VaultStaticSecret

secrets.hashicorp.com / v1beta1

apiVersion: secrets.hashicorp.com/v1beta1 kind: VaultStaticSecret metadata: name: example

apiVersion string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata object

spec object

VaultStaticSecretSpec defines the desired state of VaultStaticSecret

destination object required

Destination provides configuration necessary for syncing the Vault secret to Kubernetes.

annotations object

Annotations to apply to the Secret. Requires Create to be set to true.

create boolean

Create the destination Secret. If the Secret already exists this should be set to false.

labels object

Labels to apply to the Secret. Requires Create to be set to true.

name string required

Name of the Secret

overwrite boolean

Overwrite the destination Secret if it exists and Create is true. This is useful when migrating to VSO from a previous secret deployment strategy.

transformation object

Transformation provides configuration for transforming the secret data before it is stored in the Destination.

excludeRaw boolean

ExcludeRaw data from the destination Secret. Exclusion policy can be set globally by including 'exclude-raw` in the '--global-transformation-options' command line flag. If set, the command line flag always takes precedence over this configuration.

excludes []string

Excludes contains regex patterns used to filter top-level source secret data fields for exclusion from the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied before any inclusion patterns. To exclude all source secret data fields, you can configure the single pattern ".*".

includes []string

Includes contains regex patterns used to filter top-level source secret data fields for inclusion in the final K8s Secret data. These pattern filters are never applied to templated fields as defined in Templates. They are always applied last.

templates object

Templates maps a template name to its Template. Templates are always included in the rendered K8s Secret, and take precedence over templates defined in a SecretTransformation.

transformationRefs []object

TransformationRefs contain references to template configuration from SecretTransformation.

ignoreExcludes boolean

IgnoreExcludes controls whether to use the SecretTransformation's Excludes data key filters.

ignoreIncludes boolean

IgnoreIncludes controls whether to use the SecretTransformation's Includes data key filters.

name string required

Name of the SecretTransformation resource.

namespace string

Namespace of the SecretTransformation resource.

templateRefs []object

TemplateRefs map to a Template found in this TransformationRef. If empty, then all templates from the SecretTransformation will be rendered to the K8s Secret.

keyOverride string

KeyOverride to the rendered template in the Destination secret. If Key is empty, then the Key from reference spec will be used. Set this to override the Key set from the reference spec.

name string required

Name of the Template in SecretTransformationSpec.Templates. the rendered secret data.

type string

Type of Kubernetes Secret. Requires Create to be set to true. Defaults to Opaque.

hmacSecretData boolean

HMACSecretData determines whether the Operator computes the HMAC of the Secret's data. The MAC value will be stored in the resource's Status.SecretMac field, and will be used for drift detection and during incoming Vault secret comparison. Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault.

mount string required

Mount for the secret in Vault

namespace string

Namespace of the secrets engine mount in Vault. If not set, the namespace that's part of VaultAuth resource will be inferred.

path string required

Path of the secret in Vault, corresponds to the `path` parameter for: kv-v1: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1#read-secret kv-v2: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version

refreshAfter string

RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h

pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$

rolloutRestartTargets []object

RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does not support dynamically reloading a rotated secret. In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. All configured targets will be ignored if HMACSecretData is set to false. See RolloutRestartTarget for more details.

kind string required

Kind of the resource

enum: Deployment, DaemonSet, StatefulSet, argo.Rollout

name string required

Name of the resource

syncConfig object

SyncConfig configures sync behavior from Vault to VSO

instantUpdates boolean

InstantUpdates is a flag to indicate that event-driven updates are enabled for this VaultStaticSecret

type string required

Type of the Vault static secret

enum: kv-v1, kv-v2

vaultAuthRef string

VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to the namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will default to the `default` VaultAuth, configured in the operator's namespace.

version integer

Version of the secret to fetch. Only valid for type kv-v2. Corresponds to version query parameter: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#version

minimum: 0

status object

VaultStaticSecretStatus defines the observed state of VaultStaticSecret

conditions []object

Conditions hold information that can be used by other apps to determine the health of the resource instance.

lastTransitionTime string required

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

format: date-time

message string required

message is a human readable message indicating details about the transition. This may be an empty string.

maxLength: 32768

observedGeneration integer

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

format: int64

minimum: 0

reason string required

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$

minLength: 1

maxLength: 1024

status string required

status of the condition, one of True, False, Unknown.

enum: True, False, Unknown

type string required

type of condition in CamelCase or in foo.example.com/CamelCase.

pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

maxLength: 316

lastGeneration integer required

LastGeneration is the Generation of the last reconciled resource.

format: int64

secretMAC string

SecretMAC used when deciding whether new Vault secret data should be synced. The controller will compare the "new" Vault secret data to this value using HMAC, if they are different, then the data will be synced to the Destination. The SecretMac is also used to detect drift in the Destination Secret's Data. If drift is detected the data will be synced to the Destination.

vaultClientMeta object

VaultClientMeta contains the status of the Vault client and is used during resource reconciliation.

cacheKey string

CacheKey is the unique key used to identify the client cache.

id string

ID is the Vault ID of the authenticated client. The ID should never contain any sensitive information.

No matches. Try .spec.destination for an exact path