{ "description": "VaultPKISecret is the Schema for the vaultpkisecrets API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "VaultPKISecretSpec defines the desired state of VaultPKISecret", "properties": { "altNames": { "description": "AltNames to include in the request\nMay contain both DNS names and email addresses.", "items": { "type": "string" }, "type": "array" }, "clear": { "description": "Clear the Kubernetes secret when the resource is deleted.", "type": "boolean" }, "commonName": { "description": "CommonName to include in the request.", "type": "string" }, "destination": { "description": "Destination provides configuration necessary for syncing the Vault secret\nto Kubernetes. If the type is set to \"kubernetes.io/tls\", \"tls.key\" will\nbe set to the \"private_key\" response from Vault, and \"tls.crt\" will be\nset to \"certificate\" + \"ca_chain\" from the Vault response (\"issuing_ca\"\nis used when \"ca_chain\" is empty). The \"remove_roots_from_chain=true\"\noption is used with Vault to exclude the root CA from the Vault response.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations to apply to the Secret. Requires Create to be set to true.", "type": "object" }, "create": { "default": false, "description": "Create the destination Secret.\nIf the Secret already exists this should be set to false.", "type": "boolean" }, "labels": { "additionalProperties": { "type": "string" }, "description": "Labels to apply to the Secret. Requires Create to be set to true.", "type": "object" }, "name": { "description": "Name of the Secret", "type": "string" }, "overwrite": { "default": false, "description": "Overwrite the destination Secret if it exists and Create is true. This is\nuseful when migrating to VSO from a previous secret deployment strategy.", "type": "boolean" }, "transformation": { "description": "Transformation provides configuration for transforming the secret data before\nit is stored in the Destination.", "properties": { "excludeRaw": { "description": "ExcludeRaw data from the destination Secret. Exclusion policy can be set\nglobally by including 'exclude-raw` in the '--global-transformation-options'\ncommand line flag. If set, the command line flag always takes precedence over\nthis configuration.", "type": "boolean" }, "excludes": { "description": "Excludes contains regex patterns used to filter top-level source secret data\nfields for exclusion from the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied before any inclusion patterns. To exclude all source secret data\nfields, you can configure the single pattern \".*\".", "items": { "type": "string" }, "type": "array" }, "includes": { "description": "Includes contains regex patterns used to filter top-level source secret data\nfields for inclusion in the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied last.", "items": { "type": "string" }, "type": "array" }, "templates": { "additionalProperties": { "description": "Template provides templating configuration.", "properties": { "name": { "description": "Name of the Template", "type": "string" }, "text": { "description": "Text contains the Go text template format. The template\nreferences attributes from the data structure of the source secret.\nRefer to https://pkg.go.dev/text/template for more information.", "type": "string" } }, "required": [ "text" ], "type": "object", "additionalProperties": false }, "description": "Templates maps a template name to its Template. Templates are always included\nin the rendered K8s Secret, and take precedence over templates defined in a\nSecretTransformation.", "type": "object" }, "transformationRefs": { "description": "TransformationRefs contain references to template configuration from\nSecretTransformation.", "items": { "description": "TransformationRef contains the configuration for accessing templates from an\nSecretTransformation resource. TransformationRefs can be shared across all\nsyncable secret custom resources.", "properties": { "ignoreExcludes": { "description": "IgnoreExcludes controls whether to use the SecretTransformation's Excludes\ndata key filters.", "type": "boolean" }, "ignoreIncludes": { "description": "IgnoreIncludes controls whether to use the SecretTransformation's Includes\ndata key filters.", "type": "boolean" }, "name": { "description": "Name of the SecretTransformation resource.", "type": "string" }, "namespace": { "description": "Namespace of the SecretTransformation resource.", "type": "string" }, "templateRefs": { "description": "TemplateRefs map to a Template found in this TransformationRef. If empty, then\nall templates from the SecretTransformation will be rendered to the K8s Secret.", "items": { "description": "TemplateRef points to templating text that is stored in a\nSecretTransformation custom resource.", "properties": { "keyOverride": { "description": "KeyOverride to the rendered template in the Destination secret. If Key is\nempty, then the Key from reference spec will be used. Set this to override the\nKey set from the reference spec.", "type": "string" }, "name": { "description": "Name of the Template in SecretTransformationSpec.Templates.\nthe rendered secret data.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": { "description": "Type of Kubernetes Secret. Requires Create to be set to true.\nDefaults to Opaque.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "excludeCNFromSans": { "description": "ExcludeCNFromSans from DNS or Email Subject Alternate Names.\nDefault: false", "type": "boolean" }, "expiryOffset": { "description": "ExpiryOffset to use for computing when the certificate should be renewed.\nThe rotation time will be difference between the expiration and the offset.\nShould be in duration notation e.g. 30s, 120s, etc.", "pattern": "^([0-9]+(\\.[0-9]+)?(s|m|h))$", "type": "string" }, "format": { "description": "Format for the certificate. Choices: \"pem\", \"der\", \"pem_bundle\".\nIf \"pem_bundle\",\nany private key and issuing cert will be appended to the certificate pem.\nIf \"der\", the value will be base64 encoded.\nDefault: pem", "type": "string" }, "ipSans": { "description": "IPSans to include in the request.", "items": { "type": "string" }, "type": "array" }, "issuerRef": { "description": "IssuerRef reference to an existing PKI issuer, either by Vault-generated\nidentifier, the literal string default to refer to the currently\nconfigured default issuer, or the name assigned to an issuer.\nThis parameter is part of the request URL.", "type": "string" }, "mount": { "description": "Mount for the secret in Vault", "type": "string" }, "namespace": { "description": "Namespace of the secrets engine mount in Vault. If not set, the namespace that's\npart of VaultAuth resource will be inferred.", "type": "string" }, "notAfter": { "description": "NotAfter field of the certificate with specified date value.\nThe value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ", "type": "string" }, "otherSans": { "description": "Requested other SANs, in an array with the format\noid;type:value for each entry.", "items": { "type": "string" }, "type": "array" }, "privateKeyFormat": { "description": "PrivateKeyFormat, generally the default will be controlled by the Format\nparameter as either base64-encoded DER or PEM-encoded DER.\nHowever, this can be set to \"pkcs8\" to have the returned\nprivate key contain base64-encoded pkcs8 or PEM-encoded\npkcs8 instead.\nDefault: der", "type": "string" }, "revoke": { "description": "Revoke the certificate when the resource is deleted.", "type": "boolean" }, "role": { "description": "Role in Vault to use when issuing TLS certificates.", "type": "string" }, "rolloutRestartTargets": { "description": "RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does\nnot support dynamically reloading a rotated secret.\nIn that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will\ntrigger a \"rollout-restart\" for each target whenever the Vault secret changes between reconciliation events.\nSee RolloutRestartTarget for more details.", "items": { "description": "RolloutRestartTarget provides the configuration required to perform a\nrollout-restart of the supported resources upon Vault Secret rotation.\nThe rollout-restart is triggered by patching the target resource's\n'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt'\nwith a timestamp value of when the trigger was executed.\nE.g. vso.secrets.hashicorp.com/restartedAt: \"2023-03-23T13:39:31Z\"\n\nSupported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout", "properties": { "kind": { "description": "Kind of the resource", "enum": [ "Deployment", "DaemonSet", "StatefulSet", "argo.Rollout" ], "type": "string" }, "name": { "description": "Name of the resource", "type": "string" } }, "required": [ "kind", "name" ], "type": "object", "additionalProperties": false }, "type": "array" }, "ttl": { "description": "TTL for the certificate; sets the expiration date.\nIf not specified the Vault role's default,\nbackend default, or system default TTL is used, in that order.\nCannot be larger than the mount's max TTL.\nNote: this only has an effect when generating a CA cert or signing a CA cert,\nnot when generating a CSR for an intermediate CA.\nShould be in duration notation e.g. 120s, 2h, etc.", "pattern": "^([0-9]+(\\.[0-9]+)?(s|m|h|d))$", "type": "string" }, "uriSans": { "description": "The requested URI SANs.", "items": { "type": "string" }, "type": "array" }, "userIDs": { "description": "User ID (OID 0.9.2342.19200300.100.1.1) Subject values to be placed on the\nsigned certificate.", "items": { "type": "string" }, "type": "array" }, "vaultAuthRef": { "description": "VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace,\neg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to\nthe namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator\nwill default to the `default` VaultAuth, configured in the operator's namespace.", "type": "string" } }, "required": [ "destination", "mount", "role" ], "type": "object", "additionalProperties": false }, "status": { "description": "VaultPKISecretStatus defines the observed state of VaultPKISecret", "properties": { "error": { "type": "string" }, "expiration": { "format": "int64", "type": "integer" }, "lastGeneration": { "description": "LastGeneration is the Generation of the last reconciled resource.", "format": "int64", "type": "integer" }, "lastRotation": { "description": "LastLastRotation of the certificate.", "format": "int64", "type": "integer" }, "secretMAC": { "description": "SecretMAC used when deciding whether new Vault secret data should be synced.\n\nThe controller will compare the \"new\" Vault secret data to this value using HMAC,\nif they are different, then the data will be synced to the Destination.\n\nThe SecretMac is also used to detect drift in the Destination Secret's Data.\nIf drift is detected the data will be synced to the Destination.", "type": "string" }, "serialNumber": { "type": "string" }, "valid": { "type": "boolean" } }, "required": [ "error", "lastGeneration", "lastRotation", "valid" ], "type": "object", "additionalProperties": false } }, "type": "object" }