{ "description": "VaultAuthGlobal is the Schema for the vaultauthglobals API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "VaultAuthGlobalSpec defines the desired state of VaultAuthGlobal", "properties": { "allowedNamespaces": { "description": "AllowedNamespaces Kubernetes Namespaces which are allow-listed for use with\nthis VaultAuthGlobal. This field allows administrators to customize which\nKubernetes namespaces are authorized to reference this resource. While Vault\nwill still enforce its own rules, this has the added configurability of\nrestricting which VaultAuthMethods can be used by which namespaces. Accepted\nvalues: []{\"*\"} - wildcard, all namespaces. []{\"a\", \"b\"} - list of namespaces.\nunset - disallow all namespaces except the Operator's and the referring\nVaultAuthMethod's namespace, this is the default behavior.", "items": { "type": "string" }, "type": "array" }, "appRole": { "description": "AppRole specific auth configuration, requires that the Method be set to `appRole`.", "properties": { "headers": { "additionalProperties": { "type": "string" }, "description": "Headers to be included in all Vault requests.", "type": "object" }, "mount": { "description": "Mount to use when authenticating to auth method.", "type": "string" }, "namespace": { "description": "Namespace to auth to in Vault", "type": "string" }, "params": { "additionalProperties": { "type": "string" }, "description": "Params to use when authenticating to Vault", "type": "object" }, "roleId": { "description": "RoleID of the AppRole Role to use for authenticating to Vault.", "type": "string" }, "secretRef": { "description": "SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which\nprovides the AppRole Role's SecretID. The secret must have a key named `id` which holds the\nAppRole Role's secretID.", "type": "string" } }, "type": "object", "additionalProperties": false }, "aws": { "description": "AWS specific auth configuration, requires that Method be set to `aws`.", "properties": { "headerValue": { "description": "The Vault header value to include in the STS signing request", "type": "string" }, "headers": { "additionalProperties": { "type": "string" }, "description": "Headers to be included in all Vault requests.", "type": "object" }, "iamEndpoint": { "description": "The IAM endpoint to use; if not set will use the default", "type": "string" }, "irsaServiceAccount": { "description": "IRSAServiceAccount name to use with IAM Roles for Service Accounts\n(IRSA), and should be annotated with \"eks.amazonaws.com/role-arn\". This\nServiceAccount will be checked for other EKS annotations:\neks.amazonaws.com/audience and eks.amazonaws.com/token-expiration", "type": "string" }, "mount": { "description": "Mount to use when authenticating to auth method.", "type": "string" }, "namespace": { "description": "Namespace to auth to in Vault", "type": "string" }, "params": { "additionalProperties": { "type": "string" }, "description": "Params to use when authenticating to Vault", "type": "object" }, "region": { "description": "AWS Region to use for signing the authentication request", "type": "string" }, "role": { "description": "Vault role to use for authenticating", "type": "string" }, "secretRef": { "description": "SecretRef is the name of a Kubernetes Secret in the consumer's (VDS/VSS/PKI) namespace\nwhich holds credentials for AWS. Expected keys include `access_key_id`, `secret_access_key`,\n`session_token`", "type": "string" }, "sessionName": { "description": "The role session name to use when creating a webidentity provider", "type": "string" }, "stsEndpoint": { "description": "The STS endpoint to use; if not set will use the default", "type": "string" } }, "type": "object", "additionalProperties": false }, "defaultAuthMethod": { "description": "DefaultAuthMethod to use when authenticating to Vault.", "enum": [ "kubernetes", "jwt", "appRole", "aws", "gcp" ], "type": "string" }, "defaultMount": { "description": "DefaultMount to use when authenticating to auth method. If not specified the mount of\nthe auth method configured in Vault will be used.", "type": "string" }, "defaultVaultNamespace": { "description": "DefaultVaultNamespace to auth to in Vault, if not specified the namespace of the auth\nmethod will be used. This can be used as a default Vault namespace for all\nauth methods.", "type": "string" }, "gcp": { "description": "GCP specific auth configuration, requires that Method be set to `gcp`.", "properties": { "clusterName": { "description": "GKE cluster name. Defaults to the cluster-name returned from the operator\npod's local metadata server.", "type": "string" }, "headers": { "additionalProperties": { "type": "string" }, "description": "Headers to be included in all Vault requests.", "type": "object" }, "mount": { "description": "Mount to use when authenticating to auth method.", "type": "string" }, "namespace": { "description": "Namespace to auth to in Vault", "type": "string" }, "params": { "additionalProperties": { "type": "string" }, "description": "Params to use when authenticating to Vault", "type": "object" }, "projectID": { "description": "GCP project ID. Defaults to the project-id returned from the operator\npod's local metadata server.", "type": "string" }, "region": { "description": "GCP Region of the GKE cluster's identity provider. Defaults to the region\nreturned from the operator pod's local metadata server.", "type": "string" }, "role": { "description": "Vault role to use for authenticating", "type": "string" }, "workloadIdentityServiceAccount": { "description": "WorkloadIdentityServiceAccount is the name of a Kubernetes service\naccount (in the same Kubernetes namespace as the Vault*Secret referencing\nthis resource) which has been configured for workload identity in GKE.\nShould be annotated with \"iam.gke.io/gcp-service-account\".", "type": "string" } }, "type": "object", "additionalProperties": false }, "headers": { "additionalProperties": { "type": "string" }, "description": "DefaultHeaders to be included in all Vault requests.", "type": "object" }, "jwt": { "description": "JWT specific auth configuration, requires that the Method be set to `jwt`.", "properties": { "audiences": { "description": "TokenAudiences to include in the ServiceAccount token.", "items": { "type": "string" }, "type": "array" }, "headers": { "additionalProperties": { "type": "string" }, "description": "Headers to be included in all Vault requests.", "type": "object" }, "mount": { "description": "Mount to use when authenticating to auth method.", "type": "string" }, "namespace": { "description": "Namespace to auth to in Vault", "type": "string" }, "params": { "additionalProperties": { "type": "string" }, "description": "Params to use when authenticating to Vault", "type": "object" }, "role": { "description": "Role to use for authenticating to Vault.", "type": "string" }, "secretRef": { "description": "SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which\nprovides the JWT token to authenticate to Vault's JWT authentication backend. The secret must\nhave a key named `jwt` which holds the JWT token.", "type": "string" }, "serviceAccount": { "description": "ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's\nJWT authentication backend.", "type": "string" }, "tokenExpirationSeconds": { "default": 600, "description": "TokenExpirationSeconds to set the ServiceAccount token.", "format": "int64", "minimum": 600, "type": "integer" } }, "type": "object", "additionalProperties": false }, "kubernetes": { "description": "Kubernetes specific auth configuration, requires that the Method be set to `kubernetes`.", "properties": { "audiences": { "description": "TokenAudiences to include in the ServiceAccount token.", "items": { "type": "string" }, "type": "array" }, "headers": { "additionalProperties": { "type": "string" }, "description": "Headers to be included in all Vault requests.", "type": "object" }, "mount": { "description": "Mount to use when authenticating to auth method.", "type": "string" }, "namespace": { "description": "Namespace to auth to in Vault", "type": "string" }, "params": { "additionalProperties": { "type": "string" }, "description": "Params to use when authenticating to Vault", "type": "object" }, "role": { "description": "Role to use for authenticating to Vault.", "type": "string" }, "serviceAccount": { "description": "ServiceAccount to use when authenticating to Vault's\nauthentication backend. This must reside in the consuming secret's (VDS/VSS/PKI) namespace.", "type": "string" }, "tokenExpirationSeconds": { "default": 600, "description": "TokenExpirationSeconds to set the ServiceAccount token.", "format": "int64", "minimum": 600, "type": "integer" } }, "type": "object", "additionalProperties": false }, "params": { "additionalProperties": { "type": "string" }, "description": "DefaultParams to use when authenticating to Vault", "type": "object" }, "vaultConnectionRef": { "description": "VaultConnectionRef to the VaultConnection resource, can be prefixed with a namespace,\neg: `namespaceA/vaultConnectionRefB`. If no namespace prefix is provided it will default to\nthe namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the\nOperator will default to the `default` VaultConnection, configured in the operator's namespace.", "type": "string" } }, "type": "object", "additionalProperties": false }, "status": { "description": "VaultAuthGlobalStatus defines the observed state of VaultAuthGlobal", "properties": { "error": { "type": "string" }, "valid": { "description": "Valid auth mechanism.", "type": "boolean" } }, "required": [ "error", "valid" ], "type": "object", "additionalProperties": false } }, "type": "object" }