Skip to content

Commit

Permalink
feat(CRD): Add Hashicorp secret operator crds (#189)
Browse files Browse the repository at this point in the history
  • Loading branch information
@Syndlex
Syndlex authored Jul 18, 2023
1 parent 48d0c33 commit 3bc5d4b
Show file tree
Hide file tree
Showing 5 changed files with 859 additions and 0 deletions.
231 changes: 231 additions & 0 deletions secrets.hashicorp.com/vaultauth_v1beta1.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,231 @@
{
"description": "VaultAuth is the Schema for the vaultauths API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "VaultAuthSpec defines the desired state of VaultAuth",
"properties": {
"appRole": {
"description": "AppRole specific auth configuration, requires that the Method be set to `appRole`.",
"properties": {
"roleId": {
"description": "RoleID of the AppRole Role to use for authenticating to Vault.",
"type": "string"
},
"secretRef": {
"description": "SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which provides the AppRole Role's SecretID. The secret must have a key named `id` which holds the AppRole Role's secretID.",
"type": "string"
}
},
"required": [
"roleId",
"secretRef"
],
"type": "object",
"additionalProperties": false
},
"aws": {
"description": "AWS specific auth configuration, requires that Method be set to `aws`.",
"properties": {
"headerValue": {
"description": "The Vault header value to include in the STS signing request",
"type": "string"
},
"iamEndpoint": {
"description": "The IAM endpoint to use; if not set will use the default",
"type": "string"
},
"irsaServiceAccount": {
"description": "IRSAServiceAccount name to use with IAM Roles for Service Accounts (IRSA), and should be annotated with \"eks.amazonaws.com/role-arn\". This ServiceAccount will be checked for other EKS annotations: eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration",
"type": "string"
},
"region": {
"description": "AWS Region to use for signing the authentication request",
"type": "string"
},
"role": {
"description": "Vault role to use for authenticating",
"type": "string"
},
"secretRef": {
"description": "SecretRef is the name of a Kubernetes Secret which holds credentials for AWS. Expected keys include `access_key_id`, `secret_access_key`, `session_token`",
"type": "string"
},
"sessionName": {
"description": "The role session name to use when creating a webidentity provider",
"type": "string"
},
"stsEndpoint": {
"description": "The STS endpoint to use; if not set will use the default",
"type": "string"
}
},
"required": [
"role"
],
"type": "object",
"additionalProperties": false
},
"headers": {
"additionalProperties": {
"type": "string"
},
"description": "Headers to be included in all Vault requests.",
"type": "object"
},
"jwt": {
"description": "JWT specific auth configuration, requires that the Method be set to `jwt`.",
"properties": {
"audiences": {
"description": "TokenAudiences to include in the ServiceAccount token.",
"items": {
"type": "string"
},
"type": "array"
},
"role": {
"description": "Role to use for authenticating to Vault.",
"type": "string"
},
"secretRef": {
"description": "SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which provides the JWT token to authenticate to Vault's JWT authentication backend. The secret must have a key named `jwt` which holds the JWT token.",
"type": "string"
},
"serviceAccount": {
"description": "ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's JWT authentication backend.",
"type": "string"
},
"tokenExpirationSeconds": {
"default": 600,
"description": "TokenExpirationSeconds to set the ServiceAccount token.",
"format": "int64",
"minimum": 600,
"type": "integer"
}
},
"required": [
"role"
],
"type": "object",
"additionalProperties": false
},
"kubernetes": {
"description": "Kubernetes specific auth configuration, requires that the Method be set to `kubernetes`.",
"properties": {
"audiences": {
"description": "TokenAudiences to include in the ServiceAccount token.",
"items": {
"type": "string"
},
"type": "array"
},
"role": {
"description": "Role to use for authenticating to Vault.",
"type": "string"
},
"serviceAccount": {
"description": "ServiceAccount to use when authenticating to Vault's kubernetes authentication backend.",
"type": "string"
},
"tokenExpirationSeconds": {
"default": 600,
"description": "TokenExpirationSeconds to set the ServiceAccount token.",
"format": "int64",
"minimum": 600,
"type": "integer"
}
},
"required": [
"role",
"serviceAccount"
],
"type": "object",
"additionalProperties": false
},
"method": {
"description": "Method to use when authenticating to Vault.",
"enum": [
"kubernetes",
"jwt",
"appRole",
"aws"
],
"type": "string"
},
"mount": {
"description": "Mount to use when authenticating to auth method.",
"type": "string"
},
"namespace": {
"description": "Namespace to auth to in Vault",
"type": "string"
},
"params": {
"additionalProperties": {
"type": "string"
},
"description": "Params to use when authenticating to Vault",
"type": "object"
},
"storageEncryption": {
"description": "StorageEncryption provides the necessary configuration to encrypt the client storage cache. This should only be configured when client cache persistence with encryption is enabled. This is done by passing setting the manager's commandline argument --client-cache-persistence-model=direct-encrypted. Typically there should only ever be one VaultAuth configured with StorageEncryption in the Cluster, and it should have the label: cacheStorageEncryption=true",
"properties": {
"keyName": {
"description": "KeyName to use for encrypt/decrypt operations via Vault Transit.",
"type": "string"
},
"mount": {
"description": "Mount path of the Transit engine in Vault.",
"type": "string"
}
},
"required": [
"keyName",
"mount"
],
"type": "object",
"additionalProperties": false
},
"vaultConnectionRef": {
"description": "VaultConnectionRef of the corresponding VaultConnection CustomResource. If no value is specified the Operator will default to the `default` VaultConnection, configured in its own Kubernetes namespace.",
"type": "string"
}
},
"required": [
"method",
"mount"
],
"type": "object",
"additionalProperties": false
},
"status": {
"description": "VaultAuthStatus defines the observed state of VaultAuth",
"properties": {
"error": {
"type": "string"
},
"valid": {
"description": "Valid auth mechanism.",
"type": "boolean"
}
},
"required": [
"error",
"valid"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}
64 changes: 64 additions & 0 deletions secrets.hashicorp.com/vaultconnection_v1beta1.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
{
"description": "VaultConnection is the Schema for the vaultconnections API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "VaultConnectionSpec defines the desired state of VaultConnection",
"properties": {
"address": {
"description": "Address of the Vault server",
"type": "string"
},
"caCertSecretRef": {
"description": "CACertSecretRef is the name of a Kubernetes secret containing the trusted PEM encoded CA certificate chain as `ca.crt`.",
"type": "string"
},
"headers": {
"additionalProperties": {
"type": "string"
},
"description": "Headers to be included in all Vault requests.",
"type": "object"
},
"skipTLSVerify": {
"description": "SkipTLSVerify for TLS connections.",
"type": "boolean"
},
"tlsServerName": {
"description": "TLSServerName to use as the SNI host for TLS connections.",
"type": "string"
}
},
"required": [
"address"
],
"type": "object",
"additionalProperties": false
},
"status": {
"description": "VaultConnectionStatus defines the observed state of VaultConnection",
"properties": {
"valid": {
"description": "Valid auth mechanism.",
"type": "boolean"
}
},
"required": [
"valid"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}
Loading

0 comments on commit 3bc5d4b

Please sign in to comment.