Skip to content

Commit

Permalink
Update secrets.hashicorp.com (#263)
Browse files Browse the repository at this point in the history
  • Loading branch information
@fhemberger
fhemberger authored Jan 27, 2024
1 parent 89a756e commit 2e63c81
Show file tree
Hide file tree
Showing 7 changed files with 281 additions and 10 deletions.
83 changes: 83 additions & 0 deletions secrets.hashicorp.com/hcpauth_v1beta1.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
{
"description": "HCPAuth is the Schema for the hcpauths API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "HCPAuthSpec defines the desired state of HCPAuth",
"properties": {
"allowedNamespaces": {
"description": "AllowedNamespaces Kubernetes Namespaces which are allow-listed for use with this AuthMethod. This field allows administrators to customize which Kubernetes namespaces are authorized to use with this AuthMethod. While Vault will still enforce its own rules, this has the added configurability of restricting which HCPAuthMethods can be used by which namespaces. Accepted values: []{\"*\"} - wildcard, all namespaces. []{\"a\", \"b\"} - list of namespaces. unset - disallow all namespaces except the Operator's the HCPAuthMethod's namespace, this is the default behavior.",
"items": {
"type": "string"
},
"type": "array"
},
"method": {
"default": "servicePrincipal",
"description": "Method to use when authenticating to Vault.",
"enum": [
"servicePrincipal"
],
"type": "string"
},
"organizationID": {
"description": "OrganizationID of the HCP organization.",
"type": "string"
},
"projectID": {
"description": "ProjectID of the HCP project.",
"type": "string"
},
"servicePrincipal": {
"description": "ServicePrincipal provides the necessary configuration for authenticating to HCP using a service principal. For security reasons, only project-level service principals should ever be used.",
"properties": {
"secretRef": {
"description": "SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI/HCP) namespace which provides the HCP ServicePrincipal clientID, and clientSecret. The secret data must have the following structure { \"clientID\": \"clientID\", \"clientSecret\": \"clientSecret\", }",
"type": "string"
}
},
"required": [
"secretRef"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"organizationID",
"projectID"
],
"type": "object",
"additionalProperties": false
},
"status": {
"description": "HCPAuthStatus defines the observed state of HCPAuth",
"properties": {
"error": {
"type": "string"
},
"valid": {
"description": "Valid auth mechanism.",
"type": "boolean"
}
},
"required": [
"error",
"valid"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}
115 changes: 115 additions & 0 deletions secrets.hashicorp.com/hcpvaultsecretsapp_v1beta1.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,115 @@
{
"description": "HCPVaultSecretsApp is the Schema for the hcpvaultsecretsapps API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "HCPVaultSecretsAppSpec defines the desired state of HCPVaultSecretsApp",
"properties": {
"appName": {
"description": "AppName of the Vault Secrets Application that is to be synced.",
"type": "string"
},
"destination": {
"description": "Destination provides configuration necessary for syncing the HCP Vault Application secrets to Kubernetes.",
"properties": {
"annotations": {
"additionalProperties": {
"type": "string"
},
"description": "Annotations to apply to the Secret. Requires Create to be set to true.",
"type": "object"
},
"create": {
"description": "Create the destination Secret. If the Secret already exists this should be set to false.",
"type": "boolean"
},
"labels": {
"additionalProperties": {
"type": "string"
},
"description": "Labels to apply to the Secret. Requires Create to be set to true.",
"type": "object"
},
"name": {
"description": "Name of the Secret",
"type": "string"
},
"type": {
"description": "Type of Kubernetes Secret. Requires Create to be set to true. Defaults to Opaque.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"hcpAuthRef": {
"description": "HCPAuthRef to the HCPAuth resource, can be prefixed with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to the namespace of the HCPAuth CR. If no value is specified for HCPAuthRef the Operator will default to the `default` HCPAuth, configured in its own Kubernetes namespace. HCPAuthRef string `json:\"hcpAuthRef,omitempty\"`",
"type": "string"
},
"refreshAfter": {
"default": "600s",
"description": "RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h",
"pattern": "^([0-9]+(\\.[0-9]+)?(s|m|h))$",
"type": "string"
},
"rolloutRestartTargets": {
"description": "RolloutRestartTargets should be configured whenever the application(s) consuming the HCP Vault Secrets App does not support dynamically reloading a rotated secret. In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will trigger a \"rollout-restart\" for each target whenever the Vault secret changes between reconciliation events. See RolloutRestartTarget for more details.",
"items": {
"description": "RolloutRestartTarget provides the configuration required to perform a rollout-restart of the supported resources upon Vault Secret rotation. The rollout-restart is triggered by patching the target resource's 'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt: \"2023-03-23T13:39:31Z\" \n Supported resources: Deployment, DaemonSet, StatefulSet",
"properties": {
"kind": {
"enum": [
"Deployment",
"DaemonSet",
"StatefulSet"
],
"type": "string"
},
"name": {
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"appName",
"destination"
],
"type": "object",
"additionalProperties": false
},
"status": {
"description": "HCPVaultSecretsAppStatus defines the observed state of HCPVaultSecretsApp",
"properties": {
"secretMAC": {
"description": "SecretMAC used when deciding whether new Vault secret data should be synced. \n The controller will compare the \"new\" HCP Vault Secrets App data to this value using HMAC, if they are different, then the data will be synced to the Destination. \n The SecretMac is also used to detect drift in the Destination Secret's Data. If drift is detected the data will be synced to the Destination.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}
45 changes: 42 additions & 3 deletions secrets.hashicorp.com/vaultauth_v1beta1.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,13 @@
"spec": {
"description": "VaultAuthSpec defines the desired state of VaultAuth",
"properties": {
"allowedNamespaces": {
"description": "AllowedNamespaces Kubernetes Namespaces which are allow-listed for use with this AuthMethod. This field allows administrators to customize which Kubernetes namespaces are authorized to use with this AuthMethod. While Vault will still enforce its own rules, this has the added configurability of restricting which VaultAuthMethods can be used by which namespaces. Accepted values: []{\"*\"} - wildcard, all namespaces. []{\"a\", \"b\"} - list of namespaces. unset - disallow all namespaces except the Operator's the VaultAuthMethod's namespace, this is the default behavior.",
"items": {
"type": "string"
},
"type": "array"
},
"appRole": {
"description": "AppRole specific auth configuration, requires that the Method be set to `appRole`.",
"properties": {
Expand Down Expand Up @@ -76,6 +83,37 @@
"type": "object",
"additionalProperties": false
},
"gcp": {
"description": "GCP specific auth configuration, requires that Method be set to `gcp`.",
"properties": {
"clusterName": {
"description": "GKE cluster name. Defaults to the cluster-name returned from the operator pod's local metadata server.",
"type": "string"
},
"projectID": {
"description": "GCP project ID. Defaults to the project-id returned from the operator pod's local metadata server.",
"type": "string"
},
"region": {
"description": "GCP Region of the GKE cluster's identity provider. Defaults to the region returned from the operator pod's local metadata server.",
"type": "string"
},
"role": {
"description": "Vault role to use for authenticating",
"type": "string"
},
"workloadIdentityServiceAccount": {
"description": "WorkloadIdentityServiceAccount is the name of a Kubernetes service account (in the same Kubernetes namespace as the Vault*Secret referencing this resource) which has been configured for workload identity in GKE. Should be annotated with \"iam.gke.io/gcp-service-account\".",
"type": "string"
}
},
"required": [
"role",
"workloadIdentityServiceAccount"
],
"type": "object",
"additionalProperties": false
},
"headers": {
"additionalProperties": {
"type": "string"
Expand Down Expand Up @@ -158,7 +196,8 @@
"kubernetes",
"jwt",
"appRole",
"aws"
"aws",
"gcp"
],
"type": "string"
},
Expand All @@ -178,7 +217,7 @@
"type": "object"
},
"storageEncryption": {
"description": "StorageEncryption provides the necessary configuration to encrypt the client storage cache. This should only be configured when client cache persistence with encryption is enabled. This is done by passing setting the manager's commandline argument --client-cache-persistence-model=direct-encrypted. Typically there should only ever be one VaultAuth configured with StorageEncryption in the Cluster, and it should have the label: cacheStorageEncryption=true",
"description": "StorageEncryption provides the necessary configuration to encrypt the client storage cache. This should only be configured when client cache persistence with encryption is enabled. This is done by passing setting the manager's commandline argument --client-cache-persistence-model=direct-encrypted. Typically, there should only ever be one VaultAuth configured with StorageEncryption in the Cluster, and it should have the label: cacheStorageEncryption=true",
"properties": {
"keyName": {
"description": "KeyName to use for encrypt/decrypt operations via Vault Transit.",
Expand All @@ -197,7 +236,7 @@
"additionalProperties": false
},
"vaultConnectionRef": {
"description": "VaultConnectionRef of the corresponding VaultConnection CustomResource. If no value is specified the Operator will default to the `default` VaultConnection, configured in its own Kubernetes namespace.",
"description": "VaultConnectionRef to the VaultConnection resource, can be prefixed with a namespace, eg: `namespaceA/vaultConnectionRefB`. If no namespace prefix is provided it will default to namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the Operator will default to\t`default` VaultConnection, configured in its own Kubernetes namespace.",
"type": "string"
}
},
Expand Down
4 changes: 3 additions & 1 deletion secrets.hashicorp.com/vaultconnection_v1beta1.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
"type": "object"
},
"skipTLSVerify": {
"default": false,
"description": "SkipTLSVerify for TLS connections.",
"type": "boolean"
},
Expand All @@ -40,7 +41,8 @@
}
},
"required": [
"address"
"address",
"skipTLSVerify"
],
"type": "object",
"additionalProperties": false
Expand Down
7 changes: 6 additions & 1 deletion secrets.hashicorp.com/vaultdynamicsecret_v1beta1.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@
"type": "array"
},
"vaultAuthRef": {
"description": "VaultAuthRef to the VaultAuth resource If no value is specified the Operator will default to the `default` VaultAuth, configured in its own Kubernetes namespace.",
"description": "VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will default to the `default` VaultAuth, configured in its own Kubernetes namespace.",
"type": "string"
}
},
Expand Down Expand Up @@ -196,6 +196,10 @@
"format": "int64",
"type": "integer"
},
"rotationSchedule": {
"description": "RotationSchedule is a \"cron style\" string representing the allowed schedule for each rotation. e.g. \"1 0 * * *\" would rotate at one minute past midnight (00:01) every day.",
"type": "string"
},
"ttl": {
"description": "TTL is the seconds remaining before the next rotation.",
"format": "int64",
Expand All @@ -205,6 +209,7 @@
"required": [
"lastVaultRotation",
"rotationPeriod",
"rotationSchedule",
"ttl"
],
"type": "object",
Expand Down
24 changes: 21 additions & 3 deletions secrets.hashicorp.com/vaultpkisecret_v1beta1.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@
"type": "string"
},
"destination": {
"description": "Destination provides configuration necessary for syncing the Vault secret to Kubernetes. If the type is set to \"kubernetes.io/tls\", the Vault response fields \"certificate\" and \"private_key\" will be copied to fields \"tls.crt\" and \"tls.key\", respectively, in the Kubernetes secret.",
"description": "Destination provides configuration necessary for syncing the Vault secret to Kubernetes. If the type is set to \"kubernetes.io/tls\", \"tls.key\" will be set to the \"private_key\" response from Vault, and \"tls.crt\" will be set to \"certificate\" + \"ca_chain\" from the Vault response (\"issuing_ca\" is used when \"ca_chain\" is empty). The \"remove_roots_from_chain=true\" option is used with Vault to exclude the root CA from the Vault response.",
"properties": {
"annotations": {
"additionalProperties": {
Expand Down Expand Up @@ -71,7 +71,8 @@
"type": "boolean"
},
"expiryOffset": {
"description": "ExpiryOffset to use for computing when the certificate should be renewed. The rotation time will be difference between the expiration and the offset. Should be in duration notation e.g. 30s, 120s, etc. Set to empty string \"\" to prevent certificate rotation.",
"description": "ExpiryOffset to use for computing when the certificate should be renewed. The rotation time will be difference between the expiration and the offset. Should be in duration notation e.g. 30s, 120s, etc.",
"pattern": "^([0-9]+(\\.[0-9]+)?(s|m|h))$",
"type": "string"
},
"format": {
Expand Down Expand Up @@ -148,6 +149,7 @@
},
"ttl": {
"description": "TTL for the certificate; sets the expiration date. If not specified the Vault role's default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount's max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA. Should be in duration notation e.g. 120s, 2h, etc.",
"pattern": "^([0-9]+(\\.[0-9]+)?(s|m|h))$",
"type": "string"
},
"uriSans": {
Expand All @@ -158,7 +160,7 @@
"type": "array"
},
"vaultAuthRef": {
"description": "VaultAuthRef of the VaultAuth resource If no value is specified the Operator will default to the `default` VaultAuth, configured in its own Kubernetes namespace.",
"description": "VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace, eg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will default to the `default` VaultAuth, configured in its own Kubernetes namespace.",
"type": "string"
}
},
Expand All @@ -180,6 +182,20 @@
"format": "int64",
"type": "integer"
},
"lastGeneration": {
"description": "LastGeneration is the Generation of the last reconciled resource.",
"format": "int64",
"type": "integer"
},
"lastRotation": {
"description": "LastLastRotation of the certificate.",
"format": "int64",
"type": "integer"
},
"secretMAC": {
"description": "SecretMAC used when deciding whether new Vault secret data should be synced. \n The controller will compare the \"new\" Vault secret data to this value using HMAC, if they are different, then the data will be synced to the Destination. \n The SecretMac is also used to detect drift in the Destination Secret's Data. If drift is detected the data will be synced to the Destination.",
"type": "string"
},
"serialNumber": {
"type": "string"
},
Expand All @@ -189,6 +205,8 @@
},
"required": [
"error",
"lastGeneration",
"lastRotation",
"valid"
],
"type": "object",
Expand Down
Loading

0 comments on commit 2e63c81

Please sign in to comment.