{ "description": "VaultDynamicSecret is the Schema for the vaultdynamicsecrets API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "VaultDynamicSecretSpec defines the desired state of VaultDynamicSecret", "properties": { "allowStaticCreds": { "description": "AllowStaticCreds should be set when syncing credentials that are periodically\nrotated by the Vault server, rather than created upon request. These secrets\nare sometimes referred to as \"static roles\", or \"static credentials\", with a\nrequest path that contains \"static-creds\".", "type": "boolean" }, "destination": { "description": "Destination provides configuration necessary for syncing the Vault secret to Kubernetes.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations to apply to the Secret. Requires Create to be set to true.", "type": "object" }, "create": { "default": false, "description": "Create the destination Secret.\nIf the Secret already exists this should be set to false.", "type": "boolean" }, "labels": { "additionalProperties": { "type": "string" }, "description": "Labels to apply to the Secret. Requires Create to be set to true.", "type": "object" }, "name": { "description": "Name of the Secret", "type": "string" }, "overwrite": { "default": false, "description": "Overwrite the destination Secret if it exists and Create is true. This is\nuseful when migrating to VSO from a previous secret deployment strategy.", "type": "boolean" }, "transformation": { "description": "Transformation provides configuration for transforming the secret data before\nit is stored in the Destination.", "properties": { "excludeRaw": { "description": "ExcludeRaw data from the destination Secret. Exclusion policy can be set\nglobally by including 'exclude-raw` in the '--global-transformation-options'\ncommand line flag. If set, the command line flag always takes precedence over\nthis configuration.", "type": "boolean" }, "excludes": { "description": "Excludes contains regex patterns used to filter top-level source secret data\nfields for exclusion from the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied before any inclusion patterns. To exclude all source secret data\nfields, you can configure the single pattern \".*\".", "items": { "type": "string" }, "type": "array" }, "includes": { "description": "Includes contains regex patterns used to filter top-level source secret data\nfields for inclusion in the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied last.", "items": { "type": "string" }, "type": "array" }, "templates": { "additionalProperties": { "description": "Template provides templating configuration.", "properties": { "name": { "description": "Name of the Template", "type": "string" }, "text": { "description": "Text contains the Go text template format. The template\nreferences attributes from the data structure of the source secret.\nRefer to https://pkg.go.dev/text/template for more information.", "type": "string" } }, "required": [ "text" ], "type": "object", "additionalProperties": false }, "description": "Templates maps a template name to its Template. Templates are always included\nin the rendered K8s Secret, and take precedence over templates defined in a\nSecretTransformation.", "type": "object" }, "transformationRefs": { "description": "TransformationRefs contain references to template configuration from\nSecretTransformation.", "items": { "description": "TransformationRef contains the configuration for accessing templates from an\nSecretTransformation resource. TransformationRefs can be shared across all\nsyncable secret custom resources.", "properties": { "ignoreExcludes": { "description": "IgnoreExcludes controls whether to use the SecretTransformation's Excludes\ndata key filters.", "type": "boolean" }, "ignoreIncludes": { "description": "IgnoreIncludes controls whether to use the SecretTransformation's Includes\ndata key filters.", "type": "boolean" }, "name": { "description": "Name of the SecretTransformation resource.", "type": "string" }, "namespace": { "description": "Namespace of the SecretTransformation resource.", "type": "string" }, "templateRefs": { "description": "TemplateRefs map to a Template found in this TransformationRef. If empty, then\nall templates from the SecretTransformation will be rendered to the K8s Secret.", "items": { "description": "TemplateRef points to templating text that is stored in a\nSecretTransformation custom resource.", "properties": { "keyOverride": { "description": "KeyOverride to the rendered template in the Destination secret. If Key is\nempty, then the Key from reference spec will be used. Set this to override the\nKey set from the reference spec.", "type": "string" }, "name": { "description": "Name of the Template in SecretTransformationSpec.Templates.\nthe rendered secret data.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": { "description": "Type of Kubernetes Secret. Requires Create to be set to true.\nDefaults to Opaque.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "mount": { "description": "Mount path of the secret's engine in Vault.", "type": "string" }, "namespace": { "description": "Namespace of the secrets engine mount in Vault. If not set, the namespace that's\npart of VaultAuth resource will be inferred.", "type": "string" }, "params": { "additionalProperties": { "type": "string" }, "description": "Params that can be passed when requesting credentials/secrets.\nWhen Params is set the configured RequestHTTPMethod will be\nignored. See RequestHTTPMethod for more details.\nPlease consult https://developer.hashicorp.com/vault/docs/secrets if you are\nuncertain about what 'params' should/can be set to.", "type": "object" }, "path": { "description": "Path in Vault to get the credentials for, and is relative to Mount.\nPlease consult https://developer.hashicorp.com/vault/docs/secrets if you are\nuncertain about what 'path' should be set to.", "type": "string" }, "refreshAfter": { "description": "RefreshAfter a period of time for VSO to sync the source secret data, in\nduration notation e.g. 30s, 1m, 24h. This value only needs to be set when\nsyncing from a secret's engine that does not provide a lease TTL in its\nresponse. The value should be within the secret engine's configured ttl or\nmax_ttl. The source secret's lease duration takes precedence over this\nconfiguration when it is greater than 0.", "pattern": "^([0-9]+(\\.[0-9]+)?(s|m|h))$", "type": "string" }, "renewalPercent": { "default": 67, "description": "RenewalPercent is the percent out of 100 of the lease duration when the\nlease is renewed. Defaults to 67 percent plus jitter.", "maximum": 90, "minimum": 0, "type": "integer" }, "requestHTTPMethod": { "description": "RequestHTTPMethod to use when syncing Secrets from Vault.\nSetting a value here is not typically required.\nIf left unset the Operator will make requests using the GET method.\nIn the case where Params are specified the Operator will use the PUT method.\nPlease consult https://developer.hashicorp.com/vault/docs/secrets if you are\nuncertain about what method to use.\nOf note, the Vault client treats PUT and POST as being equivalent.\nThe underlying Vault client implementation will always use the PUT method.", "enum": [ "GET", "POST", "PUT" ], "type": "string" }, "revoke": { "description": "Revoke the existing lease on VDS resource deletion.", "type": "boolean" }, "rolloutRestartTargets": { "description": "RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does\nnot support dynamically reloading a rotated secret.\nIn that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will\ntrigger a \"rollout-restart\" for each target whenever the Vault secret changes between reconciliation events.\nSee RolloutRestartTarget for more details.", "items": { "description": "RolloutRestartTarget provides the configuration required to perform a\nrollout-restart of the supported resources upon Vault Secret rotation.\nThe rollout-restart is triggered by patching the target resource's\n'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt'\nwith a timestamp value of when the trigger was executed.\nE.g. vso.secrets.hashicorp.com/restartedAt: \"2023-03-23T13:39:31Z\"\n\nSupported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout", "properties": { "kind": { "description": "Kind of the resource", "enum": [ "Deployment", "DaemonSet", "StatefulSet", "argo.Rollout" ], "type": "string" }, "name": { "description": "Name of the resource", "type": "string" } }, "required": [ "kind", "name" ], "type": "object", "additionalProperties": false }, "type": "array" }, "vaultAuthRef": { "description": "VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace,\neg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to\nthe namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator\nwill default to the `default` VaultAuth, configured in the operator's namespace.", "type": "string" } }, "required": [ "destination", "mount", "path" ], "type": "object", "additionalProperties": false }, "status": { "description": "VaultDynamicSecretStatus defines the observed state of VaultDynamicSecret", "properties": { "lastGeneration": { "description": "LastGeneration is the Generation of the last reconciled resource.", "format": "int64", "type": "integer" }, "lastRenewalTime": { "description": "LastRenewalTime of the last successful secret lease renewal.", "format": "int64", "type": "integer" }, "lastRuntimePodUID": { "description": "LastRuntimePodUID used for tracking the transition from one Pod to the next.\nIt is used to mitigate the effects of a Vault lease renewal storm.", "type": "string" }, "secretLease": { "description": "SecretLease for the Vault secret.", "properties": { "duration": { "description": "LeaseDuration of the Vault secret.", "type": "integer" }, "id": { "description": "ID of the Vault secret.", "type": "string" }, "renewable": { "description": "Renewable Vault secret lease", "type": "boolean" }, "requestID": { "description": "RequestID of the Vault secret request.", "type": "string" } }, "required": [ "duration", "id", "renewable", "requestID" ], "type": "object", "additionalProperties": false }, "secretMAC": { "description": "SecretMAC used when deciding whether new Vault secret data should be synced.\n\nThe controller will compare the \"new\" Vault secret data to this value using HMAC,\nif they are different, then the data will be synced to the Destination.\n\nThe SecretMac is also used to detect drift in the Destination Secret's Data.\nIf drift is detected the data will be synced to the Destination.\nSecretMAC will only be stored when VaultDynamicSecretSpec.AllowStaticCreds is true.", "type": "string" }, "staticCredsMetaData": { "description": "StaticCredsMetaData contains the static creds response meta-data", "properties": { "lastVaultRotation": { "description": "LastVaultRotation represents the last time Vault rotated the password", "format": "int64", "type": "integer" }, "rotationPeriod": { "description": "RotationPeriod is number in seconds between each rotation, effectively a\n\"time to live\". This value is compared to the LastVaultRotation to\ndetermine if a password needs to be rotated", "format": "int64", "type": "integer" }, "rotationSchedule": { "description": "RotationSchedule is a \"cron style\" string representing the allowed\nschedule for each rotation.\ne.g. \"1 0 * * *\" would rotate at one minute past midnight (00:01) every\nday.", "type": "string" }, "ttl": { "description": "TTL is the seconds remaining before the next rotation.", "format": "int64", "type": "integer" } }, "required": [ "lastVaultRotation", "rotationPeriod", "ttl" ], "type": "object", "additionalProperties": false }, "vaultClientMeta": { "description": "VaultClientMeta contains the status of the Vault client and is used during\nresource reconciliation.", "properties": { "cacheKey": { "description": "CacheKey is the unique key used to identify the client cache.", "type": "string" }, "id": { "description": "ID is the Vault ID of the authenticated client. The ID should never contain\nany sensitive information.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "required": [ "lastGeneration", "lastRenewalTime", "secretLease" ], "type": "object", "additionalProperties": false } }, "type": "object" }