
VaultDynamicSecret

secrets.hashicorp.com / v1beta1

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
VaultDynamicSecretSpec defines the desired state of VaultDynamicSecret
allowStaticCreds boolean
AllowStaticCreds should be set when syncing credentials that are periodically rotated by the Vault server, rather than created upon request. These secrets are sometimes referred to as "static roles", or "static credentials", with a request path that contains "static-creds".
destination object required
Destination provides configuration necessary for syncing the Vault secret to Kubernetes.
annotations object
Annotations to apply to the Secret. Requires Create to be set to true.
create boolean
Create the destination Secret. If the Secret already exists this should be set to false.
labels object
Labels to apply to the Secret. Requires Create to be set to true.
name string required
Name of the Secret
overwrite boolean
Overwrite the destination Secret if it exists and Create is true. This is useful when migrating to VSO from a previous secret deployment strategy.
transformation object
Transformation provides configuration for transforming the secret data before it is stored in the Destination.
excludeRaw boolean
ExcludeRaw data from the destination Secret. The exclusion policy can be set globally by including 'exclude-raw' in the '--global-transformation-options' command line flag. If set, the command line flag always takes precedence over this configuration.
excludes []string
Excludes contains regex patterns used to filter top-level source secret data fields for exclusion from the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied before any inclusion patterns. To exclude all source secret data fields, you can configure the single pattern ".*".
includes []string
Includes contains regex patterns used to filter top-level source secret data fields for inclusion in the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied last.
templates object
Templates maps a template name to its Template. Templates are always included in the rendered K8s Secret, and take precedence over templates defined in a SecretTransformation.
transformationRefs []object
TransformationRefs contain references to template configuration from SecretTransformation.
ignoreExcludes boolean
IgnoreExcludes controls whether to use the SecretTransformation's Excludes data key filters.
ignoreIncludes boolean
IgnoreIncludes controls whether to use the SecretTransformation's Includes data key filters.
name string required
Name of the SecretTransformation resource.
namespace string
Namespace of the SecretTransformation resource.
templateRefs []object
TemplateRefs map to a Template found in this TransformationRef. If empty, then all templates from the SecretTransformation will be rendered to the K8s Secret.
keyOverride string
KeyOverride to the rendered template in the Destination secret. If Key is empty, then the Key from reference spec will be used. Set this to override the Key set from the reference spec.
name string required
Name of the Template in SecretTransformationSpec.Templates.
type string
Type of Kubernetes Secret. Requires Create to be set to true. Defaults to Opaque.
mount string required
Mount path of the secret's engine in Vault.
namespace string
Namespace of the secrets engine mount in Vault. If not set, the namespace that is part of the VaultAuth resource will be inferred.
params object
Params that can be passed when requesting credentials/secrets. When Params is set the configured RequestHTTPMethod will be ignored. See RequestHTTPMethod for more details. Please consult https://developer.hashicorp.com/vault/docs/secrets if you are uncertain about what 'params' should/can be set to.
path string required
Path in Vault to get the credentials for, and is relative to Mount. Please consult https://developer.hashicorp.com/vault/docs/secrets if you are uncertain about what 'path' should be set to.
refreshAfter string
RefreshAfter is the period of time after which VSO re-syncs the source secret data, in duration notation, e.g. 30s, 1m, 24h. This value only needs to be set when syncing from a secrets engine that does not provide a lease TTL in its response. The value should be within the secrets engine's configured ttl or max_ttl. The source secret's lease duration takes precedence over this configuration when it is greater than 0.
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
renewalPercent integer
RenewalPercent is the percent out of 100 of the lease duration when the lease is renewed. Defaults to 67 percent plus jitter.
minimum: 0
maximum: 90
requestHTTPMethod string
RequestHTTPMethod to use when syncing Secrets from Vault. Setting a value here is not typically required. If left unset the Operator will make requests using the GET method. In the case where Params are specified the Operator will use the PUT method. Please consult https://developer.hashicorp.com/vault/docs/secrets if you are uncertain about what method to use. Of note, the Vault client treats PUT and POST as being equivalent. The underlying Vault client implementation will always use the PUT method.
enum: GET, POST, PUT
revoke boolean
Revoke the existing lease on VDS resource deletion.
rolloutRestartTargets []object
RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do not support dynamically reloading a rotated secret. In that case one or more RolloutRestartTargets can be configured here. The Operator will trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. See RolloutRestartTarget for more details.
kind string required
Kind of the resource
enum: Deployment, DaemonSet, StatefulSet, argo.Rollout
name string required
Name of the resource
vaultAuthRef string
VaultAuthRef to the VaultAuth resource, which can be prefixed with a namespace, e.g. `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to the namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will default to the `default` VaultAuth, configured in the operator's namespace.
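Two manifests assembled from the spec fields listed above, added here as an example and not taken from the page or from the operator's own documentation; the namespaces, mount, role paths, Secret and Deployment names are assumed placeholders. The first covers leased credentials issued on request, the second the "static-creds" case that requires allowStaticCreds:

```yaml
# Leased (on-request) credentials: Vault returns a lease TTL, so no refreshAfter
# is needed; the Operator renews at renewalPercent of the lease duration and
# revokes the lease when this CR is deleted.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: db-creds-dynamic
  namespace: app                          # assumed application namespace
spec:
  vaultAuthRef: vault-system/vault-auth   # assumed, in the namespaceA/vaultAuthRefB form
  mount: database                         # assumed secrets engine mount
  path: creds/app-readonly                # assumed role, relative to mount
  renewalPercent: 50                      # must be within 0..90; default is 67 plus jitter
  revoke: true
  destination:
    name: db-creds
    create: true
    type: Opaque
    transformation:
      excludeRaw: true                    # do not copy the raw Vault response into the Secret
      includes: ["^(username|password)$"] # regex on top-level source fields, applied last
  rolloutRestartTargets:                  # the consumer cannot hot-reload, so restart it on change
    - kind: Deployment
      name: api                           # assumed workload name
---
# Static (Vault-rotated) credentials: the request path contains "static-creds"
# and allowStaticCreds must be true so the Operator tracks rotation via
# status.staticCredsMetaData and status.secretMAC rather than a lease.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: db-creds-static
  namespace: app                          # assumed application namespace
spec:
  vaultAuthRef: vault-system/vault-auth   # assumed
  mount: database                         # assumed secrets engine mount
  path: static-creds/app-reporting        # assumed static role, relative to mount
  allowStaticCreds: true
  destination:
    name: db-creds-reporting
    create: true
    overwrite: true                       # take over a Secret left by a previous deployment strategy
```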
status object
VaultDynamicSecretStatus defines the observed state of VaultDynamicSecret
conditions []object
Conditions hold information that can be used by other apps to determine the health of the resource instance.
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
lastGeneration integer required
LastGeneration is the Generation of the last reconciled resource.
format: int64
lastRenewalTime integer required
LastRenewalTime of the last successful secret lease renewal.
format: int64
lastRuntimePodUID string
LastRuntimePodUID used for tracking the transition from one Pod to the next. It is used to mitigate the effects of a Vault lease renewal storm.
secretLease object required
SecretLease for the Vault secret.
duration integer required
LeaseDuration of the Vault secret.
id string required
ID of the Vault secret.
renewable boolean required
Renewable indicates whether the Vault secret lease is renewable.
requestID string required
RequestID of the Vault secret request.
secretMAC string
SecretMAC is used when deciding whether new Vault secret data should be synced. The controller compares an HMAC of the "new" Vault secret data to this value; if they differ, the data is synced to the Destination. The SecretMAC is also used to detect drift in the Destination Secret's Data; if drift is detected the data is synced to the Destination. SecretMAC will only be stored when VaultDynamicSecretSpec.AllowStaticCreds is true.
staticCredsMetaData object
StaticCredsMetaData contains the static creds response meta-data
lastVaultRotation integer required
LastVaultRotation represents the last time Vault rotated the password
format: int64
rotationPeriod integer required
RotationPeriod is the number of seconds between each rotation, effectively a "time to live". This value is compared to the LastVaultRotation to determine whether a password needs to be rotated.
format: int64
rotationSchedule string
RotationSchedule is a "cron style" string representing the allowed schedule for each rotation. e.g. "1 0 * * *" would rotate at one minute past midnight (00:01) every day.
ttl integer required
TTL is the seconds remaining before the next rotation.
format: int64
vaultClientMeta object
VaultClientMeta contains the status of the Vault client and is used during resource reconciliation.
cacheKey string
CacheKey is the unique key used to identify the client cache.
id string
ID is the Vault ID of the authenticated client. The ID should never contain any sensitive information.
