HCPAuth
secrets.hashicorp.com / v1beta1
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPAuth
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
HCPAuthSpec defines the desired state of HCPAuth
allowedNamespaces
[]string
AllowedNamespaces Kubernetes Namespaces which are allow-listed for use with this AuthMethod.
This field allows administrators to customize which Kubernetes namespaces are authorized to
use with this AuthMethod. While Vault will still enforce its own rules, this has the added
configurability of restricting which HCPAuthMethods can be used by which namespaces.
Accepted values:
[]{"*"} - wildcard, all namespaces.
[]{"a", "b"} - list of namespaces.
unset - disallow all namespaces except the Operator's the HCPAuthMethod's namespace, this
is the default behavior.
method
string
Method to use when authenticating to Vault.
enum:
servicePrincipal
organizationID
string required
OrganizationID of the HCP organization.
projectID
string required
ProjectID of the HCP project.
servicePrincipal object
ServicePrincipal provides the necessary configuration for authenticating to
HCP using a service principal. For security reasons, only project-level
service principals should ever be used.
secretRef
string required
SecretRef is the name of a Kubernetes secret in the consumer's
(VDS/VSS/PKI/HCP) namespace which provides the HCP ServicePrincipal clientID,
and clientSecret.
The secret data must have the following structure {
"clientID": "clientID",
"clientSecret": "clientSecret",
}
status object
HCPAuthStatus defines the observed state of HCPAuth
conditions []object
Conditions hold information that can be used by other apps to determine the
health of the resource instance.
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format:
int64minimum:
0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern:
^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$minLength:
1maxLength:
1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern:
^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$maxLength:
316
error
string required
valid
boolean required
Valid auth mechanism.
No matches. Try .spec.allowedNamespaces for an exact path