
VaultAuthGlobal

secrets.hashicorp.com / v1beta1

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuthGlobal
metadata:
  name: example
```
apiVersion  string
    APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind  string
    Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata  object
spec  object
    VaultAuthGlobalSpec defines the desired state of VaultAuthGlobal.
    allowedNamespaces  []string
        AllowedNamespaces are the Kubernetes namespaces allow-listed for use with this VaultAuthGlobal. This field lets administrators choose which Kubernetes namespaces are authorized to reference this resource. Vault still enforces its own rules; this adds the ability to restrict which VaultAuthMethods can be used by which namespaces. Accepted values:
            []{"*"} - wildcard, all namespaces.
            []{"a", "b"} - list of namespaces.
            unset - disallow all namespaces except the Operator's and the referring VaultAuthMethod's namespace; this is the default behavior.
    appRole  object
        AppRole-specific auth configuration; requires that the Method be set to `appRole`.
        headers  object
            Headers to be included in all Vault requests.
        mount  string
            Mount to use when authenticating to the auth method.
        namespace  string
            Namespace to auth to in Vault.
        params  object
            Params to use when authenticating to Vault.
        roleId  string
            RoleID of the AppRole Role to use for authenticating to Vault.
        secretIDPath  string
            SecretIDPath is a file system path pointing to a file containing the plaintext Secret ID of the AppRole Role to use for authenticating to Vault. SecretIDPath and SecretRef are mutually exclusive; only one should be specified.
        secretRef  string
            SecretRef is the name of a Kubernetes Secret in the consumer's (VDS/VSS/PKI) namespace which provides the AppRole Role's SecretID. The Secret must have a key named `id` which holds the AppRole Role's SecretID. SecretIDPath and SecretRef are mutually exclusive; only one should be specified.
    aws  object
        AWS-specific auth configuration; requires that the Method be set to `aws`.
        headerValue  string
            The Vault header value to include in the STS signing request.
        headers  object
            Headers to be included in all Vault requests.
        iamEndpoint  string
            The IAM endpoint to use; if not set, the default is used.
        irsaServiceAccount  string
            IRSAServiceAccount is the name of the ServiceAccount to use with IAM Roles for Service Accounts (IRSA); it should be annotated with "eks.amazonaws.com/role-arn". This ServiceAccount is also checked for the other EKS annotations: eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration.
        mount  string
            Mount to use when authenticating to the auth method.
        namespace  string
            Namespace to auth to in Vault.
        params  object
            Params to use when authenticating to Vault.
        region  string
            AWS Region to use for signing the authentication request.
        role  string
            Vault role to use for authenticating.
        secretRef  string
            SecretRef is the name of a Kubernetes Secret in the consumer's (VDS/VSS/PKI) namespace which holds credentials for AWS. Expected keys include `access_key_id`, `secret_access_key`, `session_token`.
        sessionName  string
            The role session name to use when creating a web identity provider.
        stsEndpoint  string
            The STS endpoint to use; if not set, the default is used.
    defaultAuthMethod  string
        DefaultAuthMethod to use when authenticating to Vault.
        enum: kubernetes, jwt, appRole, aws, gcp
    defaultMount  string
        DefaultMount to use when authenticating to the auth method. If not specified, the mount of the auth method configured in Vault is used.
    defaultVaultNamespace  string
        DefaultVaultNamespace to auth to in Vault; if not specified, the namespace of the auth method is used. This can serve as a default Vault namespace for all auth methods.
    gcp  object
        GCP-specific auth configuration; requires that the Method be set to `gcp`.
        clusterName  string
            GKE cluster name. Defaults to the cluster-name returned from the operator pod's local metadata server.
        headers  object
            Headers to be included in all Vault requests.
        mount  string
            Mount to use when authenticating to the auth method.
        namespace  string
            Namespace to auth to in Vault.
        params  object
            Params to use when authenticating to Vault.
        projectID  string
            GCP project ID. Defaults to the project-id returned from the operator pod's local metadata server.
        region  string
            GCP Region of the GKE cluster's identity provider. Defaults to the region returned from the operator pod's local metadata server.
        role  string
            Vault role to use for authenticating.
        workloadIdentityServiceAccount  string
            WorkloadIdentityServiceAccount is the name of a Kubernetes ServiceAccount (in the same Kubernetes namespace as the Vault*Secret referencing this resource) which has been configured for workload identity in GKE. It should be annotated with "iam.gke.io/gcp-service-account".
    headers  object
        DefaultHeaders to be included in all Vault requests.
    jwt  object
        JWT-specific auth configuration; requires that the Method be set to `jwt`.
        audiences  []string
            TokenAudiences to include in the ServiceAccount token.
        headers  object
            Headers to be included in all Vault requests.
        mount  string
            Mount to use when authenticating to the auth method.
        namespace  string
            Namespace to auth to in Vault.
        params  object
            Params to use when authenticating to Vault.
        role  string
            Role to use for authenticating to Vault.
        secretRef  string
            SecretRef is the name of a Kubernetes Secret in the consumer's (VDS/VSS/PKI) namespace which provides the JWT token used to authenticate to Vault's JWT authentication backend. The Secret must have a key named `jwt` which holds the JWT token.
        serviceAccount  string
            ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's JWT authentication backend.
        tokenExpirationSeconds  integer
            TokenExpirationSeconds to set on the ServiceAccount token.
            format: int64
            minimum: 600
    kubernetes  object
        Kubernetes-specific auth configuration; requires that the Method be set to `kubernetes`.
        audiences  []string
            TokenAudiences to include in the ServiceAccount token.
        headers  object
            Headers to be included in all Vault requests.
        mount  string
            Mount to use when authenticating to the auth method.
        namespace  string
            Namespace to auth to in Vault.
        params  object
            Params to use when authenticating to Vault.
        role  string
            Role to use for authenticating to Vault.
        serviceAccount  string
            ServiceAccount to use when authenticating to Vault's authentication backend. It must reside in the consuming secret's (VDS/VSS/PKI) namespace.
        tokenExpirationSeconds  integer
            TokenExpirationSeconds to set on the ServiceAccount token.
            format: int64
            minimum: 600
    params  object
        DefaultParams to use when authenticating to Vault.
    vaultConnectionRef  string
        VaultConnectionRef to the VaultConnection resource; can be prefixed with a namespace, e.g. `namespaceA/vaultConnectionRefB`. If no namespace prefix is provided, it defaults to the namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef, the Operator defaults to the `default` VaultConnection configured in the operator's namespace.
status  object
    VaultAuthGlobalStatus defines the observed state of VaultAuthGlobal.
    error  string  (required)
    valid  boolean  (required)
        Valid auth mechanism.
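The schema above documents several constraints that the API server only partially enforces (the `enum` and `minimum` are in the CRD, while the mutual exclusivity of `secretIDPath`/`secretRef` and the meaning of `allowedNamespaces` are described in prose). The following is an added example, not code from the Vault Secrets Operator or its CRD: a small pre-admission linter that checks a VaultAuthGlobal manifest against those documented rules and applies the `allowedNamespaces` semantics. The manifests are constructed for illustration; the function names are this example's own, and the reading of the "unset" case (the Operator's namespace plus the VaultAuthGlobal's own namespace) is an assumption based on the description.

```python
# Added example: lint a VaultAuthGlobal (secrets.hashicorp.com/v1beta1) manifest
# against the constraints documented in its schema. Not part of the operator.

VALID_METHODS = {"kubernetes", "jwt", "appRole", "aws", "gcp"}  # defaultAuthMethod enum
MIN_TOKEN_EXPIRATION_SECONDS = 600  # schema minimum for tokenExpirationSeconds


def namespace_allowed(spec, namespace, operator_namespace, global_namespace):
    """Apply the documented allowedNamespaces semantics.

    ["*"]    -> any namespace may reference this VaultAuthGlobal
    ["a","b"] -> only the listed namespaces
    unset    -> only the Operator's namespace and the VaultAuthGlobal's own
                namespace (assumed reading of the default, most restrictive case)
    """
    allowed = spec.get("allowedNamespaces")
    if allowed is None:
        return namespace in {operator_namespace, global_namespace}
    if "*" in allowed:
        return True
    return namespace in allowed


def lint_vault_auth_global(manifest):
    """Return a list of findings (strings); an empty list means the manifest is clean."""
    findings = []
    spec = manifest.get("spec") or {}

    method = spec.get("defaultAuthMethod")
    if method is not None and method not in VALID_METHODS:
        findings.append(f"defaultAuthMethod {method!r} is not one of {sorted(VALID_METHODS)}")

    # appRole: the schema says secretIDPath and secretRef are mutually exclusive.
    app_role = spec.get("appRole") or {}
    if app_role.get("secretIDPath") and app_role.get("secretRef"):
        findings.append("appRole: secretIDPath and secretRef are mutually exclusive")

    # jwt and kubernetes blocks: tokenExpirationSeconds has a minimum of 600.
    for block in ("jwt", "kubernetes"):
        ttl = (spec.get(block) or {}).get("tokenExpirationSeconds")
        if ttl is not None and ttl < MIN_TOKEN_EXPIRATION_SECONDS:
            findings.append(
                f"{block}: tokenExpirationSeconds {ttl} is below the minimum of "
                f"{MIN_TOKEN_EXPIRATION_SECONDS}"
            )

    # A wildcard allow-list is valid, but it lets every namespace use this auth
    # configuration, so surface it for review.
    if "*" in (spec.get("allowedNamespaces") or []):
        findings.append("allowedNamespaces contains '*': every namespace may reference this resource")

    return findings


# Constructed sample manifests (not taken from any real deployment).
CLEAN_MANIFEST = {
    "apiVersion": "secrets.hashicorp.com/v1beta1",
    "kind": "VaultAuthGlobal",
    "metadata": {"name": "example", "namespace": "vault-secrets-operator"},
    "spec": {
        "allowedNamespaces": ["payments", "billing"],
        "defaultAuthMethod": "kubernetes",
        "defaultMount": "kubernetes",
        "kubernetes": {"role": "vso-role", "serviceAccount": "default",
                       "tokenExpirationSeconds": 600},
    },
}

BAD_MANIFEST = {
    "apiVersion": "secrets.hashicorp.com/v1beta1",
    "kind": "VaultAuthGlobal",
    "metadata": {"name": "example-bad", "namespace": "vault-secrets-operator"},
    "spec": {
        "allowedNamespaces": ["*"],
        "defaultAuthMethod": "ldap",  # not in the enum
        "appRole": {"roleId": "placeholder-role-id",
                    "secretIDPath": "/etc/vault/secret-id",  # both set: mutually exclusive
                    "secretRef": "approle-secret"},
        "jwt": {"role": "jwt-role", "tokenExpirationSeconds": 300},  # below minimum
    },
}

if __name__ == "__main__":
    for name, manifest in (("clean", CLEAN_MANIFEST), ("bad", BAD_MANIFEST)):
        print(f"{name}: {lint_vault_auth_global(manifest) or 'no findings'}")
    print(namespace_allowed(CLEAN_MANIFEST["spec"], "billing", "vault-secrets-operator",
                            "vault-secrets-operator"))
```

The linter is meant to run in CI or as a validating webhook before `kubectl apply`, so that a manifest that silently widens access (wildcard allow-list) or that the operator would reject at reconcile time (both AppRole secret sources set) is caught where it is cheapest to fix.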
