{ "description": "VaultStaticSecret is the Schema for the vaultstaticsecrets API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "VaultStaticSecretSpec defines the desired state of VaultStaticSecret", "properties": { "destination": { "description": "Destination provides configuration necessary for syncing the Vault secret to Kubernetes.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations to apply to the Secret. Requires Create to be set to true.", "type": "object" }, "create": { "default": false, "description": "Create the destination Secret.\nIf the Secret already exists this should be set to false.", "type": "boolean" }, "labels": { "additionalProperties": { "type": "string" }, "description": "Labels to apply to the Secret. Requires Create to be set to true.", "type": "object" }, "name": { "description": "Name of the Secret", "type": "string" }, "overwrite": { "default": false, "description": "Overwrite the destination Secret if it exists and Create is true. This is\nuseful when migrating to VSO from a previous secret deployment strategy.", "type": "boolean" }, "transformation": { "description": "Transformation provides configuration for transforming the secret data before\nit is stored in the Destination.", "properties": { "excludeRaw": { "description": "ExcludeRaw data from the destination Secret. Exclusion policy can be set\nglobally by including 'exclude-raw` in the '--global-transformation-options'\ncommand line flag. If set, the command line flag always takes precedence over\nthis configuration.", "type": "boolean" }, "excludes": { "description": "Excludes contains regex patterns used to filter top-level source secret data\nfields for exclusion from the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied before any inclusion patterns. To exclude all source secret data\nfields, you can configure the single pattern \".*\".", "items": { "type": "string" }, "type": "array" }, "includes": { "description": "Includes contains regex patterns used to filter top-level source secret data\nfields for inclusion in the final K8s Secret data. These pattern filters are\nnever applied to templated fields as defined in Templates. They are always\napplied last.", "items": { "type": "string" }, "type": "array" }, "templates": { "additionalProperties": { "description": "Template provides templating configuration.", "properties": { "name": { "description": "Name of the Template", "type": "string" }, "text": { "description": "Text contains the Go text template format. The template\nreferences attributes from the data structure of the source secret.\nRefer to https://pkg.go.dev/text/template for more information.", "type": "string" } }, "required": [ "text" ], "type": "object", "additionalProperties": false }, "description": "Templates maps a template name to its Template. Templates are always included\nin the rendered K8s Secret, and take precedence over templates defined in a\nSecretTransformation.", "type": "object" }, "transformationRefs": { "description": "TransformationRefs contain references to template configuration from\nSecretTransformation.", "items": { "description": "TransformationRef contains the configuration for accessing templates from an\nSecretTransformation resource. TransformationRefs can be shared across all\nsyncable secret custom resources.", "properties": { "ignoreExcludes": { "description": "IgnoreExcludes controls whether to use the SecretTransformation's Excludes\ndata key filters.", "type": "boolean" }, "ignoreIncludes": { "description": "IgnoreIncludes controls whether to use the SecretTransformation's Includes\ndata key filters.", "type": "boolean" }, "name": { "description": "Name of the SecretTransformation resource.", "type": "string" }, "namespace": { "description": "Namespace of the SecretTransformation resource.", "type": "string" }, "templateRefs": { "description": "TemplateRefs map to a Template found in this TransformationRef. If empty, then\nall templates from the SecretTransformation will be rendered to the K8s Secret.", "items": { "description": "TemplateRef points to templating text that is stored in a\nSecretTransformation custom resource.", "properties": { "keyOverride": { "description": "KeyOverride to the rendered template in the Destination secret. If Key is\nempty, then the Key from reference spec will be used. Set this to override the\nKey set from the reference spec.", "type": "string" }, "name": { "description": "Name of the Template in SecretTransformationSpec.Templates.\nthe rendered secret data.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": { "description": "Type of Kubernetes Secret. Requires Create to be set to true.\nDefaults to Opaque.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "hmacSecretData": { "default": true, "description": "HMACSecretData determines whether the Operator computes the\nHMAC of the Secret's data. The MAC value will be stored in\nthe resource's Status.SecretMac field, and will be used for drift detection\nand during incoming Vault secret comparison.\nEnabling this feature is recommended to ensure that Secret's data stays consistent with Vault.", "type": "boolean" }, "mount": { "description": "Mount for the secret in Vault", "type": "string" }, "namespace": { "description": "Namespace of the secrets engine mount in Vault. If not set, the namespace that's\npart of VaultAuth resource will be inferred.", "type": "string" }, "path": { "description": "Path of the secret in Vault, corresponds to the `path` parameter for,\nkv-v1: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1#read-secret\nkv-v2: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version", "type": "string" }, "refreshAfter": { "description": "RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h", "pattern": "^([0-9]+(\\.[0-9]+)?(s|m|h))$", "type": "string" }, "rolloutRestartTargets": { "description": "RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does\nnot support dynamically reloading a rotated secret.\nIn that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will\ntrigger a \"rollout-restart\" for each target whenever the Vault secret changes between reconciliation events.\nAll configured targets will be ignored if HMACSecretData is set to false.\nSee RolloutRestartTarget for more details.", "items": { "description": "RolloutRestartTarget provides the configuration required to perform a\nrollout-restart of the supported resources upon Vault Secret rotation.\nThe rollout-restart is triggered by patching the target resource's\n'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt'\nwith a timestamp value of when the trigger was executed.\nE.g. vso.secrets.hashicorp.com/restartedAt: \"2023-03-23T13:39:31Z\"\n\nSupported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout", "properties": { "kind": { "description": "Kind of the resource", "enum": [ "Deployment", "DaemonSet", "StatefulSet", "argo.Rollout" ], "type": "string" }, "name": { "description": "Name of the resource", "type": "string" } }, "required": [ "kind", "name" ], "type": "object", "additionalProperties": false }, "type": "array" }, "syncConfig": { "description": "SyncConfig configures sync behavior from Vault to VSO", "properties": { "instantUpdates": { "description": "InstantUpdates is a flag to indicate that event-driven updates are\nenabled for this VaultStaticSecret", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "type": { "description": "Type of the Vault static secret", "enum": [ "kv-v1", "kv-v2" ], "type": "string" }, "vaultAuthRef": { "description": "VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace,\neg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to the\nnamespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will\ndefault to the `default` VaultAuth, configured in the operator's namespace.", "type": "string" }, "version": { "description": "Version of the secret to fetch. Only valid for type kv-v2. Corresponds to version query parameter:\nhttps://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#version", "minimum": 0, "type": "integer" } }, "required": [ "destination", "mount", "path", "type" ], "type": "object", "additionalProperties": false }, "status": { "description": "VaultStaticSecretStatus defines the observed state of VaultStaticSecret", "properties": { "lastGeneration": { "description": "LastGeneration is the Generation of the last reconciled resource.", "format": "int64", "type": "integer" }, "secretMAC": { "description": "SecretMAC used when deciding whether new Vault secret data should be synced.\n\nThe controller will compare the \"new\" Vault secret data to this value using HMAC,\nif they are different, then the data will be synced to the Destination.\n\nThe SecretMac is also used to detect drift in the Destination Secret's Data.\nIf drift is detected the data will be synced to the Destination.", "type": "string" } }, "required": [ "lastGeneration" ], "type": "object", "additionalProperties": false } }, "type": "object" }