": [
                    "object",
                    "null"
                  ]
                },
                "transformationRefs": {
                  "description": "TransformationRefs contain references to template configuration from\nSecretTransformation.",
                  "items": {
                    "additionalProperties": false,
                    "description": "TransformationRef contains the configuration for accessing templates from a\nSecretTransformation resource. TransformationRefs can be shared across all\nsyncable secret custom resources.",
                    "properties": {
                      "ignoreExcludes": {
                        "description": "IgnoreExcludes controls whether to use the SecretTransformation's Excludes\ndata key filters.",
                        "type": [
                          "boolean",
                          "null"
                        ]
                      },
                      "ignoreIncludes": {
                        "description": "IgnoreIncludes controls whether to use the SecretTransformation's Includes\ndata key filters.",
                        "type": [
                          "boolean",
                          "null"
                        ]
                      },
                      "name": {
                        "description": "Name of the SecretTransformation resource.",
                        "type": "string"
                      },
                      "namespace": {
                        "description": "Namespace of the SecretTransformation resource.",
                        "type": [
                          "string",
                          "null"
                        ]
                      },
                      "templateRefs": {
                        "description": "TemplateRefs map to a Template found in this TransformationRef. If empty, then\nall templates from the SecretTransformation will be rendered to the K8s Secret.",
                        "items": {
                          "additionalProperties": false,
                          "description": "TemplateRef points to templating text that is stored in a\nSecretTransformation custom resource.",
                          "properties": {
                            "keyOverride": {
                              "description": "KeyOverride to the rendered template in the Destination secret. If Key is\nempty, then the Key from reference spec will be used. Set this to override the\nKey set from the reference spec.",
                              "type": [
                                "string",
                                "null"
                              ]
                            },
                            "name": {
                              "description": "Name of the Template in SecretTransformationSpec.Templates.\nthe rendered secret data.",
                              "type": "string"
                            }
                          },
                          "required": [
                            "name"
                          ],
                          "type": "object"
                        },
                        "type": [
                          "array",
                          "null"
                        ]
                      }
                    },
                    "required": [
                      "name"
                    ],
                    "type": "object"
                  },
                  "type": [
                    "array",
                    "null"
                  ]
                }
              },
              "type": [
                "object",
                "null"
              ]
            },
            "vaultAppRoleSecretIDs": {
              "description": "VaultAppRoleSecretIDs is a list of AppRole secret IDs to be used to populate the secret.",
              "items": {
                "additionalProperties": false,
                "description": "VaultAppRoleSecretID defines the AppRole secret ID to be used to populate the secret.",
                "properties": {
                  "cidrList": {
                    "description": "CIDRList is the list of CIDR blocks that are allowed to access the secret ID.",
                    "items": {
                      "type": "string"
                    },
                    "type": [
                      "array",
                      "null"
                    ]
                  },
                  "metadata": {
                    "additionalProperties": {
                      "type": "string"
                    },
                    "description": "Metadata is the metadata to be associated with the secret ID. It is set on\nthe token generated by the secret ID.",
                    "type": [
                      "object",
                      "null"
                    ]
                  },
                  "mount": {
                    "description": "Mount path to the AppRole auth engine.",
                    "type": "string"
                  },
                  "numUses": {
                    "description": "NumUses is the number of times the secret ID can be used.",
                    "type": [
                      "integer",
                      "null"
                    ]
                  },
                  "role": {
                    "description": "Role is the name of the AppRole.",
                    "type": "string"
                  },
                  "syncRoleID": {
                    "description": "SyncRoleID is the flag to fetch the role ID from the AppRole auth engine.\nRequires that the provisioning VaultAuth has the necessary permissions to fetch the role ID.",
                    "type": [
                      "boolean",
                      "null"
                    ]
                  },
                  "tokenBoundCIDRs": {
                    "description": "TokenBoundCIDRs is the list of CIDR blocks that can be used to authenticate\nusing tokens generated by this secret ID.",
                    "items": {
                      "type": "string"
                    },
                    "type": [
                      "array",
                      "null"
                    ]
                  },
                  "transformation": {
                    "additionalProperties": false,
                    "description": "Transformation provides configuration for transforming the secret data before\nit is stored in the CSI volume.",
                    "properties": {
                      "excludeRaw": {
                        "description": "ExcludeRaw data from the destination Secret. Exclusion policy can be set\nglobally by including 'exclude-raw' in the '--global-transformation-options'\ncommand line flag. If set, the command line flag always takes precedence over\nthis configuration.",
                        "type": [
                          "boolean",
                          "null"
                        ]
                      },
                      "excludes": {
                        "description": "Excludes contains regex patterns used to filter top-level source secret data\nfields for exclusion from the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied before any inclusion patterns. To exclude all source secret data\nfields, you can configure the single pattern \".*\".",
                        "items": {
                          "type": "string"
                        },
                        "type": [
                          "array",
                          "null"
                        ]
                      },
                      "includes": {
                        "description": "Includes contains regex patterns used to filter top-level source secret data\nfields for inclusion in the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied last.",
                        "items": {
                          "type": "string"
                        },
                        "type": [
                          "array",
                          "null"
                        ]
                      },
                      "templates": {
                        "additionalProperties": {
                          "additionalProperties": false,
                          "description": "Template provides templating configuration.",
                          "properties": {
                            "name": {
                              "description": "Name of the Template",
                              "type": [
                                "string",
                                "null"
                              ]
                            },
                            "text": {
                              "description": "Text contains the Go text template format. The template\nreferences attributes from the data structure of the source secret.\nRefer to https://pkg.go.dev/text/template for more information.",
                              "type": "string"
                            }
                          },
                          "required": [
                            "text"
                          ],
                          "type": "object"
                        },
                        "description": "Templates maps a template name to its Template. Templates are always included\nin the rendered K8s Secret, and take precedence over templates defined in a\nSecretTransformation.",
                        "type": [
                          "object",
                          "null"
                        ]
                      },
                      "transformationRefs": {
                        "description": "TransformationRefs contain references to template configuration from\nSecretTransformation.",
                        "items": {
                          "additionalProperties": false,
                          "description": "TransformationRef contains the configuration for accessing templates from a\nSecretTransformation resource. TransformationRefs can be shared across all\nsyncable secret custom resources.",
                          "properties": {
                            "ignoreExcludes": {
                              "description": "IgnoreExcludes controls whether to use the SecretTransformation's Excludes\ndata key filters.",
                              "type": [
                                "boolean",
                                "null"
                              ]
                            },
                            "ignoreIncludes": {
                              "description": "IgnoreIncludes controls whether to use the SecretTransformation's Includes\ndata key filters.",
                              "type": [
                                "boolean",
                                "null"
                              ]
                            },
                            "name": {
                              "description": "Name of the SecretTransformation resource.",
                              "type": "string"
                            },
                            "namespace": {
                              "description": "Namespace of the SecretTransformation resource.",
                              "type": [
                                "string",
                                "null"
                              ]
                            },
                            "templateRefs": {
                              "description": "TemplateRefs map to a Template found in this TransformationRef. If empty, then\nall templates from the SecretTransformation will be rendered to the K8s Secret.",
                              "items": {
                                "additionalProperties": false,
                                "description": "TemplateRef points to templating text that is stored in a\nSecretTransformation custom resource.",
                                "properties": {
                                  "keyOverride": {
                                    "description": "KeyOverride to the rendered template in the Destination secret. If Key is\nempty, then the Key from reference spec will be used. Set this to override the\nKey set from the reference spec.",
                                    "type": [
                                      "string",
                                      "null"
                                    ]
                                  },
                                  "name": {
                                    "description": "Name of the Template in SecretTransformationSpec.Templates.\nthe rendered secret data.",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "name"
                                ],
                                "type": "object"
                              },
                              "type": [
                                "array",
                                "null"
                              ]
                            }
                          },
                          "required": [
                            "name"
                          ],
                          "type": "object"
                        },
                        "type": [
                          "array",
                          "null"
                        ]
                      }
                    },
                    "type": [
                      "object",
                      "null"
                    ]
                  },
                  "ttl": {
                    "description": "TTL is the TTL for the secret ID, after which it becomes invalid.",
                    "pattern": "^([0-9]+(\\.[0-9]+)?(s|m|h))$",
                    "type": [
                      "string",
                      "null"
                    ]
                  },
                  "wrapTTL": {
                    "description": "WrapTTL is the TTL for the wrapped secret ID.",
                    "pattern": "^([0-9]+(\\.[0-9]+)?(s|m|h))$",
                    "type": [
                      "string",
                      "null"
                    ]
                  }
                },
                "required": [
                  "mount",
                  "role"
                ],
                "type": "object"
              },
              "type": [
                "array",
                "null"
              ]
            },
            "vaultStaticSecrets": {
              "description": "VaultStaticSecrets is a list of static secrets to be synced by the CSI driver.",
              "items": {
                "additionalProperties": false,
                "properties": {
                  "mount": {
                    "description": "Mount for the secret in Vault",
                    "type": "string"
                  },
                  "path": {
                    "description": "Path of the secret in Vault, corresponds to the `path` parameter for:\nkv-v1: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1#read-secret\nkv-v2: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version",
                    "type": "string"
                  },
                  "transformation": {
                    "additionalProperties": false,
                    "description": "Transformation provides configuration for transforming the secret data before\nit is stored in the CSI volume.",
                    "properties": {
                      "excludeRaw": {
                        "description": "ExcludeRaw data from the destination Secret. Exclusion policy can be set\nglobally by including 'exclude-raw' in the '--global-transformation-options'\ncommand line flag. If set, the command line flag always takes precedence over\nthis configuration.",
                        "type": [
                          "boolean",
                          "null"
                        ]
                      },
                      "excludes": {
                        "description": "Excludes contains regex patterns used to filter top-level source secret data\nfields for exclusion from the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied before any inclusion patterns. To exclude all source secret data\nfields, you can configure the single pattern \".*\".",
                        "items": {
                          "type": "string"
                        },
                        "type": [
                          "array",
                          "null"
                        ]
                      },
                      "includes": {
                        "description": "Includes contains regex patterns used to filter top-level source secret data\nfields for inclusion in the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied last.",
                        "items": {
                          "type": "string"
                        },
                        "type": [
                          "array",
                          "null"
                        ]
                      },
                      "templates": {
                        "additionalProperties": {
                          "additionalProperties": false,
                          "description": "Template provides templating configuration.",
                          "properties": {
                            "name": {
                              "description": "Name of the Template",
                              "type": [
                                "string",
                                "null"
                              ]
                            },
                            "text": {
                              "description": "Text contains the Go text template format. The template\nreferences attributes from the data structure of the source secret.\nRefer to https://pkg.go.dev/text/template for more information.",
                              "type": "string"
                            }
                          },
                          "required": [
                            "text"
                          ],
                          "type": "object"
                        },
                        "description": "Templates maps a template name to its Template. Templates are always included\nin the rendered K8s Secret, and take precedence over templates defined in a\nSecretTransformation.",
                        "type": [
                          "object",
                          "null"
                        ]
                      },
                      "transformationRefs": {
                        "description": "TransformationRefs contain references to template configuration from\nSecretTransformation.",
                        "items": {
                          "additionalProperties": false,
                          "description": "TransformationRef contains the configuration for accessing templates from a\nSecretTransformation resource. TransformationRefs can be shared across all\nsyncable secret custom resources.",
                          "properties": {
                            "ignoreExcludes": {
                              "description": "IgnoreExcludes controls whether to use the SecretTransformation's Excludes\ndata key filters.",
                              "type": [
                                "boolean",
                                "null"
                              ]
                            },
                            "ignoreIncludes": {
                              "description": "IgnoreIncludes controls whether to use the SecretTransformation's Includes\ndata key filters.",
                              "type": [
                                "boolean",
                                "null"
                              ]
                            },
                            "name": {
                              "description": "Name of the SecretTransformation resource.",
                              "type": "string"
                            },
                            "namespace": {
                              "description": "Namespace of the SecretTransformation resource.",
                              "type": [
                                "string",
                                "null"
                              ]
                            },
                            "templateRefs": {
                              "description": "TemplateRefs map to a Template found in this TransformationRef. If empty, then\nall templates from the SecretTransformation will be rendered to the K8s Secret.",
                              "items": {
                                "additionalProperties": false,
                                "description": "TemplateRef points to templating text that is stored in a\nSecretTransformation custom resource.",
                                "properties": {
                                  "keyOverride": {
                                    "description": "KeyOverride to the rendered template in the Destination secret. If Key is\nempty, then the Key from reference spec will be used. Set this to override the\nKey set from the reference spec.",
                                    "type": [
                                      "string",
                                      "null"
                                    ]
                                  },
                                  "name": {
                                    "description": "Name of the Template in SecretTransformationSpec.Templates.\nthe rendered secret data.",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "name"
                                ],
                                "type": "object"
                              },
                              "type": [
                                "array",
                                "null"
                              ]
                            }
                          },
                          "required": [
                            "name"
                          ],
                          "type": "object"
                        },
                        "type": [
                          "array",
                          "null"
                        ]
                      }
                    },
                    "type": [
                      "object",
                      "null"
                    ]
                  },
                  "type": {
                    "description": "Type of the Vault static secret",
                    "enum": [
                      "kv-v1",
                      "kv-v2"
                    ],
                    "type": "string"
                  },
                  "version": {
                    "description": "Version of the secret to fetch. Only valid for type kv-v2. Corresponds to version query parameter:\nhttps://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#version",
                    "minimum": 0,
                    "type": [
                      "integer",
                      "null"
                    ]
                  }
                },
                "required": [
                  "mount",
                  "path",
                  "type"
                ],
                "type": "object"
              },
              "type": [
                "array",
                "null"
              ]
            }
          },
          "type": "object"
        },
        "syncConfig": {
          "additionalProperties": false,
          "description": "SyncConfig provides configuration for syncing the secret data with the CSI driver.",
          "properties": {
            "containerState": {
              "additionalProperties": false,
              "description": "ContainerState is the state of the container that the CSI driver always syncs\non. This configuration is useful to sync when the last state of the container\nis in the terminated state and the restart count is greater than 0.",
              "properties": {
                "imagePattern": {
                  "description": "ImagePattern of the container. Can be expressed as a regular expression.",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "namePattern": {
                  "description": "NamePattern of the container. Can be expressed as a regular expression.",
                  "type": [
                    "string",
                    "null"
                  ]
                }
              },
              "type": "object"
            }
          },
          "required": [
            "containerState"
          ],
          "type": [
            "object",
            "null"
          ]
        },
        "vaultAuthRef": {
          "additionalProperties": false,
          "description": "VaultAuthRef is the reference to the VaultAuth resource.",
          "properties": {
            "name": {
              "description": "Name of the VaultAuth resource.",
              "type": "string"
            },
            "namespace": {
              "description": "Namespace of the VaultAuth resource.",
              "type": [
                "string",
                "null"
              ]
            },
            "trustNamespace": {
              "description": "TrustNamespace of the referring VaultAuth resource. When set to true, any Vault\ncredentials will be provided by resources in the same namespace as the\nVaultAuth resource. Otherwise, the credentials will be provided by the secret\nresource's namespace.",
              "type": [
                "boolean",
                "null"
              ]
            }
          },
          "required": [
            "name"
          ],
          "type": [
            "object",
            "null"
          ]
        }
      },
      "required": [
        "accessControl",
        "secrets"
      ],
      "type": [
        "object",
        "null"
      ]
    },
    "status": {
      "additionalProperties": false,
      "description": "CSISecretsStatus defines the observed state of CSISecrets",
      "properties": {
        "conditions": {
          "description": "Conditions hold information that can be used by other apps to determine the\nhealth of the resource instance.",
          "items": {
            "additionalProperties": false,
            "description": "Condition contains details for one aspect of the current state of this API Resource.",
            "properties": {
              "lastTransitionTime": {
                "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
                "format": "date-time",
                "type": "string"
              },
              "message": {
                "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.",
                "maxLength": 32768,
                "type": "string"
              },
              "observedGeneration": {
                "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.",
                "format": "int64",
                "minimum": 0,
                "type": [
                  "integer",
                  "null"
                ]
              },
              "reason": {
                "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.",
                "maxLength": 1024,
                "minLength": 1,
                "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
                "type": "string"
              },
              "status": {
                "description": "status of the condition, one of True, False, Unknown.",
                "enum": [
                  "True",
                  "False",
                  "Unknown"
                ],
                "type": "string"
              },
              "type": {
                "description": "type of condition in CamelCase or in foo.example.com/CamelCase.",
                "maxLength": 316,
                "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
                "type": "string"
              }
            },
            "required": [
              "lastTransitionTime",
              "message",
              "reason",
              "status",
              "type"
            ],
            "type": "object"
          },
          "type": [
            "array",
            "null"
          ]
        }
      },
      "type": [
        "object",
        "null"
      ]
    }
  },
  "type": "object"
}