{ "description": "VaultStaticSecret is the Schema for the vaultstaticsecrets API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": [ "string", "null" ] }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": [ "string", "null" ] }, "metadata": { "type": [ "object", "null" ] }, "spec": { "additionalProperties": false, "description": "VaultStaticSecretSpec defines the desired state of VaultStaticSecret", "properties": { "destination": { "additionalProperties": false, "description": "Destination provides configuration necessary for syncing the Vault secret to Kubernetes.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations to apply to the Secret. Requires Create to be set to true.", "type": [ "object", "null" ] }, "create": { "default": false, "description": "Create the destination Secret.\nIf the Secret already exists this should be set to false.", "type": [ "boolean", "null" ] }, "labels": { "additionalProperties": { "type": "string" }, "description": "Labels to apply to the Secret. Requires Create to be set to true.", "type": [ "object", "null" ] }, "name": { "description": "Name of the Secret", "type": "string" }, "overwrite": { "default": false, "description": "Overwrite the destination Secret if it exists and Create is true. This is\nuseful when migrating to VSO from a previous secret deployment strategy.", "type": [ "boolean", "null" ] }, "transformation": { "additionalProperties": false, "description": "Transformation provides configuration for transforming the secret data before\nit is stored in the Destination.", "properties": { "excludeRaw": { "description": "ExcludeRaw data from the destination Secret. Exclusion policy can be set\nglobally by including 'exclude-raw` in the '--global-transformation-options'\ncommand line flag. If set, the command line flag always takes precedence over\nthis configuration.", "type": [ "boolean", "null" ] }, "excludes": { "description": "Excludes contains regex patterns used to filter top-level source secret data\nfields for exclusion from the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied before any inclusion patterns. To exclude all source secret data\nfields, you can configure the single pattern \".*\".", "items": { "type": "string" }, "type": [ "array", "null" ] }, "includes": { "description": "Includes contains regex patterns used to filter top-level source secret data\nfields for inclusion in the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied last.", "items": { "type": "string" }, "type": [ "array", "null" ] }, "templates": { "additionalProperties": { "additionalProperties": false, "description": "Template provides templating configuration.", "properties": { "name": { "description": "Name of the Template", "type": [ "string", "null" ] }, "text": { "description": "Text contains the Go text template format. The template\nreferences attributes from the data structure of the source secret.\nRefer to https://pkg.go.dev/text/template for more information.", "type": "string" } }, "required": [ "text" ], "type": "object" }, "description": "Templates maps a template name to its Template. Templates are always included\nin the rendered K8s Secret, and take precedence over templates defined in a\nSecretTransformation.", "type": [ "object", "null" ] }, "transformationRefs": { "description": "TransformationRefs contain references to template configuration from\nSecretTransformation.", "items": { "additionalProperties": false, "description": "TransformationRef contains the configuration for accessing templates from an\nSecretTransformation resource. TransformationRefs can be shared across all\nsyncable secret custom resources.", "properties": { "ignoreExcludes": { "description": "IgnoreExcludes controls whether to use the SecretTransformation's Excludes\ndata key filters.", "type": [ "boolean", "null" ] }, "ignoreIncludes": { "description": "IgnoreIncludes controls whether to use the SecretTransformation's Includes\ndata key filters.", "type": [ "boolean", "null" ] }, "name": { "description": "Name of the SecretTransformation resource.", "type": "string" }, "namespace": { "description": "Namespace of the SecretTransformation resource.", "type": [ "string", "null" ] }, "templateRefs": { "description": "TemplateRefs map to a Template found in this TransformationRef. If empty, then\nall templates from the SecretTransformation will be rendered to the K8s Secret.", "items": { "additionalProperties": false, "description": "TemplateRef points to templating text that is stored in a\nSecretTransformation custom resource.", "properties": { "keyOverride": { "description": "KeyOverride to the rendered template in the Destination secret. If Key is\nempty, then the Key from reference spec will be used. Set this to override the\nKey set from the reference spec.", "type": [ "string", "null" ] }, "name": { "description": "Name of the Template in SecretTransformationSpec.Templates.\nthe rendered secret data.", "type": "string" } }, "required": [ "name" ], "type": "object" }, "type": [ "array", "null" ] } }, "required": [ "name" ], "type": "object" }, "type": [ "array", "null" ] } }, "type": [ "object", "null" ] }, "type": { "description": "Type of Kubernetes Secret. Requires Create to be set to true.\nDefaults to Opaque.", "type": [ "string", "null" ] } }, "required": [ "name" ], "type": "object" }, "hmacSecretData": { "default": true, "description": "HMACSecretData determines whether the Operator computes the\nHMAC of the Secret's data. The MAC value will be stored in\nthe resource's Status.SecretMac field, and will be used for drift detection\nand during incoming Vault secret comparison.\nEnabling this feature is recommended to ensure that Secret's data stays consistent with Vault.", "type": [ "boolean", "null" ] }, "mount": { "description": "Mount for the secret in Vault", "type": "string" }, "namespace": { "description": "Namespace of the secrets engine mount in Vault. If not set, the namespace that's\npart of VaultAuth resource will be inferred.", "type": [ "string", "null" ] }, "path": { "description": "Path of the secret in Vault, corresponds to the `path` parameter for:\nkv-v1: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1#read-secret\nkv-v2: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version", "type": "string" }, "refreshAfter": { "description": "RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h", "pattern": "^([0-9]+(\\.[0-9]+)?(s|m|h))$", "type": [ "string", "null" ] }, "rolloutRestartTargets": { "description": "RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does\nnot support dynamically reloading a rotated secret.\nIn that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will\ntrigger a \"rollout-restart\" for each target whenever the Vault secret changes between reconciliation events.\nAll configured targets will be ignored if HMACSecretData is set to false.\nSee RolloutRestartTarget for more details.", "items": { "additionalProperties": false, "description": "RolloutRestartTarget provides the configuration required to perform a\nrollout-restart of the supported resources upon Vault Secret rotation.\nThe rollout-restart is triggered by patching the target resource's\n'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt'\nwith a timestamp value of when the trigger was executed.\nE.g. vso.secrets.hashicorp.com/restartedAt: \"2023-03-23T13:39:31Z\"\n\nSupported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout", "properties": { "kind": { "description": "Kind of the resource", "enum": [ "Deployment", "DaemonSet", "StatefulSet", "argo.Rollout" ], "type": "string" }, "name": { "description": "Name of the resource", "type": "string" } }, "required": [ "kind", "name" ], "type": "object" }, "type": [ "array", "null" ] }, "syncConfig": { "additionalProperties": false, "description": "SyncConfig configures sync behavior from Vault to VSO", "properties": { "instantUpdates": { "description": "InstantUpdates is a flag to indicate that event-driven updates are\nenabled for this VaultStaticSecret", "type": [ "boolean", "null" ] } }, "type": [ "object", "null" ] }, "type": { "description": "Type of the Vault static secret", "enum": [ "kv-v1", "kv-v2" ], "type": "string" }, "vaultAuthRef": { "description": "VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace,\neg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to the\nnamespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will\ndefault to the `default` VaultAuth, configured in the operator's namespace.", "type": [ "string", "null" ] }, "version": { "description": "Version of the secret to fetch. Only valid for type kv-v2. Corresponds to version query parameter:\nhttps://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#version", "minimum": 0, "type": [ "integer", "null" ] } }, "required": [ "destination", "mount", "path", "type" ], "type": [ "object", "null" ] }, "status": { "additionalProperties": false, "description": "VaultStaticSecretStatus defines the observed state of VaultStaticSecret", "properties": { "conditions": { "description": "Conditions hold information that can be used by other apps to determine the\nhealth of the resource instance.", "items": { "additionalProperties": false, "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": [ "integer", "null" ] }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object" }, "type": [ "array", "null" ] }, "lastGeneration": { "description": "LastGeneration is the Generation of the last reconciled resource.", "format": "int64", "type": "integer" }, "secretMAC": { "description": "SecretMAC used when deciding whether new Vault secret data should be synced.\n\nThe controller will compare the \"new\" Vault secret data to this value using HMAC,\nif they are different, then the data will be synced to the Destination.\n\nThe SecretMac is also used to detect drift in the Destination Secret's Data.\nIf drift is detected the data will be synced to the Destination.", "type": [ "string", "null" ] }, "vaultClientMeta": { "additionalProperties": false, "description": "VaultClientMeta contains the status of the Vault client and is used during\nresource reconciliation.", "properties": { "cacheKey": { "description": "CacheKey is the unique key used to identify the client cache.", "type": [ "string", "null" ] }, "id": { "description": "ID is the Vault ID of the authenticated client. The ID should never contain\nany sensitive information.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ] } }, "required": [ "lastGeneration" ], "type": [ "object", "null" ] } }, "type": "object" }