
VaultAuth

secrets.hashicorp.com / v1beta1

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
VaultAuthSpec defines the desired state of VaultAuth
allowedNamespaces []string
AllowedNamespaces lists the Kubernetes namespaces that are allow-listed to use this VaultAuth. It lets administrators restrict, on the operator side, which namespaces may reference this auth method; Vault still enforces its own rules independently, so this is an additional gate rather than a replacement for Vault's role bindings. You only need to set allowedNamespaces when a consumer in a different namespace than the VaultAuth references it; consumers in the same namespace as the VaultAuth bypass this check. Accepted values: ["*"] - wildcard, all namespaces; ["a", "b"] - an explicit list of namespaces; unset - disallow all namespaces except the VaultAuth's own namespace (the default).
appRole object
AppRole specific auth configuration, requires that the Method be set to `appRole`.
roleId string
RoleID of the AppRole Role to use for authenticating to Vault.
secretIDPath string
SecretIDPath is a file system path pointing to a file containing the plaintext Secret ID for the AppRole Role to use for authenticating to Vault. SecretIDPath and SecretRef are mutually exclusive, and only one should be specified.
secretRef string
SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which provides the AppRole Role's SecretID. The secret must have a key named `id` which holds the AppRole Role's secretID. SecretIDPath and SecretRef are mutually exclusive, and only one should be specified.
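As an added example (not taken from the operator's own documentation), here is an AppRole VaultAuth wired to a Kubernetes Secret through secretRef. The Secret must live in the namespace of the consuming VaultStaticSecret/VaultDynamicSecret/VaultPKISecret and must carry the SecretID under the key `id`. The namespace `team-a`, the mount name `approle`, the role ID and the resource names are assumed values.

```yaml
# Constructed example. Assumed: consumer namespace "team-a", AppRole mount "approle".
apiVersion: v1
kind: Secret
metadata:
  name: vault-approle-secretid
  namespace: team-a          # must be the consumer's namespace, not the operator's
type: Opaque
stringData:
  # Key name "id" is required by the schema. Populate it out of band, e.g. from
  # `vault write -f auth/approle/role/<role_name>/secret-id`; never commit a real value.
  id: "REPLACE_WITH_SECRET_ID"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: approle-auth
  namespace: team-a
spec:
  method: appRole
  mount: approle
  appRole:
    roleId: 8f5e2c6b-0000-4000-8000-000000000000   # assumed value; not secret, but treat it as need-to-know
    secretRef: vault-approle-secretid
    # secretIDPath: /var/run/secrets/approle/secret-id
    # secretIDPath and secretRef are mutually exclusive: set exactly one of them.
```

Because secretRef is resolved in the consumer's namespace, a VaultAuth that is shared across namespaces via allowedNamespaces needs a copy of the SecretID Secret in every consuming namespace; a missing or misnamed Secret shows up as an invalid VaultAuth in status.error.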
aws object
AWS specific auth configuration, requires that Method be set to `aws`.
headerValue string
The Vault header value to include in the STS signing request
iamEndpoint string
The IAM endpoint to use; if not set will use the default
irsaServiceAccount string
IRSAServiceAccount is the name of the Kubernetes ServiceAccount to use with IAM Roles for Service Accounts (IRSA); it should be annotated with "eks.amazonaws.com/role-arn". The ServiceAccount is also checked for the other EKS annotations eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration.
region string
AWS Region to use for signing the authentication request
role string
Vault role to use for authenticating
secretRef string
SecretRef is the name of a Kubernetes Secret in the consumer's (VDS/VSS/PKI) namespace which holds credentials for AWS. Expected keys include `access_key_id`, `secret_access_key`, `session_token`
sessionName string
The role session name to use when creating a web identity provider
stsEndpoint string
The STS endpoint to use; if not set will use the default
gcp object
GCP specific auth configuration, requires that Method be set to `gcp`.
clusterName string
GKE cluster name. Defaults to the cluster-name returned from the operator pod's local metadata server.
projectID string
GCP project ID. Defaults to the project-id returned from the operator pod's local metadata server.
region string
GCP Region of the GKE cluster's identity provider. Defaults to the region returned from the operator pod's local metadata server.
role string
Vault role to use for authenticating
workloadIdentityServiceAccount string
WorkloadIdentityServiceAccount is the name of a Kubernetes service account (in the same Kubernetes namespace as the Vault*Secret referencing this resource) which has been configured for workload identity in GKE. Should be annotated with "iam.gke.io/gcp-service-account".
headers object
Headers to be included in all Vault requests.
jwt object
JWT specific auth configuration, requires that the Method be set to `jwt`.
audiences []string
TokenAudiences to include in the ServiceAccount token.
role string
Role to use for authenticating to Vault.
secretRef string
SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which provides the JWT token to authenticate to Vault's JWT authentication backend. The secret must have a key named `jwt` which holds the JWT token.
serviceAccount string
ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's JWT authentication backend.
tokenExpirationSeconds integer
TokenExpirationSeconds to set the ServiceAccount token.
format: int64
minimum: 600
kubernetes object
Kubernetes specific auth configuration, requires that the Method be set to `kubernetes`.
audiences []string
TokenAudiences to include in the ServiceAccount token.
role string
Role to use for authenticating to Vault.
serviceAccount string
ServiceAccount to use when authenticating to Vault's authentication backend. This must reside in the consuming secret's (VDS/VSS/PKI) namespace.
tokenExpirationSeconds integer
TokenExpirationSeconds to set the ServiceAccount token.
format: int64
minimum: 600
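The allowedNamespaces field and the kubernetes auth block above combine into the common pattern of one platform-owned VaultAuth shared by several application namespaces. The following is an added example, not the operator's own code: the VaultAuth sits in an assumed namespace `vso-shared`, is opened only to `team-a` and `team-b`, and is referenced from a VaultStaticSecret in `team-a`. The Vault role `app-reader`, the ServiceAccount `vault-reader` and the KV mount/path are assumed; the VaultStaticSecret fields (vaultAuthRef, mount, path, type, destination) come from the VaultStaticSecret CRD, which is not on this page.

```yaml
# Constructed example. Assumed namespaces: vso-shared (platform), team-a, team-b.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: shared-k8s-auth
  namespace: vso-shared
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: app-reader               # assumed Vault role; bind it to the consuming namespaces on the Vault side too
    serviceAccount: vault-reader   # resolved in the consumer's namespace: team-a/vault-reader, team-b/vault-reader
    audiences: ["vault"]
    tokenExpirationSeconds: 600    # schema minimum; keep projected tokens short-lived
  # Without this list only consumers in vso-shared may use this VaultAuth.
  # ["*"] would open it to every namespace in the cluster; prefer an explicit list.
  allowedNamespaces:
    - team-a
    - team-b
---
# Consumer in team-a referencing the shared VaultAuth by namespace-qualified name.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: app-config
  namespace: team-a
spec:
  vaultAuthRef: vso-shared/shared-k8s-auth
  mount: kv                        # assumed KV v2 mount
  path: team-a/app-config          # assumed path
  type: kv-v2
  destination:
    name: app-config
    create: true
```

A consumer in a namespace not in allowedNamespaces (say `team-c`) is rejected by the operator before any request reaches Vault. The check is defence in depth: the Vault role's own service account and namespace bindings still apply, so a namespace the operator allows but Vault does not will fail at login.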
method string
Method to use when authenticating to Vault.
enum: kubernetes, jwt, appRole, aws, gcp
mount string
Mount to use when authenticating to auth method.
namespace string
Namespace to auth to in Vault
params object
Params to use when authenticating to Vault
storageEncryption object
StorageEncryption provides the configuration needed to encrypt the client storage cache. Configure it only when client cache persistence with encryption is enabled, which is done by setting the manager's command-line argument --client-cache-persistence-model=direct-encrypted. Typically there should be only one VaultAuth configured with StorageEncryption in the cluster, and it should carry the label cacheStorageEncryption=true.
keyName string required
KeyName to use for encrypt/decrypt operations via Vault Transit.
mount string required
Mount path of the Transit engine in Vault.
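An added example of the one-per-cluster cache encryption VaultAuth described above (constructed for this page, not the operator's own manifest). The operator namespace, the Transit mount `transit`, the key `vso-client-cache`, the Vault role and the operator ServiceAccount name are assumed; the operator must also be started with --client-cache-persistence-model=direct-encrypted for this resource to be used.

```yaml
# Constructed example. Assumed: operator installed in vault-secrets-operator-system,
# Transit engine mounted at "transit" with a key named "vso-client-cache".
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: cache-encryption-auth
  namespace: vault-secrets-operator-system
  labels:
    cacheStorageEncryption: "true"    # the operator selects the encryption VaultAuth by this label
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso-cache-encryption        # assumed Vault role; scope its policy to this one Transit key
    serviceAccount: vault-secrets-operator-controller-manager   # assumed operator ServiceAccount
    audiences: ["vault"]
  storageEncryption:
    mount: transit
    keyName: vso-client-cache
```

Both storageEncryption fields are required. Give the bound Vault role a policy limited to update on `transit/encrypt/vso-client-cache` and `transit/decrypt/vso-client-cache`; the cache holds live Vault tokens and leases, so this VaultAuth should not double as an application auth method.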
vaultAuthGlobalRef object
VaultAuthGlobalRef is a reference to a VaultAuthGlobal resource whose settings are merged into this VaultAuth.
allowDefault boolean
AllowDefault, when set to true, uses the default VaultAuthGlobal resource if Name is not set. The 'allow-default-globals' option must be set on the operator's '-global-vault-auth-options' flag. The default VaultAuthGlobal search is conditional: when a ref Namespace is set, the search is constrained to that namespace. Otherwise the search order is: 1. the default VaultAuthGlobal resource in the referring VaultAuth resource's namespace; 2. the default VaultAuthGlobal resource in the Operator's namespace.
mergeStrategy object
MergeStrategy configures the merge strategy for HTTP headers and parameters that are included in all Vault authentication requests.
headers string
Headers configures the merge strategy for HTTP headers that are included in all Vault requests. Choices are `union`, `replace`, or `none`. If `union` is set, the headers from the VaultAuthGlobal and VaultAuth resources are merged, and on a conflict the header from the VaultAuth takes precedence. If `replace` is set, the headers are taken from the first non-empty set in this order: VaultAuth, VaultAuthGlobal auth method, VaultAuthGlobal default headers. If `none` is set, the headers from the VaultAuthGlobal resource are ignored and only the headers from the VaultAuth resource are used. The default is `none`.
enum: union, replace, none
params string
Params configures the merge strategy for HTTP parameters that are included in all Vault requests. Choices are `union`, `replace`, or `none`. If `union` is set, the parameters from the VaultAuthGlobal and VaultAuth resources are merged, and on a conflict the parameter from the VaultAuth takes precedence. If `replace` is set, the parameters are taken from the first non-empty set in this order: VaultAuth, VaultAuthGlobal auth method, VaultAuthGlobal default parameters. If `none` is set, the parameters from the VaultAuthGlobal resource are ignored and only the parameters from the VaultAuth resource are used. The default is `none`.
enum: union, replace, none
name string
Name of the VaultAuthGlobal resource.
pattern: ^([a-z0-9.-]{1,253})$
namespace string
Namespace of the VaultAuthGlobal resource. If not provided, the namespace of the referring VaultAuth resource is used.
pattern: ^([a-z0-9-]{1,63})$
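To show how the allowDefault lookup and the mergeStrategy choices above interact, here is an added example (constructed for this page, not the operator's own manifests). A VaultAuthGlobal named `default` in the assumed namespace `team-a` supplies the auth method, mount, role and some headers; a VaultAuth in the same namespace picks it up through allowDefault and unions its own headers on top. The VaultAuthGlobal field names (defaultAuthMethod, defaultMount, defaultHeaders, kubernetes.*) are taken from the VaultAuthGlobal CRD, which is not on this page, and the operator is assumed to run with 'allow-default-globals' enabled on its -global-vault-auth-options flag.

```yaml
# Constructed example. Assumed namespace: team-a; assumed Vault role and ServiceAccount names.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuthGlobal
metadata:
  name: default               # the name the default-global lookup searches for
  namespace: team-a
spec:
  defaultAuthMethod: kubernetes
  defaultMount: kubernetes
  defaultHeaders:
    X-Vault-Request-Source: vso
    X-Vault-Request-Team: platform
  kubernetes:
    role: team-a-reader
    serviceAccount: vault-reader
    audiences: ["vault"]
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: team-a-auth
  namespace: team-a
spec:
  vaultAuthGlobalRef:
    allowDefault: true        # no name: look for "default" in team-a first, then in the operator's namespace
    mergeStrategy:
      headers: union          # global headers plus these; on a clash the VaultAuth value wins
      params: none            # ignore global params entirely (the default)
  headers:
    X-Vault-Request-Team: team-a    # overrides the global "platform" value under union
  # method, mount, kubernetes.role and kubernetes.serviceAccount are inherited from the VaultAuthGlobal.
```

With `headers: union`, every Vault request from this VaultAuth carries `X-Vault-Request-Source: vso` from the global and `X-Vault-Request-Team: team-a` from the VaultAuth. Switching to `headers: replace` would drop the global headers entirely because the VaultAuth's own set is non-empty, and `none` (the default) would do the same regardless. Pin `name` and `namespace` in vaultAuthGlobalRef when you need a specific global rather than whichever `default` wins the search order.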
vaultConnectionRef string
VaultConnectionRef to the VaultConnection resource, can be prefixed with a namespace, eg: `namespaceA/vaultConnectionRefB`. If no namespace prefix is provided it will default to the namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the Operator will default to the `default` VaultConnection, configured in the operator's namespace.
status object
VaultAuthStatus defines the observed state of VaultAuth
conditions []object
Conditions hold information that can be used by other apps to determine the health of the resource instance.
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
error string
Error is a human-readable error message indicating why the VaultAuth is invalid.
specHash string
SpecHash is a SHA256 hash of the spec, used to determine if the spec has changed.
valid boolean
Valid auth mechanism.
