{ "description": "HCPVaultSecretsApp is the Schema for the hcpvaultsecretsapps API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "HCPVaultSecretsAppSpec defines the desired state of HCPVaultSecretsApp", "properties": { "appName": { "description": "AppName of the Vault Secrets Application that is to be synced.", "type": "string" }, "destination": { "description": "Destination provides configuration necessary for syncing the HCP Vault\nApplication secrets to Kubernetes.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations to apply to the Secret. Requires Create to be set to true.", "type": "object" }, "create": { "default": false, "description": "Create the destination Secret.\nIf the Secret already exists this should be set to false.", "type": "boolean" }, "labels": { "additionalProperties": { "type": "string" }, "description": "Labels to apply to the Secret. Requires Create to be set to true.", "type": "object" }, "name": { "description": "Name of the Secret", "type": "string" }, "overwrite": { "default": false, "description": "Overwrite the destination Secret if it exists and Create is true. This is\nuseful when migrating to VSO from a previous secret deployment strategy.", "type": "boolean" }, "transformation": { "description": "Transformation provides configuration for transforming the secret data before\nit is stored in the Destination.", "properties": { "excludeRaw": { "description": "ExcludeRaw data from the destination Secret. Exclusion policy can be set\nglobally by including 'exclude-raw` in the '--global-transformation-options'\ncommand line flag. If set, the command line flag always takes precedence over\nthis configuration.", "type": "boolean" }, "excludes": { "description": "Excludes contains regex patterns used to filter top-level source secret data\nfields for exclusion from the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied before any inclusion patterns. To exclude all source secret data\nfields, you can configure the single pattern \".*\".", "items": { "type": "string" }, "type": "array" }, "includes": { "description": "Includes contains regex patterns used to filter top-level source secret data\nfields for inclusion in the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied last.", "items": { "type": "string" }, "type": "array" }, "templates": { "additionalProperties": { "description": "Template provides templating configuration.", "properties": { "name": { "description": "Name of the Template", "type": "string" }, "text": { "description": "Text contains the Go text template format. The template\nreferences attributes from the data structure of the source secret.\nRefer to https://pkg.go.dev/text/template for more information.", "type": "string" } }, "required": [ "text" ], "type": "object", "additionalProperties": false }, "description": "Templates maps a template name to its Template. Templates are always included\nin the rendered K8s Secret, and take precedence over templates defined in a\nSecretTransformation.", "type": "object" }, "transformationRefs": { "description": "TransformationRefs contain references to template configuration from\nSecretTransformation.", "items": { "description": "TransformationRef contains the configuration for accessing templates from an\nSecretTransformation resource. TransformationRefs can be shared across all\nsyncable secret custom resources.", "properties": { "ignoreExcludes": { "description": "IgnoreExcludes controls whether to use the SecretTransformation's Excludes\ndata key filters.", "type": "boolean" }, "ignoreIncludes": { "description": "IgnoreIncludes controls whether to use the SecretTransformation's Includes\ndata key filters.", "type": "boolean" }, "name": { "description": "Name of the SecretTransformation resource.", "type": "string" }, "namespace": { "description": "Namespace of the SecretTransformation resource.", "type": "string" }, "templateRefs": { "description": "TemplateRefs map to a Template found in this TransformationRef. If empty, then\nall templates from the SecretTransformation will be rendered to the K8s Secret.", "items": { "description": "TemplateRef points to templating text that is stored in a\nSecretTransformation custom resource.", "properties": { "keyOverride": { "description": "KeyOverride to the rendered template in the Destination secret. If Key is\nempty, then the Key from reference spec will be used. Set this to override the\nKey set from the reference spec.", "type": "string" }, "name": { "description": "Name of the Template in SecretTransformationSpec.Templates.\nthe rendered secret data.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": { "description": "Type of Kubernetes Secret. Requires Create to be set to true.\nDefaults to Opaque.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "hcpAuthRef": { "description": "HCPAuthRef to the HCPAuth resource, can be prefixed with a namespace, eg:\n`namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default\nto the namespace of the HCPAuth CR. If no value is specified for HCPAuthRef the\nOperator will default to the `default` HCPAuth, configured in the operator's\nnamespace.", "type": "string" }, "refreshAfter": { "default": "600s", "description": "RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h", "pattern": "^([0-9]+(\\.[0-9]+)?(s|m|h))$", "type": "string" }, "rolloutRestartTargets": { "description": "RolloutRestartTargets should be configured whenever the application(s)\nconsuming the HCP Vault Secrets App does not support dynamically reloading a\nrotated secret. In that case one, or more RolloutRestartTarget(s) can be\nconfigured here. The Operator will trigger a \"rollout-restart\" for each target\nwhenever the Vault secret changes between reconciliation events. See\nRolloutRestartTarget for more details.", "items": { "description": "RolloutRestartTarget provides the configuration required to perform a\nrollout-restart of the supported resources upon Vault Secret rotation.\nThe rollout-restart is triggered by patching the target resource's\n'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt'\nwith a timestamp value of when the trigger was executed.\nE.g. vso.secrets.hashicorp.com/restartedAt: \"2023-03-23T13:39:31Z\"\n\nSupported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout", "properties": { "kind": { "description": "Kind of the resource", "enum": [ "Deployment", "DaemonSet", "StatefulSet", "argo.Rollout" ], "type": "string" }, "name": { "description": "Name of the resource", "type": "string" } }, "required": [ "kind", "name" ], "type": "object", "additionalProperties": false }, "type": "array" }, "syncConfig": { "description": "SyncConfig configures sync behavior from HVS to VSO", "properties": { "dynamic": { "description": "Dynamic configures sync behavior for dynamic secrets.", "properties": { "renewalPercent": { "default": 67, "description": "RenewalPercent is the percent out of 100 of a dynamic secret's TTL when\nnew secrets are generated. Defaults to 67 percent plus up to 10% jitter.", "maximum": 90, "minimum": 0, "type": "integer" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "required": [ "appName", "destination" ], "type": "object", "additionalProperties": false }, "status": { "description": "HCPVaultSecretsAppStatus defines the observed state of HCPVaultSecretsApp", "properties": { "dynamicSecrets": { "description": "DynamicSecrets lists the last observed state of any dynamic secrets\nwithin the HCP Vault Secrets App", "items": { "description": "HVSDynamicStatus defines the observed state of a dynamic secret within an HCP\nVault Secrets App", "properties": { "createdAt": { "description": "CreatedAt is the timestamp string of when the dynamic secret was created", "type": "string" }, "expiresAt": { "description": "ExpiresAt is the timestamp string of when the dynamic secret will expire", "type": "string" }, "name": { "description": "Name of the dynamic secret", "type": "string" }, "ttl": { "description": "TTL is the time-to-live of the dynamic secret in seconds", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "lastGeneration": { "description": "LastGeneration is the Generation of the last reconciled resource.", "format": "int64", "type": "integer" }, "secretMAC": { "description": "SecretMAC used when deciding whether new Vault secret data should be synced.\n\nThe controller will compare the \"new\" HCP Vault Secrets App data to this value\nusing HMAC, if they are different, then the data will be synced to the\nDestination.\n\nThe SecretMac is also used to detect drift in the Destination Secret's Data.\nIf drift is detected the data will be synced to the Destination.", "type": "string" } }, "required": [ "lastGeneration" ], "type": "object", "additionalProperties": false } }, "type": "object" }