VaultPKISecret
secrets.hashicorp.com / v1beta1
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultPKISecret
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec
object
VaultPKISecretSpec defines the desired state of VaultPKISecret
altNames
[]string
AltNames to include in the request.
May contain both DNS names and email addresses.
clear
boolean
Clear the Kubernetes secret when the resource is deleted.
commonName
string
CommonName to include in the request.
destination
object required
Destination provides configuration necessary for syncing the Vault secret
to Kubernetes. If the type is set to "kubernetes.io/tls", "tls.key" will
be set to the "private_key" response from Vault, and "tls.crt" will be
set to "certificate" + "ca_chain" from the Vault response ("issuing_ca"
is used when "ca_chain" is empty). The "remove_roots_from_chain=true"
option is used with Vault to exclude the root CA from the Vault response.
annotations
object
Annotations to apply to the Secret. Requires Create to be set to true.
create
boolean
Create the destination Secret.
If the Secret already exists this should be set to false.
labels
object
Labels to apply to the Secret. Requires Create to be set to true.
name
string required
Name of the Secret
overwrite
boolean
Overwrite the destination Secret if it exists and Create is true. This is
useful when migrating to VSO from a previous secret deployment strategy.
transformation
object
Transformation provides configuration for transforming the secret data before
it is stored in the Destination.
excludeRaw
boolean
ExcludeRaw data from the destination Secret. Exclusion policy can be set
globally by including 'exclude-raw' in the '--global-transformation-options'
command line flag. If set, the command line flag always takes precedence over
this configuration.
excludes
[]string
Excludes contains regex patterns used to filter top-level source secret data
fields for exclusion from the final K8s Secret data. These pattern filters are
never applied to templated fields as defined in Templates. They are always
applied before any inclusion patterns. To exclude all source secret data
fields, you can configure the single pattern ".*".
includes
[]string
Includes contains regex patterns used to filter top-level source secret data
fields for inclusion in the final K8s Secret data. These pattern filters are
never applied to templated fields as defined in Templates. They are always
applied last.
templates
object
Templates maps a template name to its Template. Templates are always included
in the rendered K8s Secret, and take precedence over templates defined in a
SecretTransformation.
transformationRefs
[]object
TransformationRefs contain references to template configuration from
SecretTransformation.
ignoreExcludes
boolean
IgnoreExcludes controls whether to use the SecretTransformation's Excludes
data key filters.
ignoreIncludes
boolean
IgnoreIncludes controls whether to use the SecretTransformation's Includes
data key filters.
name
string required
Name of the SecretTransformation resource.
namespace
string
Namespace of the SecretTransformation resource.
templateRefs
[]object
TemplateRefs map to a Template found in this TransformationRef. If empty, then
all templates from the SecretTransformation will be rendered to the K8s Secret.
keyOverride
string
KeyOverride to the rendered template in the Destination secret. If Key is
empty, then the Key from reference spec will be used. Set this to override the
Key set from the reference spec.
name
string required
Name of the Template in SecretTransformationSpec.Templates.
the rendered secret data.
type
string
Type of Kubernetes Secret. Requires Create to be set to true.
Defaults to Opaque.
excludeCNFromSans
boolean
ExcludeCNFromSans from DNS or Email Subject Alternate Names.
Default: false
expiryOffset
string
ExpiryOffset to use for computing when the certificate should be renewed.
The rotation time will be the difference between the expiration and the offset.
Should be in duration notation, e.g. 30s, 120s, etc.
pattern:
^([0-9]+(\.[0-9]+)?(s|m|h))$
format
string
Format for the certificate. Choices: "pem", "der", "pem_bundle".
If "pem_bundle", any private key and issuing cert will be appended to the
certificate pem. If "der", the value will be base64 encoded.
Default: pem
ipSans
[]string
IPSans to include in the request.
issuerRef
string
IssuerRef references an existing PKI issuer, either by its Vault-generated
identifier, by the literal string "default" (the currently configured default
issuer), or by the name assigned to the issuer.
This parameter is part of the request URL.
mount
string required
Mount for the secret in Vault
namespace
string
Namespace of the secrets engine mount in Vault. If not set, the namespace that is
part of the VaultAuth resource will be inferred.
notAfter
string
NotAfter field of the certificate with specified date value.
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
otherSans
[]string
Requested other SANs, in an array with the format
oid;type:value for each entry.
privateKeyFormat
string
PrivateKeyFormat, generally the default will be controlled by the Format
parameter as either base64-encoded DER or PEM-encoded DER.
However, this can be set to "pkcs8" to have the returned
private key contain base64-encoded pkcs8 or PEM-encoded
pkcs8 instead.
Default: der
revoke
boolean
Revoke the certificate when the resource is deleted.
role
string required
Role in Vault to use when issuing TLS certificates.
rolloutRestartTargets
[]object
RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do
not support dynamically reloading a rotated secret.
In that case one or more RolloutRestartTarget(s) can be configured here. The Operator will
trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
See RolloutRestartTarget for more details.
kind
string required
Kind of the resource
enum:
Deployment, DaemonSet, StatefulSet, argo.Rollout
name
string required
Name of the resource
ttl
string
TTL for the certificate; sets the expiration date.
If not specified the Vault role's default,
backend default, or system default TTL is used, in that order.
Cannot be larger than the mount's max TTL.
Note: this only has an effect when generating a CA cert or signing a CA cert,
not when generating a CSR for an intermediate CA.
Should be in duration notation e.g. 120s, 2h, etc.
pattern:
^([0-9]+(\.[0-9]+)?(s|m|h|d))$
uriSans
[]string
The requested URI SANs.
userIDs
[]string
User ID (OID 0.9.2342.19200300.100.1.1) Subject values to be placed on the
signed certificate.
vaultAuthRef
string
VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace,
eg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to
the namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator
will default to the `default` VaultAuth, configured in the operator's namespace.
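The following manifest is an added example that ties the spec fields above together; it is not taken from the page or from the Vault Secrets Operator project. All names in it are assumptions: the `app` namespace, the `pki` mount, the `web-server` role, the `vault-auth` VaultAuth resource, the `web` Deployment and the ClusterIP. It shows the kubernetes.io/tls destination, a renewal window via expiryOffset, cleanup on delete, a transformation that strips raw and unneeded response fields, and a rollout restart so pods pick up the rotated certificate.

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultPKISecret
metadata:
  name: web-tls
  namespace: app                      # assumed application namespace
spec:
  # Vault side (all names assumed): PKI mount, role and issuer.
  mount: pki
  role: web-server                    # role should be scoped to the allowed domains only
  issuerRef: default                  # literal "default" = the mount's default issuer
  vaultAuthRef: vault-auth            # same-namespace VaultAuth; "app/vault-auth" also valid

  # Subject and SANs requested from the role.
  commonName: web.app.svc.cluster.local
  altNames:
    - web.app.svc
    - web.app.svc.cluster.local
  ipSans:
    - 10.96.0.10                      # constructed ClusterIP, for illustration only
  excludeCNFromSans: false

  # Lifetime: 24h certificates, renewed 1h before expiry
  # (rotation time = expiration - expiryOffset).
  ttl: 24h
  expiryOffset: 1h
  format: pem
  privateKeyFormat: pkcs8

  # Cleanup when this resource is deleted: revoke the cert in Vault
  # and remove the Kubernetes Secret so no orphaned key material remains.
  revoke: true
  clear: true

  # Kubernetes side: a TLS Secret created and owned by the Operator.
  destination:
    name: web-tls
    create: true
    overwrite: false                  # refuse to clobber a pre-existing Secret
    type: kubernetes.io/tls           # tls.key <- private_key, tls.crt <- certificate + ca_chain
    labels:
      app: web
    transformation:
      excludeRaw: true                # keep the raw Vault response out of the Secret
      excludes:                       # excludes are applied before any includes
        - "^private_key_type$"
        - "^expiration$"

  # The web Deployment does not hot-reload its cert, so restart it on rotation.
  rolloutRestartTargets:
    - kind: Deployment
      name: web
```

Two things to check after applying this: the Vault role must actually permit the requested common name, SANs and TTL (a TTL above the mount's max TTL is rejected), and the Operator's Kubernetes service account needs update/patch permission on the Deployment for the rollout restart to succeed. Keep `overwrite: false` unless you are deliberately migrating from a previously managed Secret, so a misnamed resource cannot silently replace someone else's key material.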
status
object
VaultPKISecretStatus defines the observed state of VaultPKISecret
conditions
[]object
Conditions hold information that can be used by other apps to determine the
health of the resource instance.
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
error
string required
expiration
integer
format:
int64
lastGeneration
integer required
LastGeneration is the Generation of the last reconciled resource.
format:
int64
lastRotation
integer required
LastRotation of the certificate.
format:
int64
secretMAC
string
SecretMAC is used when deciding whether new Vault secret data should be synced.
The controller computes an HMAC over the "new" Vault secret data and compares it to
this value; if they differ, the data is synced to the Destination.
The SecretMAC is also used to detect drift in the Destination Secret's Data.
If drift is detected the data will be synced to the Destination.
serialNumber
string
valid
boolean required