{ "description": "VaultAuth is the Schema for the vaultauths API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "VaultAuthSpec defines the desired state of VaultAuth", "properties": { "allowedNamespaces": { "description": "AllowedNamespaces Kubernetes Namespaces which are allow-listed for use with this AuthMethod.\nThis field allows administrators to customize which Kubernetes namespaces are authorized to\nuse with this AuthMethod. While Vault will still enforce its own rules, this has the added\nconfigurability of restricting which VaultAuthMethods can be used by which namespaces.\nAccepted values:\n[]{\"*\"} - wildcard, all namespaces.\n[]{\"a\", \"b\"} - list of namespaces.\nunset - disallow all namespaces except the Operator's the VaultAuthMethod's namespace, this\nis the default behavior.", "items": { "type": "string" }, "type": "array" }, "appRole": { "description": "AppRole specific auth configuration, requires that the Method be set to `appRole`.", "properties": { "roleId": { "description": "RoleID of the AppRole Role to use for authenticating to Vault.", "type": "string" }, "secretRef": { "description": "SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which\nprovides the AppRole Role's SecretID. The secret must have a key named `id` which holds the\nAppRole Role's secretID.", "type": "string" } }, "type": "object", "additionalProperties": false }, "aws": { "description": "AWS specific auth configuration, requires that Method be set to `aws`.", "properties": { "headerValue": { "description": "The Vault header value to include in the STS signing request", "type": "string" }, "iamEndpoint": { "description": "The IAM endpoint to use; if not set will use the default", "type": "string" }, "irsaServiceAccount": { "description": "IRSAServiceAccount name to use with IAM Roles for Service Accounts\n(IRSA), and should be annotated with \"eks.amazonaws.com/role-arn\". This\nServiceAccount will be checked for other EKS annotations:\neks.amazonaws.com/audience and eks.amazonaws.com/token-expiration", "type": "string" }, "region": { "description": "AWS Region to use for signing the authentication request", "type": "string" }, "role": { "description": "Vault role to use for authenticating", "type": "string" }, "secretRef": { "description": "SecretRef is the name of a Kubernetes Secret in the consumer's (VDS/VSS/PKI) namespace\nwhich holds credentials for AWS. Expected keys include `access_key_id`, `secret_access_key`,\n`session_token`", "type": "string" }, "sessionName": { "description": "The role session name to use when creating a webidentity provider", "type": "string" }, "stsEndpoint": { "description": "The STS endpoint to use; if not set will use the default", "type": "string" } }, "type": "object", "additionalProperties": false }, "gcp": { "description": "GCP specific auth configuration, requires that Method be set to `gcp`.", "properties": { "clusterName": { "description": "GKE cluster name. Defaults to the cluster-name returned from the operator\npod's local metadata server.", "type": "string" }, "projectID": { "description": "GCP project ID. Defaults to the project-id returned from the operator\npod's local metadata server.", "type": "string" }, "region": { "description": "GCP Region of the GKE cluster's identity provider. Defaults to the region\nreturned from the operator pod's local metadata server.", "type": "string" }, "role": { "description": "Vault role to use for authenticating", "type": "string" }, "workloadIdentityServiceAccount": { "description": "WorkloadIdentityServiceAccount is the name of a Kubernetes service\naccount (in the same Kubernetes namespace as the Vault*Secret referencing\nthis resource) which has been configured for workload identity in GKE.\nShould be annotated with \"iam.gke.io/gcp-service-account\".", "type": "string" } }, "type": "object", "additionalProperties": false }, "headers": { "additionalProperties": { "type": "string" }, "description": "Headers to be included in all Vault requests.", "type": "object" }, "jwt": { "description": "JWT specific auth configuration, requires that the Method be set to `jwt`.", "properties": { "audiences": { "description": "TokenAudiences to include in the ServiceAccount token.", "items": { "type": "string" }, "type": "array" }, "role": { "description": "Role to use for authenticating to Vault.", "type": "string" }, "secretRef": { "description": "SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which\nprovides the JWT token to authenticate to Vault's JWT authentication backend. The secret must\nhave a key named `jwt` which holds the JWT token.", "type": "string" }, "serviceAccount": { "description": "ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's\nJWT authentication backend.", "type": "string" }, "tokenExpirationSeconds": { "default": 600, "description": "TokenExpirationSeconds to set the ServiceAccount token.", "format": "int64", "minimum": 600, "type": "integer" } }, "type": "object", "additionalProperties": false }, "kubernetes": { "description": "Kubernetes specific auth configuration, requires that the Method be set to `kubernetes`.", "properties": { "audiences": { "description": "TokenAudiences to include in the ServiceAccount token.", "items": { "type": "string" }, "type": "array" }, "role": { "description": "Role to use for authenticating to Vault.", "type": "string" }, "serviceAccount": { "description": "ServiceAccount to use when authenticating to Vault's\nauthentication backend. This must reside in the consuming secret's (VDS/VSS/PKI) namespace.", "type": "string" }, "tokenExpirationSeconds": { "default": 600, "description": "TokenExpirationSeconds to set the ServiceAccount token.", "format": "int64", "minimum": 600, "type": "integer" } }, "type": "object", "additionalProperties": false }, "method": { "description": "Method to use when authenticating to Vault.", "enum": [ "kubernetes", "jwt", "appRole", "aws", "gcp" ], "type": "string" }, "mount": { "description": "Mount to use when authenticating to auth method.", "type": "string" }, "namespace": { "description": "Namespace to auth to in Vault", "type": "string" }, "params": { "additionalProperties": { "type": "string" }, "description": "Params to use when authenticating to Vault", "type": "object" }, "storageEncryption": { "description": "StorageEncryption provides the necessary configuration to encrypt the client storage cache.\nThis should only be configured when client cache persistence with encryption is enabled.\nThis is done by passing setting the manager's commandline argument\n--client-cache-persistence-model=direct-encrypted. Typically, there should only ever\nbe one VaultAuth configured with StorageEncryption in the Cluster, and it should have\nthe label: cacheStorageEncryption=true", "properties": { "keyName": { "description": "KeyName to use for encrypt/decrypt operations via Vault Transit.", "type": "string" }, "mount": { "description": "Mount path of the Transit engine in Vault.", "type": "string" } }, "required": [ "keyName", "mount" ], "type": "object", "additionalProperties": false }, "vaultAuthGlobalRef": { "description": "VaultAuthGlobalRef.", "properties": { "allowDefault": { "description": "AllowDefault when set to true will use the default VaultAuthGlobal resource\nas the default if Name is not set. The 'allow-default-globals' option must be\nset on the operator's '-global-vault-auth-options' flag\n\nThe default VaultAuthGlobal search is conditional.\nWhen a ref Namespace is set, the search for the default\nVaultAuthGlobal resource is constrained to that namespace.\nOtherwise, the search order is:\n1. The default VaultAuthGlobal resource in the referring VaultAuth resource's\nnamespace.\n2. The default VaultAuthGlobal resource in the Operator's namespace.", "type": "boolean" }, "mergeStrategy": { "description": "MergeStrategy configures the merge strategy for HTTP headers and parameters\nthat are included in all Vault authentication requests.", "properties": { "headers": { "description": "Headers configures the merge strategy for HTTP headers that are included in\nall Vault requests. Choices are `union`, `replace`, or `none`.\n\nIf `union` is set, the headers from the VaultAuthGlobal and VaultAuth\nresources are merged. The headers from the VaultAuth always take precedence.\n\nIf `replace` is set, the first set of non-empty headers taken in order from:\nVaultAuth, VaultAuthGlobal auth method, VaultGlobal default headers.\n\nIf `none` is set, the headers from the\nVaultAuthGlobal resource are ignored and only the headers from the VaultAuth\nresource are used. The default is `none`.", "enum": [ "union", "replace", "none" ], "type": "string" }, "params": { "description": "Params configures the merge strategy for HTTP parameters that are included in\nall Vault requests. Choices are `union`, `replace`, or `none`.\n\nIf `union` is set, the parameters from the VaultAuthGlobal and VaultAuth\nresources are merged. The parameters from the VaultAuth always take\nprecedence.\n\nIf `replace` is set, the first set of non-empty parameters taken in order from:\nVaultAuth, VaultAuthGlobal auth method, VaultGlobal default parameters.\n\nIf `none` is set, the parameters from the VaultAuthGlobal resource are ignored\nand only the parameters from the VaultAuth resource are used. The default is\n`none`.", "enum": [ "union", "replace", "none" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "name": { "description": "Name of the VaultAuthGlobal resource.", "pattern": "^([a-z0-9.-]{1,253})$", "type": "string" }, "namespace": { "description": "Namespace of the VaultAuthGlobal resource. If not provided, the namespace of\nthe referring VaultAuth resource is used.", "pattern": "^([a-z0-9.-]{1,253})$", "type": "string" } }, "type": "object", "additionalProperties": false }, "vaultConnectionRef": { "description": "VaultConnectionRef to the VaultConnection resource, can be prefixed with a namespace,\neg: `namespaceA/vaultConnectionRefB`. If no namespace prefix is provided it will default to\nthe namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the\nOperator will default to the `default` VaultConnection, configured in the operator's namespace.", "type": "string" } }, "type": "object", "additionalProperties": false }, "status": { "description": "VaultAuthStatus defines the observed state of VaultAuth", "properties": { "conditions": { "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "error": { "type": "string" }, "specHash": { "type": "string" }, "valid": { "description": "Valid auth mechanism.", "type": "boolean" } }, "type": "object", "additionalProperties": false } }, "type": "object" }