HCPVaultSecretsApp

secrets.hashicorp.com / v1beta1

apiVersion: secrets.hashicorp.com/v1beta1 kind: HCPVaultSecretsApp metadata: name: example

apiVersion string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata object

spec object

HCPVaultSecretsAppSpec defines the desired state of HCPVaultSecretsApp

appName string required

AppName of the Vault Secrets Application that is to be synced.

destination object required

Destination provides configuration necessary for syncing the HCP Vault Application secrets to Kubernetes.

annotations object

Annotations to apply to the Secret. Requires Create to be set to true.

create boolean

Create the destination Secret. If the Secret already exists this should be set to false.

labels object

Labels to apply to the Secret. Requires Create to be set to true.

name string required

Name of the Secret

overwrite boolean

Overwrite the destination Secret if it exists and Create is true. This is useful when migrating to VSO from a previous secret deployment strategy.

transformation object

Transformation provides configuration for transforming the secret data before it is stored in the Destination.

excludeRaw boolean

ExcludeRaw data from the destination Secret. Exclusion policy can be set globally by including 'exclude-raw` in the '--global-transformation-options' command line flag. If set, the command line flag always takes precedence over this configuration.

excludes []string

Excludes contains regex patterns used to filter top-level source secret data fields for exclusion from the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied before any inclusion patterns. To exclude all source secret data fields, you can configure the single pattern ".*".

includes []string

Includes contains regex patterns used to filter top-level source secret data fields for inclusion in the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied last.

templates object

Templates maps a template name to its Template. Templates are always included in the rendered K8s Secret, and take precedence over templates defined in a SecretTransformation.

transformationRefs []object

TransformationRefs contain references to template configuration from SecretTransformation.

ignoreExcludes boolean

IgnoreExcludes controls whether to use the SecretTransformation's Excludes data key filters.

ignoreIncludes boolean

IgnoreIncludes controls whether to use the SecretTransformation's Includes data key filters.

name string required

Name of the SecretTransformation resource.

namespace string

Namespace of the SecretTransformation resource.

templateRefs []object

TemplateRefs map to a Template found in this TransformationRef. If empty, then all templates from the SecretTransformation will be rendered to the K8s Secret.

keyOverride string

KeyOverride to the rendered template in the Destination secret. If Key is empty, then the Key from reference spec will be used. Set this to override the Key set from the reference spec.

name string required

Name of the Template in SecretTransformationSpec.Templates. the rendered secret data.

type string

Type of Kubernetes Secret. Requires Create to be set to true. Defaults to Opaque.

hcpAuthRef string

HCPAuthRef to the HCPAuth resource, can be prefixed with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to the namespace of the HCPAuth CR. If no value is specified for HCPAuthRef the Operator will default to the `default` HCPAuth, configured in the operator's namespace.

refreshAfter string

RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h

pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$

rolloutRestartTargets []object

RolloutRestartTargets should be configured whenever the application(s) consuming the HCP Vault Secrets App does not support dynamically reloading a rotated secret. In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. See RolloutRestartTarget for more details.

kind string required

Kind of the resource

enum: Deployment, DaemonSet, StatefulSet, argo.Rollout

name string required

Name of the resource

syncConfig object

SyncConfig configures sync behavior from HVS to VSO

dynamic object

Dynamic configures sync behavior for dynamic secrets.

renewalPercent integer

RenewalPercent is the percent out of 100 of a dynamic secret's TTL when new secrets are generated. Defaults to 67 percent plus up to 10% jitter.

minimum: 0

maximum: 90

status object

HCPVaultSecretsAppStatus defines the observed state of HCPVaultSecretsApp

conditions []object

Conditions hold information that can be used by other apps to determine the health of the resource instance.

lastTransitionTime string required

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

format: date-time

message string required

message is a human readable message indicating details about the transition. This may be an empty string.

maxLength: 32768

observedGeneration integer

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

format: int64

minimum: 0

reason string required

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$

minLength: 1

maxLength: 1024

status string required

status of the condition, one of True, False, Unknown.

enum: True, False, Unknown

type string required

type of condition in CamelCase or in foo.example.com/CamelCase.

pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

maxLength: 316

dynamicSecrets []object

DynamicSecrets lists the last observed state of any dynamic secrets within the HCP Vault Secrets App

createdAt string

CreatedAt is the timestamp string of when the dynamic secret was created

expiresAt string

ExpiresAt is the timestamp string of when the dynamic secret will expire

name string

Name of the dynamic secret

ttl string

TTL is the time-to-live of the dynamic secret in seconds

lastGeneration integer required

LastGeneration is the Generation of the last reconciled resource.

format: int64

secretMAC string

SecretMAC used when deciding whether new Vault secret data should be synced. The controller will compare the "new" HCP Vault Secrets App data to this value using HMAC, if they are different, then the data will be synced to the Destination. The SecretMac is also used to detect drift in the Destination Secret's Data. If drift is detected the data will be synced to the Destination.

No matches. Try .spec.appName for an exact path