{
  "description": "HCPAuth is the Schema for the hcpauths API",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": [
        "string",
        "null"
      ]
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": [
        "string",
        "null"
      ]
    },
    "metadata": {
      "type": [
        "object",
        "null"
      ]
    },
    "spec": {
      "additionalProperties": false,
      "description": "HCPAuthSpec defines the desired state of HCPAuth",
      "properties": {
        "allowedNamespaces": {
          "description": "AllowedNamespaces lists the Kubernetes Namespaces which are allow-listed for use with this AuthMethod.\nThis field allows administrators to customize which Kubernetes namespaces are authorized to\nuse this AuthMethod. While Vault will still enforce its own rules, this has the added\nconfigurability of restricting which HCPAuthMethods can be used by which namespaces.\nAccepted values:\n[]{\"*\"} - wildcard, all namespaces.\n[]{\"a\", \"b\"} - list of namespaces.\nunset - disallow all namespaces except the Operator's and the HCPAuthMethod's namespace; this\nis the default behavior.",
          "items": {
            "type": "string"
          },
          "type": [
            "array",
            "null"
          ]
        },
        "method": {
          "default": "servicePrincipal",
          "description": "Method to use when authenticating to Vault.",
          "enum": [
            "servicePrincipal"
          ],
          "type": [
            "string",
            "null"
          ]
        },
        "organizationID": {
          "description": "OrganizationID of the HCP organization.",
          "type": "string"
        },
        "projectID": {
          "description": "ProjectID of the HCP project.",
          "type": "string"
        },
        "servicePrincipal": {
          "additionalProperties": false,
          "description": "ServicePrincipal provides the necessary configuration for authenticating to\nHCP using a service principal. For security reasons, only project-level\nservice principals should ever be used.",
          "properties": {
            "secretRef": {
              "description": "SecretRef is the name of a Kubernetes secret in the consumer's\n(VDS/VSS/PKI/HCP) namespace which provides the HCP ServicePrincipal clientID\nand clientSecret.\nThe secret data must have the following structure: {\n  \"clientID\": \"clientID\",\n  \"clientSecret\": \"clientSecret\"\n}",
              "type": "string"
            }
          },
          "required": [
            "secretRef"
          ],
          "type": [
            "object",
            "null"
          ]
        }
      },
      "required": [
        "organizationID",
        "projectID"
      ],
      "type": [
        "object",
        "null"
      ]
    },
    "status": {
      "additionalProperties": false,
      "description": "HCPAuthStatus defines the observed state of HCPAuth",
      "properties": {
        "conditions": {
          "description": "Conditions hold information that can be used by other apps to determine the\nhealth of the resource instance.",
          "items": {
            "additionalProperties": false,
            "description": "Condition contains details for one aspect of the current state of this API Resource.",
            "properties": {
              "lastTransitionTime": {
                "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
                "format": "date-time",
                "type": "string"
              },
              "message": {
                "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.",
                "maxLength": 32768,
                "type": "string"
              },
              "observedGeneration": {
                "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.",
                "format": "int64",
                "minimum": 0,
                "type": [
                  "integer",
                  "null"
                ]
              },
              "reason": {
                "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.",
                "maxLength": 1024,
                "minLength": 1,
                "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
                "type": "string"
              },
              "status": {
                "description": "status of the condition, one of True, False, Unknown.",
                "enum": [
                  "True",
                  "False",
                  "Unknown"
                ],
                "type": "string"
              },
              "type": {
                "description": "type of condition in CamelCase or in foo.example.com/CamelCase.",
                "maxLength": 316,
                "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
                "type": "string"
              }
            },
            "required": [
              "lastTransitionTime",
              "message",
              "reason",
              "status",
              "type"
            ],
            "type": "object"
          },
          "type": [
            "array",
            "null"
          ]
        },
        "error": {
          "type": "string"
        },
        "valid": {
          "description": "Valid indicates whether the auth mechanism is valid.",
          "type": "boolean"
        }
      },
      "required": [
        "error",
        "valid"
      ],
      "type": [
        "object",
        "null"
      ]
    }
  },
  "type": "object"
}