Overview ¶
Package v1 contains API Schema definitions for the vault v1 API group.
+kubebuilder:object:generate=true
+groupName=vault.vault-go.ibm.com
Variables ¶
var (
	// GroupVersion is the group/version under which the objects of this package are registered.
	GroupVersion = schema.GroupVersion{Group: "vault.vault-go.ibm.com", Version: "v1"}

	// SchemeBuilder collects the Go types of this group/version for the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme registers every type of this group/version with the scheme it is given.
	AddToScheme = SchemeBuilder.AddToScheme
)
Types ¶
type AuthConfig ¶
// AuthConfig holds the lease TTL settings applied to an auth mount.
// The json/yaml tags name the CR field; the vault tag names the Vault API
// parameter. Both json/yaml tags carry omitempty, so a zero TTL is dropped
// from the serialized CR (the vault tag has no omitempty).
type AuthConfig struct {
	// DefaultLeaseTTL is sent to Vault as default_lease_ttl.
	DefaultLeaseTTL int64 `json:"defaultLeaseTTL,omitempty" yaml:"defaultLeaseTTL,omitempty" vault:"default_lease_ttl"`
	// MaxLeaseTTL is sent to Vault as max_lease_ttl.
	MaxLeaseTTL int64 `json:"maxLeaseTTL,omitempty" yaml:"maxLeaseTTL,omitempty" vault:"max_lease_ttl"`
}
AuthConfig holds the default and maximum lease TTL settings.
func (*AuthConfig) DeepCopy ¶
func (in *AuthConfig) DeepCopy() *AuthConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthConfig.
func (*AuthConfig) DeepCopyInto ¶
func (in *AuthConfig) DeepCopyInto(out *AuthConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthData ¶
// AuthData is the payload passed to Vault REST calls for an auth method.
// None of the tags carry omitempty, so every field — including an empty
// Config — is always serialized.
type AuthData struct {
	// Type is the auth method type, sent as "type".
	Type string `json:"type" yaml:"type" vault:"type"`
	// Description is the human-readable description, sent as "description".
	Description string `json:"description" yaml:"description" vault:"description"`
	// Config carries the lease TTL settings, sent as "config".
	Config AuthConfig `json:"config" yaml:"config" vault:"config"`
}
AuthData is the payload passed to Vault REST calls.
func (*AuthData) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthData.
func (*AuthData) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type HCLPolicies ¶
// HCLPolicies is a list of policy paths. The hcl tag "path" maps each entry
// to a `path` block when the policy is rendered as Vault HCL.
type HCLPolicies struct {
	// Paths holds the individual policy path rules; omitted when empty.
	Paths []PolicyPath `json:"paths,omitempty" yaml:"paths,omitempty" hcl:"path"`
}
HCLPolicies is an array of policies
func (*HCLPolicies) DeepCopy ¶
func (in *HCLPolicies) DeepCopy() *HCLPolicies
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HCLPolicies.
func (*HCLPolicies) DeepCopyInto ¶
func (in *HCLPolicies) DeepCopyInto(out *HCLPolicies)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IntermediateOptions ¶
// IntermediateOptions describes how an intermediate CA is derived from a
// root CA: where the root lives and which generate options to use.
type IntermediateOptions struct {
	// RootCANamespace is the Vault namespace holding the root CA.
	RootCANamespace string `json:"rootCANamespace,omitempty" yaml:"rootCANamespace,omitempty"`
	// RootCAPath is the mount path of the root CA.
	RootCAPath string `json:"rootCAPath,omitempty" yaml:"rootCAPath,omitempty"`
	// GenerateOptions are the options used when generating the intermediate;
	// nil means none are supplied.
	GenerateOptions *VaultGenerateOptions `json:"generateOptions,omitempty" yaml:"generateOptions,omitempty"`
}
func (*IntermediateOptions) DeepCopy ¶
func (in *IntermediateOptions) DeepCopy() *IntermediateOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntermediateOptions.
func (*IntermediateOptions) DeepCopyInto ¶
func (in *IntermediateOptions) DeepCopyInto(out *IntermediateOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JWTAuthConfig ¶
// JWTAuthConfig is the configuration written to a Vault JWT/OIDC auth mount.
// Exactly one signature-verification source is expected — OIDCDiscoveryURL,
// JWKSURL or JWTValidationPubkeys — and each field's comment lists what it
// cannot be combined with. The vault tag carries the Vault API parameter name.
type JWTAuthConfig struct {
	// OIDCDiscoveryURL (oidc_discovery_url, optional): the OIDC discovery base
	// URL, without the .well-known component. Cannot be used with jwks_url or
	// jwt_validation_pubkeys.
	OIDCDiscoveryURL string `json:"oidcDiscoveryURL,omitempty" yaml:"oidcDiscoveryURL,omitempty" vault:"oidc_discovery_url,omitempty"`
	// OIDCDiscoveryCAPem (oidc_discovery_ca_pem, optional): PEM CA certificate
	// or chain used to validate connections to the discovery URL; system
	// certificates are used when unset.
	OIDCDiscoveryCAPem string `json:"oidcDiscoveryCAPem,omitempty" yaml:"oidcDiscoveryCAPem,omitempty" vault:"oidc_discovery_ca_pem,omitempty"`
	// OIDCClientID (oidc_client_id, optional): the provider's OAuth client ID,
	// used for OIDC roles.
	OIDCClientID string `json:"oidcClientID,omitempty" yaml:"oidcClientID,omitempty" vault:"oidc_client_id,omitempty"`
	// OIDCClientSecret (oidc_client_secret, optional): the provider's OAuth
	// client secret, used for OIDC roles.
	// NOTE(review): this is a plain string field of the CR, so the secret is
	// stored and serialized with the rest of the resource — confirm how the
	// controller sources and protects it before relying on this field.
	OIDCClientSecret string `json:"oidcClientSecret,omitempty" yaml:"oidcClientSecret,omitempty" vault:"oidc_client_secret,omitempty"`
	// OIDCResponseMode (oidc_response_mode, optional): response mode of the
	// OAuth2 request, "query" (default) or "form_post".
	OIDCResponseMode string `json:"oidcResponseMode,omitempty" yaml:"oidcResponseMode,omitempty" vault:"oidc_response_mode,omitempty"`
	// OIDCResponseTypes (oidc_response_types, optional): response types to
	// request, "code" (default) and/or "id_token"; "id_token" is only valid
	// when oidc_response_mode is "form_post". Vault accepts a comma-separated
	// string or an array; this field holds the string form.
	OIDCResponseTypes string `json:"oidcResponseTypes,omitempty" yaml:"oidcResponseTypes,omitempty" vault:"oidc_response_types,omitempty"`
	// JWKSURL (jwks_url, optional): JWKS endpoint used to verify signatures.
	// Cannot be used with oidc_discovery_url or jwt_validation_pubkeys. Note
	// that the json/yaml key is "JWKSURL", unlike the camelCase keys of the
	// other fields.
	JWKSURL string `json:"JWKSURL,omitempty" yaml:"JWKSURL,omitempty" vault:"jwks_url,omitempty"`
	// JWKSCAPem (jwks_ca_pem, optional): PEM CA certificate or chain used to
	// validate connections to the JWKS URL; system certificates when unset.
	JWKSCAPem string `json:"JWKSCAPem,omitempty" yaml:"JWKSCAPem,omitempty" vault:"jwks_ca_pem,omitempty"`
	// JWTValidationPubkeys (jwt_validation_pubkeys, optional): PEM-encoded
	// public keys used to verify signatures locally. Cannot be used with
	// jwks_url or oidc_discovery_url. Held as a string although Vault also
	// accepts an array.
	JWTValidationPubkeys string `json:"jwtValidationPubkeys,omitempty" yaml:"jwtValidationPubkeys,omitempty" vault:"jwt_validation_pubkeys,omitempty"`
	// BoundIssuer (bound_issuer, optional): value the JWT's iss claim must match.
	BoundIssuer string `json:"boundIssuer,omitempty" yaml:"boundIssuer,omitempty" vault:"bound_issuer,omitempty"`
	// JWTSupportedAlgs (jwt_supported_algs, optional): accepted signing
	// algorithms (Vault's list plus EdDSA); Vault defaults to [RS256]. Held
	// as a string although Vault also accepts an array.
	JWTSupportedAlgs string `json:"jwtSupportedAlgs,omitempty" yaml:"jwtSupportedAlgs,omitempty" vault:"jwt_supported_algs,omitempty"`
	// DefaultRole (default_role, optional): role used when a login names none.
	DefaultRole string `json:"defaultRole,omitempty" yaml:"defaultRole,omitempty" vault:"default_role,omitempty"`
	// ProviderConfig (provider_config, optional): provider-specific handling
	// options (Azure among them), documented per provider in Vault's OIDC
	// provider setup pages.
	ProviderConfig map[string]string `json:"providerConfig,omitempty" yaml:"providerConfig,omitempty" vault:"provider_config,omitempty"`
}
JWTAuthConfig is config for JWT
func (*JWTAuthConfig) DeepCopy ¶
func (in *JWTAuthConfig) DeepCopy() *JWTAuthConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthConfig.
func (*JWTAuthConfig) DeepCopyInto ¶
func (in *JWTAuthConfig) DeepCopyInto(out *JWTAuthConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JWTRole ¶
// JWTRole is the Schema for the jwtroles API: a Kubernetes resource whose
// Spec describes a Vault JWT role and whose Status records what was observed.
type JWTRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state of the role.
	Spec JWTRoleSpec `json:"spec,omitempty"`
	// Status is the observed state of the role.
	Status JWTRoleStatus `json:"status,omitempty"`
}
JWTRole is the Schema for the jwtroles API
func (*JWTRole) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTRole.
func (*JWTRole) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*JWTRole) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type JWTRoleList ¶
// JWTRoleList is the list type returned when listing JWTRole resources.
type JWTRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items holds the listed roles; always serialized (no omitempty).
	Items []JWTRole `json:"items"`
}
JWTRoleList contains a list of JWTRole
func (*JWTRoleList) DeepCopy ¶
func (in *JWTRoleList) DeepCopy() *JWTRoleList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTRoleList.
func (*JWTRoleList) DeepCopyInto ¶
func (in *JWTRoleList) DeepCopyInto(out *JWTRoleList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*JWTRoleList) DeepCopyObject ¶
func (in *JWTRoleList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type JWTRoleParameters ¶
// JWTRoleParameters are the parameters written to a Vault JWT/OIDC role
// endpoint. The vault tag carries the Vault API parameter name; every tag
// carries omitempty, so zero values are not sent and Vault's own defaults
// apply to them.
type JWTRoleParameters struct {
	// RoleType (role_type, optional): "oidc" (default) or "jwt".
	RoleType string `json:"roleType,omitempty" yaml:"roleType,omitempty" vault:"role_type,omitempty"`
	// BoundAudiences (bound_audiences, optional): aud claim values to match;
	// any single match suffices. Required for "jwt" roles, optional for "oidc".
	BoundAudiences []string `json:"boundAudiences,omitempty" yaml:"boundAudiences,omitempty" vault:"bound_audiences,omitempty"`
	// UserClaim (user_claim, required): claim that uniquely identifies the
	// user; it names the Identity entity alias created on a successful login.
	// The claim value must be a string.
	UserClaim string `json:"userClaim,omitempty" yaml:"userClaim,omitempty" vault:"user_claim,omitempty"`
	// ClockSkewLeeway (clock_skew_leeway, optional): leeway in seconds added
	// to all claims to absorb clock skew. 0 means Vault's default of 60s; -1
	// disables it. Only applies to "jwt" roles.
	ClockSkewLeeway int64 `json:"clockSkewLeeway,omitempty" yaml:"clockSkewLeeway,omitempty" vault:"clock_skew_leeway,omitempty"`
	// ExpirationLeeway (expiration_leeway, optional): leeway in seconds added
	// to exp claims. 0 means Vault's default of 150s; -1 disables it. Only
	// applies to "jwt" roles.
	ExpirationLeeway int64 `json:"expirationLeeway,omitempty" yaml:"expirationLeeway,omitempty" vault:"expiration_leeway,omitempty"`
	// NotBeforeLeeway (not_before_leeway, optional): leeway in seconds added
	// to nbf claims. 0 means Vault's default of 150s; -1 disables it. Only
	// applies to "jwt" roles.
	NotBeforeLeeway int64 `json:"notBeforeLeeway,omitempty" yaml:"notBeforeLeeway,omitempty" vault:"not_before_leeway,omitempty"`
	// BoundSubject (bound_subject, optional): if set, the sub claim must equal it.
	BoundSubject string `json:"boundSubject,omitempty" yaml:"boundSubject,omitempty" vault:"bound_subject,omitempty"`
	// BoundClaims (bound_claims, optional): claims (keys) to match against the
	// given values; interpretation is controlled by BoundClaimsType. Keys may
	// use JSON pointer syntax. Vault also accepts a list per claim; this map
	// holds a single string per claim.
	BoundClaims map[string]string `json:"boundClaims,omitempty" yaml:"boundClaims,omitempty" vault:"bound_claims,omitempty"`
	// BoundClaimsType (bound_claims_type, default "string"): "string" requires
	// exact matches; "glob" treats values as globs where * matches any run of
	// characters.
	BoundClaimsType string `json:"boundClaimsType,omitempty" yaml:"boundClaimsType,omitempty" vault:"bound_claims_type,omitempty"`
	// GroupClaim (groups_claim, optional): claim listing the user's groups;
	// its values name the Identity group aliases created on login. Must be a
	// list of strings. Supports JSON pointer syntax.
	GroupClaim string `json:"groupClaim,omitempty" yaml:"groupClaim,omitempty" vault:"groups_claim,omitempty"`
	// ClaimMappings (claim_mappings, optional): claims (keys) copied into the
	// named metadata fields (values). Keys may use JSON pointer syntax.
	ClaimMappings map[string]string `json:"claimMappings,omitempty" yaml:"claimMappings,omitempty" vault:"claim_mappings,omitempty"`
	// OIDCScopes (oidc_scopes, optional): extra OIDC scopes for an OIDC role;
	// "openid" is always included and need not be listed.
	OIDCScopes []string `json:"oidcScopes,omitempty" yaml:"oidcScopes,omitempty" vault:"oidc_scopes,omitempty"`
	// AllowedRedirectURLs (allowed_redirect_uris, required): the redirect_uri
	// values accepted during OIDC logins.
	AllowedRedirectURLs []string `json:"allowedRedirectURLs,omitempty" yaml:"allowedRedirectURLs,omitempty" vault:"allowed_redirect_uris,omitempty"`
	// VerboseOIDCLogging (verbose_oidc_logging, default false): log received
	// OIDC tokens and claims when debug-level logging is active. Not
	// recommended in production, since OIDC responses may contain sensitive
	// information.
	VerboseOIDCLogging bool `json:"verboseOIDCLogging,omitempty" yaml:"verboseOIDCLogging,omitempty" vault:"verbose_oidc_logging,omitempty"`
	// TokenTTL (token_ttl, integer 0 or string ""): incremental lifetime of
	// generated tokens; the current value is consulted at renewal time. Unlike
	// the other token_* TTL fields of this struct it is a string, which is
	// the other form Vault accepts.
	TokenTTL string `json:"tokenTTL,omitempty" yaml:"tokenTTL,omitempty" vault:"token_ttl,omitempty"`
	// TokenMaxTTL (token_max_ttl, integer 0 or string ""): maximum lifetime of
	// generated tokens; the current value is consulted at renewal time.
	TokenMaxTTL int64 `json:"tokenMaxTTL,omitempty" yaml:"tokenMaxTTL,omitempty" vault:"token_max_ttl,omitempty"`
	// TokenPolicies (token_policies, array [] or comma-delimited string ""):
	// policies encoded onto generated tokens; the auth method may add
	// user/group/other values.
	TokenPolicies []string `json:"tokenPolicies,omitempty" yaml:"tokenPolicies,omitempty" vault:"token_policies,omitempty"`
	// TokenBoundCIDRs (token_bound_cidrs, array [] or comma-delimited string
	// ""): CIDR blocks from which logins may succeed; the resulting token is
	// bound to them as well. Held as the comma-delimited string form.
	TokenBoundCIDRs string `json:"tokenBoundCIDRs,omitempty" yaml:"tokenBoundCIDRs,omitempty" vault:"token_bound_cidrs,omitempty"`
	// TokenExplicitMaxTTL (token_explicit_max_ttl, integer 0 or string ""):
	// explicit max TTL encoded onto the token — a hard cap even where
	// token_ttl and token_max_ttl would otherwise allow renewal.
	TokenExplicitMaxTTL int64 `json:"tokenExplicitMaxTTL,omitempty" yaml:"tokenExplicitMaxTTL,omitempty" vault:"token_explicit_max_ttl,omitempty"`
	// TokenNoDefaultPolicy (token_no_default_policy, default false): when set,
	// the default policy is not added to generated tokens; otherwise it is
	// added to the token_policies set.
	TokenNoDefaultPolicy bool `json:"tokenNoDefaultPolicy,omitempty" yaml:"tokenNoDefaultPolicy,omitempty" vault:"token_no_default_policy,omitempty"`
	// TokenNumUses (token_num_uses, default 0): maximum uses of a generated
	// token within its lifetime; 0 means unlimited. Must be 0 if the token
	// needs to create child tokens.
	TokenNumUses int `json:"tokenNumUses,omitempty" yaml:"tokenNumUses,omitempty" vault:"token_num_uses,omitempty"`
	// TokenPeriod (token_period, integer 0 or string ""): the period, if any,
	// set on the token.
	TokenPeriod int64 `json:"tokenPeriod,omitempty" yaml:"tokenPeriod,omitempty" vault:"token_period,omitempty"`
	// TokenType (token_type, default ""): type of token to generate — service,
	// batch, or default for the mount's tuned default (service unless changed).
	// Token store roles additionally accept default-service and default-batch,
	// which set the type returned unless the client asks for another at
	// generation time.
	TokenType string `json:"tokenType,omitempty" yaml:"tokenType,omitempty" vault:"token_type,omitempty"`
}
JWTRoleParameters holds the parameters fed to the JWT role endpoint.
func (*JWTRoleParameters) DeepCopy ¶
func (in *JWTRoleParameters) DeepCopy() *JWTRoleParameters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTRoleParameters.
func (*JWTRoleParameters) DeepCopyInto ¶
func (in *JWTRoleParameters) DeepCopyInto(out *JWTRoleParameters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JWTRoleSpec ¶
// JWTRoleSpec defines the desired state of a JWTRole: where the role lives in
// Vault and the parameters written to it. No tag carries omitempty, so every
// field is always serialized.
type JWTRoleSpec struct {
	// AuthPath is the path of the JWT auth mount the role belongs to.
	AuthPath string `json:"authPath" yaml:"authPath"`
	// RoleName is the name of the role within that mount.
	RoleName string `json:"roleName" yaml:"roleName"`
	// VaultNamespace is the Vault namespace the mount lives in.
	VaultNamespace string `json:"vaultNamespace" yaml:"vaultNamespace"`
	// Parameters are the role parameters written to Vault.
	Parameters JWTRoleParameters `json:"parameters" yaml:"parameters"`
}
JWTRoleSpec defines the desired state of JWTRole
func (*JWTRoleSpec) DeepCopy ¶
func (in *JWTRoleSpec) DeepCopy() *JWTRoleSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTRoleSpec.
func (*JWTRoleSpec) DeepCopyInto ¶
func (in *JWTRoleSpec) DeepCopyInto(out *JWTRoleSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JWTRoleStatus ¶
// JWTRoleStatus defines the observed state of a JWTRole. It currently records
// nothing and serializes as an empty object.
type JWTRoleStatus struct{}
JWTRoleStatus defines the observed state of JWTRole
func (*JWTRoleStatus) DeepCopy ¶
func (in *JWTRoleStatus) DeepCopy() *JWTRoleStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTRoleStatus.
func (*JWTRoleStatus) DeepCopyInto ¶
func (in *JWTRoleStatus) DeepCopyInto(out *JWTRoleStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type KVKey ¶
// KVKey is a single key within a KV secret path. Only the key's name and a
// description are recorded — no secret value is part of this type.
type KVKey struct {
	// Name is the key name; omitted from the CR when empty.
	Name string `json:"name,omitempty" yaml:"name,omitempty"`
	// Description is free text describing the key; omitted when empty.
	Description string `json:"description,omitempty" yaml:"description,omitempty"`
}
KVKey is a key in the kv secret path
func (*KVKey) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KVKey.
func (*KVKey) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type KVPath ¶
// KVPath is a path in the KV secrets engine together with the keys expected
// under it.
type KVPath struct {
	// Path is the KV path; omitted from the CR when empty.
	Path string `json:"path,omitempty" yaml:"path,omitempty"`
	// Keys lists the keys under Path; omitted when empty.
	Keys []KVKey `json:"keys,omitempty" yaml:"keys,omitempty"`
}
KVPath is a path in the KV secrets engine.
func (*KVPath) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KVPath.
func (*KVPath) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PKIACL ¶
// PKIACL names a PKI secrets engine path and a role at that path.
type PKIACL struct {
	// Path is the PKI mount path; omitted from the CR when empty.
	Path string `json:"path,omitempty" yaml:"path,omitempty"`
	// RoleName is the PKI role name; omitted when empty.
	RoleName string `json:"roleName,omitempty" yaml:"roleName,omitempty"`
}
PKIACL is a path in the PKI secrets engine.
func (*PKIACL) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKIACL.
func (*PKIACL) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PKIConfig ¶
// PKIConfig is the configuration of a PKI mount: how its root and
// intermediate CAs are generated and the URL/CRL settings written to it.
type PKIConfig struct {
	// ExportPrivateKey (default false): when true the private key is returned
	// in the response; when false it is not returned and cannot be retrieved
	// later. Per Vault's documented behaviour an exported key therefore leaves
	// Vault in the API response — keep this false unless the key is needed
	// outside Vault.
	ExportPrivateKey bool `json:"exportPrivateKey,omitempty" yaml:"exportPrivateKey,omitempty"`
	// IntermediateOptions controls generation of the intermediate CA.
	IntermediateOptions IntermediateOptions `json:"intermediateOptions,omitempty" yaml:"intermediateOptions,omitempty"`
	// RootOptions controls generation of the root CA.
	RootOptions RootOptions `json:"rootOptions,omitempty" yaml:"rootOptions,omitempty"`
	// URLs is the mount's URL configuration; nil leaves it unset.
	URLs *VaultEndpointConfigURLs `json:"urls,omitempty" yaml:"urls,omitempty"`
	// CRL is the mount's CRL configuration; nil leaves it unset.
	CRL *VaultEndpointConfigCRL `json:"crl,omitempty" yaml:"crl,omitempty"`
}
PKIConfig is the pki mount configuration
func (*PKIConfig) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKIConfig.
func (*PKIConfig) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PKIRole ¶
// PKIRole is the Schema for the pkiroles API: a Kubernetes resource whose
// Spec describes a Vault PKI role and whose Status records what was observed.
type PKIRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state of the role.
	Spec PKIRoleSpec `json:"spec,omitempty"`
	// Status is the observed state of the role.
	Status PKIRoleStatus `json:"status,omitempty"`
}
PKIRole is the Schema for the pkiroles API
func (*PKIRole) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKIRole.
func (*PKIRole) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PKIRole) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PKIRoleBackendConfig ¶
// PKIRoleBackendConfig configures a Vault PKI role. The allowed_domains,
// allow_subdomains, allow_glob_domains and allow_any_name attributes are
// additive, so between them — and across several roles — nearly any issuing
// policy can be expressed; server_flag, client_flag and code_signing_flag are
// additive as well. A request for a certificate that the role's CN policy
// does not allow is denied.
//
// Tag conventions: json/yaml name the CR field, vault names the Vault API
// parameter. The fields whose Vault default is true (AllowIPSANs,
// AllowLocalhost, ClientFlag, EnforceHostnames, RequireCN, ServerFlag,
// UseCSRCommonName, UseCSRSANs) and the KeyUsage list are tagged without
// omitempty — presumably so that an explicit false/empty value reaches Vault
// instead of being dropped; confirm against the serializer the controller
// uses. AllowSubdomains has omitempty on json/yaml but not on its vault tag,
// which looks unintentional.
type PKIRoleBackendConfig struct {
	// --- Distinguished Name ---

	// CommonName (common_name, string, required): the requested CN. It is
	// issued only if the role policy allows it.
	CommonName string `json:"commonName,omitempty" yaml:"commonName,omitempty" vault:"common_name,omitempty"`
	// Country (country): C values in the subject of issued certificates.
	// Vault accepts a comma-separated string or a JSON array.
	Country []string `json:"country,omitempty" yaml:"country,omitempty" vault:"country,omitempty"`
	// Locality (locality): L values in the subject of issued certificates.
	Locality []string `json:"locality,omitempty" yaml:"locality,omitempty" vault:"locality,omitempty"`
	// Organization (organization): O values in the subject of issued certificates.
	Organization []string `json:"organization,omitempty" yaml:"organization,omitempty" vault:"organization,omitempty"`
	// OU (ou): OU (OrganizationalUnit) values in the subject of issued certificates.
	OU []string `json:"ou,omitempty" yaml:"ou,omitempty" vault:"ou,omitempty"`
	// PostalCode (postal_code): Postal Code values in the subject of issued certificates.
	PostalCode []string `json:"postalCode,omitempty" yaml:"postalCode,omitempty" vault:"postal_code,omitempty"`
	// Province (province): ST (Province) values in the subject of issued certificates.
	Province []string `json:"province,omitempty" yaml:"province,omitempty" vault:"province,omitempty"`
	// SerialNumber (serial_number): the subject Serial Number, if any;
	// otherwise Vault generates a random serial. For more than one, use the
	// alt_names map with OID 2.5.4.5.
	SerialNumber string `json:"serialNumber,omitempty" yaml:"serialNumber,omitempty" vault:"serial_number,omitempty"`
	// StreetAddress (street_address): Street Address values in the subject of
	// issued certificates.
	StreetAddress []string `json:"streetAddress,omitempty" yaml:"streetAddress,omitempty" vault:"street_address,omitempty"`

	// --- Name constraints ---

	// AllowAnyName (allow_any_name, default false): lets clients request any
	// CN. Useful in some setups, but make sure it is appropriate for yours
	// before enabling it — it removes the CN policy entirely.
	AllowAnyName bool `json:"allowAnyName,omitempty" yaml:"allowAnyName,omitempty" vault:"allow_any_name,omitempty"`
	// AllowBareDomains (allow_bare_domains, default false): lets clients
	// request certificates for the configured domains themselves, e.g. a
	// certificate whose DNS name is exactly the allowed_domains entry
	// example.com. In some scenarios this is a security risk.
	AllowBareDomains bool `json:"allowBareDomains,omitempty" yaml:"allowBareDomains,omitempty" vault:"allow_bare_domains,omitempty"`
	// AllowGlobDomains (allow_glob_domains, default false): lets
	// allowed_domains entries contain glob patterns (e.g. ftp*.example.com);
	// clients may then request names matching those patterns.
	AllowGlobDomains bool `json:"allowGlobDomains,omitempty" yaml:"allowGlobDomains,omitempty" vault:"allow_glob_domains,omitempty"`
	// AllowIPSANs (allow_ip_sans, default true): lets clients request IP
	// Subject Alternative Names. Vault only checks that the values are valid
	// IP addresses — no further authorization is applied.
	AllowIPSANs bool `json:"allowIPSANs" yaml:"allowIPSANs" vault:"allow_ip_sans"`
	// AllowLocalhost (allow_localhost, default true): lets clients request
	// certificates for localhost as one of the common names. Useful for
	// testing and for clients on a single host talking securely.
	AllowLocalhost bool `json:"allowLocalhost" yaml:"allowLocalhost" vault:"allow_localhost"`
	// AllowSubdomains (allow_subdomains, default false): lets clients request
	// CNs that are subdomains (including wildcard subdomains) of the CNs the
	// other options allow; with allowed_domains example.com this permits
	// foo.example.com, bar.example.com and *.example.com. Redundant with
	// allow_any_name.
	AllowSubdomains bool `json:"allowSubdomains,omitempty" yaml:"allowSubdomains,omitempty" vault:"allow_subdomains"`
	// AllowedDomains (allowed_domains, default []): the role's domains, used
	// together with allow_bare_domains and allow_subdomains.
	AllowedDomains []string `json:"allowedDomains,omitempty" yaml:"allowedDomains,omitempty" vault:"allowed_domains,omitempty"`
	// AllowedOtherSANs (allowed_other_sans, default ""): allowed custom
	// OID/UTF8-string SANs, comma-delimited or a JSON string slice, each
	// element in OpenSSL form <oid>;<type>:<value> where the only valid type
	// is UTF8 or UTF-8. A value of * allows any value for that OID; a single
	// * allows any other_sans input.
	AllowedOtherSANs string `json:"allowedOtherSANs,omitempty" yaml:"allowedOtherSANs,omitempty" vault:"allowed_other_sans,omitempty"`
	// AllowedURISANs (allowed_uri_sans, default ""): allowed URI Subject
	// Alternative Names, comma-delimited or a JSON string slice; values may
	// contain glob patterns (e.g. spiffe://hostname/*). Vault only checks
	// that the values are valid URIs.
	AllowedURISANs []string `json:"allowedURISANs,omitempty" yaml:"allowedURISANs,omitempty" vault:"allowed_uri_sans,omitempty"`

	// --- Certificate flags and extensions ---

	// BasicConstraintesValidForNonCA (default false): mark Basic Constraints
	// valid when issuing non-CA certificates. The struct tag is elided by the
	// documentation renderer (see the note after the field); consult the
	// source file for the actual json/yaml/vault keys.
	BasicConstraintesValidForNonCA bool `` /* 148-byte string literal not displayed */
	// ClientFlag (client_flag, default true): flag certificates for client use.
	ClientFlag bool `json:"clientFlag" yaml:"clientFlag" vault:"client_flag"`
	// CodeSigningFlag (code_signing_flag, default false): flag certificates
	// for code-signing use.
	CodeSigningFlag bool `json:"codeSigningFlag,omitempty" yaml:"codeSigningFlag,omitempty" vault:"code_signing_flag,omitempty"`
	// DN is kept commented out because the YAML codec does not handle
	// anonymous (embedded) structs. A Distinguished Name identifies a
	// certificate's subject (the owner/requestor) and its issuer (the CA).
	// DN `json:"dn,omitempty,omitempty" yaml:"dn,omitempty,omitempty" vault:"dn,omitempty"`
	// EmailProtectionFlag (email_protection_flag, default false): flag
	// certificates for email-protection use.
	EmailProtectionFlag bool `json:"emailProtectionFlag,omitempty" yaml:"emailProtectionFlag,omitempty" vault:"email_protection_flag,omitempty"`
	// EnforceHostnames (enforce_hostnames, default true): only valid host
	// names are accepted for CNs, DNS SANs and the host part of email addresses.
	EnforceHostnames bool `json:"enforceHostnames" yaml:"enforceHostnames" vault:"enforce_hostnames"`
	// ExtKeyUsage (ext_key_usage, default []): allowed extended key usage
	// constraint on issued certificates. Values are the names from
	// https://golang.org/pkg/crypto/x509/#ExtKeyUsage with the ExtKeyUsage
	// prefix dropped, case-insensitive; an empty list means no constraint.
	ExtKeyUsage []string `json:"extKeyUsage,omitempty" yaml:"extKeyUsage,omitempty" vault:"ext_key_usage,omitempty"`
	// ExtKeyUsageOIDs (ext_key_usage_oids, default ""): extended key usage
	// OIDs, comma-separated or as a list.
	ExtKeyUsageOIDs []string `json:"extKeyUsageOIDs,omitempty" yaml:"extKeyUsageOIDs,omitempty" vault:"ext_key_usage_oids,omitempty"`
	// GenerateLease (generate_lease, default false): attach Vault leases to
	// certificates issued/signed against this role. Leased certificates can
	// be added to the CRL with `vault revoke <lease_id>` or via pki/revoke;
	// without leases, pki/revoke is the only way to revoke them.
	GenerateLease bool `json:"generateLease,omitempty" yaml:"generateLease,omitempty" vault:"generate_lease,omitempty"`
	// KeyBits (key_bits, default 2048): bit size of generated keys. Must be
	// changed for EC keys, e.g. 224 or 521.
	KeyBits int `json:"keyBits,omitempty" yaml:"keyBits,omitempty" vault:"key_bits,omitempty"`
	// KeyType (key_type, default "rsa"): key type for generated private keys
	// and expected for submitted CSRs; rsa and ec are supported, and when
	// signing CSRs "any" accepts either type at any bit size (RSA keys must
	// be > 1024 bits).
	KeyType string `json:"keyType,omitempty" yaml:"keyType,omitempty" vault:"key_type,omitempty"`
	// KeyUsage (key_usage, default ["DigitalSignature", "KeyAgreement",
	// "KeyEncipherment"]): allowed key usage constraint on issued
	// certificates. Values are the names from
	// https://golang.org/pkg/crypto/x509/#KeyUsage with the KeyUsage prefix
	// dropped, case-insensitive; an empty list means no constraint. No
	// omitempty, so a nil list is serialized as well — confirm how the
	// controller encodes it.
	KeyUsage []string `json:"keyUsage" yaml:"keyUsage" vault:"key_usage"`

	// --- Lifetime and storage ---

	// MaxTTL (max_ttl, default 0): maximum Time To Live as an integer number
	// of seconds; defaults to the system maximum lease TTL when unset.
	MaxTTL int64 `json:"maxTTL,omitempty" yaml:"maxTTL,omitempty" vault:"max_ttl,omitempty"`
	// NoStore (no_store, default false): do not store certificates issued/
	// signed against this role. Faster for large volumes, but such
	// certificates cannot be enumerated or revoked, so this suits only
	// non-sensitive or very short-lived certificates. Implies generate_lease
	// false.
	NoStore bool `json:"noStore,omitempty" yaml:"noStore,omitempty" vault:"no_store,omitempty"`
	// NotBeforeDuration (not_before_duration, default 30): seconds by which
	// the NotBefore property is backdated.
	NotBeforeDuration int `json:"notBeforeDuration,omitempty" yaml:"notBeforeDuration,omitempty" vault:"not_before_duration,omitempty"`
	// PolicyIdentifiers (policy_identifiers, default []): policy OIDs,
	// comma-separated or as a list.
	PolicyIdentifiers []string `json:"policyIdentifiers,omitempty" yaml:"policyIdentifiers,omitempty" vault:"policy_identifiers,omitempty"`
	// RequireCN (require_cn, default true): when false, common_name becomes
	// optional when generating a certificate.
	RequireCN bool `json:"requireCN" yaml:"requireCN" vault:"require_cn"`
	// TTL (ttl, default 0): Time To Live as an integer number of seconds;
	// when unset the system default or max_ttl applies, whichever is shorter.
	TTL int64 `json:"ttl,omitempty" yaml:"ttl,omitempty" vault:"ttl,omitempty"`
	// ServerFlag (server_flag, default true): flag certificates for server use.
	ServerFlag bool `json:"serverFlag" yaml:"serverFlag" vault:"server_flag"`
	// UseCSRCommonName (use_csr_common_name, default true): with the CSR
	// signing endpoint, take the common name from the CSR instead of the JSON
	// data. Does not cover SANs in the CSR; see use_csr_sans.
	UseCSRCommonName bool `json:"UseCSRCommonName" yaml:"UseCSRCommonName" vault:"use_csr_common_name"`
	// UseCSRSANs (use_csr_sans, default true): with the CSR signing endpoint,
	// take the subject alternative names from the CSR instead of the JSON
	// data. Does not cover the common name; see use_csr_common_name.
	UseCSRSANs bool `json:"UseCSRSANs" yaml:"UseCSRSANs" vault:"use_csr_sans"`
}
PKIRoleBackendConfig configures the role definition. Note that the allowed_domains, allow_subdomains, allow_glob_domains, and allow_any_name attributes are additive; between them, and across multiple roles, nearly any issuing policy can be accommodated. server_flag, client_flag, and code_signing_flag are additive as well. If a client requests a certificate that is not allowed by the CN policy in the role, the request is denied.
func (*PKIRoleBackendConfig) DeepCopy ¶
func (in *PKIRoleBackendConfig) DeepCopy() *PKIRoleBackendConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKIRoleBackendConfig.
func (*PKIRoleBackendConfig) DeepCopyInto ¶
func (in *PKIRoleBackendConfig) DeepCopyInto(out *PKIRoleBackendConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PKIRoleList ¶
// PKIRoleList contains a list of PKIRole.
type PKIRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the PKIRole objects in this list, each with its full Spec.
	Items []PKIRole `json:"items"`
}
PKIRoleList contains a list of PKIRole
func (*PKIRoleList) DeepCopy ¶
func (in *PKIRoleList) DeepCopy() *PKIRoleList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKIRoleList.
func (*PKIRoleList) DeepCopyInto ¶
func (in *PKIRoleList) DeepCopyInto(out *PKIRoleList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PKIRoleList) DeepCopyObject ¶
func (in *PKIRoleList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PKIRoleSpec ¶
// PKIRoleSpec defines the desired state of PKIRole: where the role lives in
// Vault (namespace, issuer mount, role name) and the role definition itself.
type PKIRoleSpec struct {
	// IssuerPath is the Vault path of the PKI mount the role belongs to;
	// NOTE(review): inferred from the name — confirm against the reconciler.
	IssuerPath string `json:"issuerPath" yaml:"issuerPath"`
	// RoleName (string: <required>) – Specifies the name of the role to create. This is part of the request URL.
	// Nothing here validates it; NOTE(review): confirm the reconciler rejects path
	// separators and ".." before using it as a URL segment.
	RoleName string `json:"roleName" yaml:"roleName"`
	// VaultNamespace is the Vault namespace the role is managed in.
	VaultNamespace string `json:"vaultNamespace" yaml:"vaultNamespace"`
	// Config is the role definition submitted to Vault (see PKIRoleBackendConfig).
	Config PKIRoleBackendConfig `json:"config" yaml:"config"`
}
PKIRoleSpec defines the desired state of PKIRole
func (*PKIRoleSpec) DeepCopy ¶
func (in *PKIRoleSpec) DeepCopy() *PKIRoleSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKIRoleSpec.
func (*PKIRoleSpec) DeepCopyInto ¶
func (in *PKIRoleSpec) DeepCopyInto(out *PKIRoleSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PKIRoleStatus ¶
// PKIRoleStatus defines the observed state of PKIRole. It currently has no fields.
type PKIRoleStatus struct {
}
PKIRoleStatus defines the observed state of PKIRole
func (*PKIRoleStatus) DeepCopy ¶
func (in *PKIRoleStatus) DeepCopy() *PKIRoleStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKIRoleStatus.
func (*PKIRoleStatus) DeepCopyInto ¶
func (in *PKIRoleStatus) DeepCopyInto(out *PKIRoleStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyPath ¶
// PolicyPath defines one path stanza of a Vault ACL policy: the Vault path
// pattern and the capabilities granted on it.
type PolicyPath struct {
	// Name is the Vault path pattern. The hcl ",key" tag makes it the stanza's
	// label when the policy is handled as HCL (path "<name>" { ... }).
	Name string `json:"path,omitempty" yaml:"path,omitempty" hcl:",key"`
	// Capabilities lists the Vault ACL capabilities granted on Name
	// (e.g. read, list, sudo, deny). They are not validated here; NOTE(review):
	// confirm the policy reconciler rejects unknown values rather than
	// forwarding them to Vault.
	Capabilities []string `json:"capabilities,omitempty" yaml:"capabilities,omitempty" hcl:"capabilities"`
}
PolicyPath defines the vault path and acl
func (*PolicyPath) DeepCopy ¶
func (in *PolicyPath) DeepCopy() *PolicyPath
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyPath.
func (*PolicyPath) DeepCopyInto ¶
func (in *PolicyPath) DeepCopyInto(out *PolicyPath)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RootOptions ¶
// RootOptions wraps the generate options used for the root of a PKI mount;
// NOTE(review): inferred from the name and the sibling IntermediateOptions type — confirm.
type RootOptions struct {
	// GenerateOptions carries the subject and key parameters for the generate
	// call (see VaultGenerateOptions); nil means none are set.
	GenerateOptions *VaultGenerateOptions `json:"generateOptions,omitempty" yaml:"generateOptions,omitempty"`
}
func (*RootOptions) DeepCopy ¶
func (in *RootOptions) DeepCopy() *RootOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RootOptions.
func (*RootOptions) DeepCopyInto ¶
func (in *RootOptions) DeepCopyInto(out *RootOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SSHRole ¶
// SSHRole is the Schema for the sshroles API.
type SSHRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec is the desired state of the SSH role (see SSHRoleSpec).
	Spec SSHRoleSpec `json:"spec,omitempty"`
	// Status is the observed state (see SSHRoleStatus).
	Status SSHRoleStatus `json:"status,omitempty"`
}
SSHRole is the Schema for the sshroles API
func (*SSHRole) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSHRole.
func (*SSHRole) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SSHRole) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type SSHRoleList ¶
// SSHRoleList contains a list of SSHRole.
type SSHRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the SSHRole objects in this list.
	Items []SSHRole `json:"items"`
}
SSHRoleList contains a list of SSHRole
func (*SSHRoleList) DeepCopy ¶
func (in *SSHRoleList) DeepCopy() *SSHRoleList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSHRoleList.
func (*SSHRoleList) DeepCopyInto ¶
func (in *SSHRoleList) DeepCopyInto(out *SSHRoleList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SSHRoleList) DeepCopyObject ¶
func (in *SSHRoleList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type SSHRoleParameters ¶
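// SSHRoleParameters defines the parameters submitted to Vault when a role is
// created or updated in the SSH secrets engine. Each field comment follows the
// Vault API documentation for the parameter named in the field's vault tag, so
// the tag must match Vault's parameter name exactly; a mismatched key would not
// be recognised by Vault and the setting would never take effect.
//
// Every vault tag carries omitempty, so a zero value (false, 0, "") is
// presumably not sent rather than sent explicitly; NOTE(review): confirm how the
// reconciler consumes the vault tag, since that decides whether a permission
// that was previously enabled (e.g. allow_bare_domains) can be switched off
// again through this CR, and whether allowed_critical_options /
// allowed_extensions can be reset to "allow any".
type SSHRoleParameters struct {
	// Key (string: "") – Specifies the name of the registered key in Vault. Before creating the role, use the keys/ endpoint to create a named key. This is required for "Dynamic Key" type.
	Key string `json:"key" yaml:"key" vault:"key,omitempty"`
	// AdminUser admin_user (string: "") – Specifies the admin user at remote host. The shared key being registered should be for this user and should have root or sudo privileges. Every time a dynamic credential is generated for a client, Vault uses this admin username to login to remote host and install the generated credential. This is required for Dynamic Key type.
	AdminUser string `json:"adminUser" yaml:"adminUser" vault:"admin_user,omitempty"`
	// DefaultUser default_user (string: "") – Specifies the default username for which a credential is generated when the client does not name one. For the CA type, if you wish this to be a valid principal, it must also be in allowed_users.
	DefaultUser string `json:"defaultUser" yaml:"defaultUser" vault:"default_user,omitempty"`
	// CIDRList cidr_list (string: "") – Specifies a comma separated list of CIDR blocks for which the role is applicable for. It is possible that a same set of CIDR blocks are part of multiple roles. This is a required parameter, unless the role is registered under the /config/zeroaddress endpoint.
	CIDRList string `json:"cidrList" yaml:"cidrList" vault:"cidr_list,omitempty"`
	// ExcludeCIDRList exclude_cidr_list (string: "") – Specifies a comma-separated list of CIDR blocks. IP addresses belonging to these blocks are not accepted by the role. This is particularly useful when big CIDR blocks are being used by the role and certain parts need to be kept out.
	ExcludeCIDRList string `json:"excludeCIDRList" yaml:"excludeCIDRList" vault:"exclude_cidr_list,omitempty"`
	// Port port (int: 22) – Specifies the port number for SSH connection. Port number does not play any role in OTP generation. For the otp secrets engine type, this is just a way to inform the client about the port number to use. The port number will be returned to the client by Vault along with the OTP.
	Port int `json:"port" yaml:"port" vault:"port,omitempty"`
	// KeyType key_type (string: <required>) – Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
	KeyType string `json:"keyType" yaml:"keyType" vault:"key_type,omitempty"`
	// KeyBits key_bits (int: 1024) – Specifies the length of the RSA dynamic key in bits. This can be either 1024 or 2048. 1024-bit RSA is below current key-size guidance; prefer 2048.
	KeyBits int `json:"keyBits" yaml:"keyBits" vault:"key_bits,omitempty"`
	// InstallScript install_script (string: "") – Specifies the script used to install and uninstall public keys in the target machine. Defaults to the built-in script.
	// The vault tag is install_script (singular), matching the Vault parameter; it previously read install_scripts.
	InstallScript string `json:"installScript" yaml:"installScript" vault:"install_script,omitempty"`
	// AllowedUsers allowed_users (string: "") – If this option is not specified, or if it is *, the client can request a credential for any valid user at the remote host, including the admin user. If only certain usernames are to be allowed, then this list enforces it. If this field is set, then credentials can only be created for default_user and usernames present in this list. Setting this option will enable all the users with access this role to fetch credentials for all other usernames in this list. Use with caution. N.B.: if the type is ca, an empty list does not allow any user; instead you must use * to enable this behavior.
	AllowedUsers string `json:"allowedUsers" yaml:"allowedUsers" vault:"allowed_users,omitempty"`
	// AllowedUsersTemplate allowed_users_template (bool: false) - If set, allowed_users can be specified using identity template policies. Non-templated users are also permitted.
	AllowedUsersTemplate bool `json:"allowedUsersTemplate" yaml:"allowedUsersTemplate" vault:"allowed_users_template,omitempty"`
	// AllowedDomains allowed_domains (string: "") – The list of domains for which a client can request a host certificate. If this option is explicitly set to "*", then credentials can be created for any domain. See also allow_bare_domains and allow_subdomains.
	AllowedDomains string `json:"allowedDomains" yaml:"allowedDomains" vault:"allowed_domains,omitempty"`
	// KeyOptionSpecs key_option_specs (string: "") – Specifies a comma separated option specification which will be prefixed to RSA keys in the remote host's authorized_keys file. N.B.: Vault does not check this string for validity.
	KeyOptionSpecs string `json:"keyOptionSpecs" yaml:"keyOptionSpecs" vault:"key_option_specs,omitempty"`
	// TTL ttl (string: "") – Specifies the Time To Live value provided as a string duration with time suffix. Hour is the largest suffix. If not set, uses the system default value or the value of max_ttl, whichever is shorter.
	TTL string `json:"ttl" yaml:"ttl" vault:"ttl,omitempty"`
	// MaxTTL max_ttl (string: "") – Specifies the maximum Time To Live provided as a string duration with time suffix. Hour is the largest suffix. If not set, defaults to the system maximum lease TTL.
	MaxTTL string `json:"maxTTL" yaml:"maxTTL" vault:"max_ttl,omitempty"`
	// AllowedCriticalOptions allowed_critical_options (string: "") – Specifies a comma-separated list of critical options that certificates can have when signed. To allow any critical options, set this to an empty string. Will default to allowing any critical options.
	AllowedCriticalOptions string `json:"allowedCriticalOptions" yaml:"allowedCriticalOptions" vault:"allowed_critical_options,omitempty"`
	// AllowedExtensions allowed_extensions (string: "") – Specifies a comma-separated list of extensions that certificates can have when signed. To allow any extensions, set this to an empty string. Will default to allowing any extensions. For the list of extensions, take a look at the sshd manual's AUTHORIZED_KEYS FILE FORMAT section. You should add a permit- before the name of extension to allow it.
	AllowedExtensions string `json:"allowedExtensions" yaml:"allowedExtensions" vault:"allowed_extensions,omitempty"`
	// DefaultCriticalOptions default_critical_options (map<string|string>: "") – Specifies a map of critical options certificates should have if none are provided when signing. This field takes in key value pairs in JSON format. Note that these are not restricted by allowed_critical_options. Defaults to none.
	DefaultCriticalOptions map[string]string `json:"defaultCriticalOptions" yaml:"defaultCriticalOptions" vault:"default_critical_options,omitempty"`
	// DefaultExtensions default_extensions (map<string|string>: "") – Specifies a map of extensions certificates should have if none are provided when signing. This field takes in key value pairs in JSON format. Note that these are not restricted by allowed_extensions. Defaults to none.
	DefaultExtensions map[string]string `json:"defaultExtensions" yaml:"defaultExtensions" vault:"default_extensions,omitempty"`
	// AllowUserCertificates allow_user_certificates (bool: false) – Specifies if certificates are allowed to be signed for use as a 'user'.
	AllowUserCertificates bool `json:"allowUserCertificates" yaml:"allowUserCertificates" vault:"allow_user_certificates,omitempty"`
	// AllowHostCertificates allow_host_certificates (bool: false) – Specifies if certificates are allowed to be signed for use as a 'host'.
	AllowHostCertificates bool `json:"allowHostCertificates" yaml:"allowHostCertificates" vault:"allow_host_certificates,omitempty"`
	// AllowBareDomains allow_bare_domains (bool: false) – Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains, e.g. "example.com". This is a separate option as in some cases this can be considered a security threat.
	AllowBareDomains bool `json:"allowBareDomains" yaml:"allowBareDomains" vault:"allow_bare_domains,omitempty"`
	// AllowSubdomains allow_subdomains (bool: false) – Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains, e.g. if "example.com" is part of allowed_domains, this allows "foo.example.com".
	AllowSubdomains bool `json:"allowSubdomains" yaml:"allowSubdomains" vault:"allow_subdomains,omitempty"`
	// TokenDisplayName allow_user_key_ids (bool: false) – Specifies if users can override the key ID for a signed certificate with the "key_id" field. When false, the key ID will always be the token display name. The key ID is logged by the SSH server and can be useful for auditing, so allowing overrides weakens the link between a certificate and the requesting token.
	// The vault tag is allow_user_key_ids, matching the Vault parameter described above; it previously read tokenDisplayName, which is not a Vault parameter. The Go field and json/yaml names are kept for compatibility.
	TokenDisplayName bool `json:"tokenDisplayName" yaml:"tokenDisplayName" vault:"allow_user_key_ids,omitempty"`
	// KeyIDFormat key_id_format (string: "") – When supplied, this value specifies a custom format for the key id of a signed certificate. The following variables are available for use: '{{token_display_name}}' - The display name of the token used to make the request. '{{role_name}}' - The name of the role signing the request. '{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed. e.g. "custom-keyid-{{token_display_name}}"
	KeyIDFormat string `json:"keyIDFormat" yaml:"keyIDFormat" vault:"key_id_format,omitempty"`
	// AllowedUserKey allowed_user_key_lengths (map<string|int>: "") – Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.
	// The vault tag is allowed_user_key_lengths, matching the Vault parameter; it previously read allowed_user_key. The Go field and json/yaml names are kept for compatibility.
	AllowedUserKey map[string]int `json:"allowedUserKey" yaml:"allowedUserKey" vault:"allowed_user_key_lengths,omitempty"`
	// AlgorithmSigner algorithm_signer (string: "ssh-rsa") - Algorithm to sign keys with. Valid values are ssh-rsa, rsa-sha2-256, and rsa-sha2-512. Note that ssh-rsa is now considered insecure and is not supported by current OpenSSH versions. Defaults to ssh-rsa for backwards compatibility.
	AlgorithmSigner string `json:"algorithmSigner" yaml:"algorithmSigner" vault:"algorithm_signer,omitempty"`
}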
SSHRoleParameters defines the parameters to submit.
func (*SSHRoleParameters) DeepCopy ¶
func (in *SSHRoleParameters) DeepCopy() *SSHRoleParameters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSHRoleParameters.
func (*SSHRoleParameters) DeepCopyInto ¶
func (in *SSHRoleParameters) DeepCopyInto(out *SSHRoleParameters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SSHRoleSpec ¶
// SSHRoleSpec defines the desired state of SSHRole: where the role lives in
// Vault (namespace, signer mount, role name) and the parameters submitted for it.
type SSHRoleSpec struct {
	// SignerPath is the Vault path of the SSH secrets engine mount the role
	// belongs to; NOTE(review): inferred from the name — confirm against the reconciler.
	SignerPath string `json:"signerPath" yaml:"signerPath"`
	// RoleName is the name of the role in Vault. Nothing here validates it;
	// NOTE(review): confirm the reconciler rejects path separators before
	// using it in a request path.
	RoleName string `json:"roleName" yaml:"roleName"`
	// VaultNamespace is the Vault namespace the role is managed in.
	VaultNamespace string `json:"vaultNamespace" yaml:"vaultNamespace"`
	// Parameters is the role definition submitted to Vault (see SSHRoleParameters).
	Parameters SSHRoleParameters `json:"parameters" yaml:"parameters"`
}
SSHRoleSpec defines the desired state of SSHRole
func (*SSHRoleSpec) DeepCopy ¶
func (in *SSHRoleSpec) DeepCopy() *SSHRoleSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSHRoleSpec.
func (*SSHRoleSpec) DeepCopyInto ¶
func (in *SSHRoleSpec) DeepCopyInto(out *SSHRoleSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SSHRoleStatus ¶
// SSHRoleStatus defines the observed state of SSHRole. It currently has no fields.
type SSHRoleStatus struct {
}
SSHRoleStatus defines the observed state of SSHRole
func (*SSHRoleStatus) DeepCopy ¶
func (in *SSHRoleStatus) DeepCopy() *SSHRoleStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSHRoleStatus.
func (*SSHRoleStatus) DeepCopyInto ¶
func (in *SSHRoleStatus) DeepCopyInto(out *SSHRoleStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SecretMeta ¶
// SecretMeta is the Schema for the secretmeta API: it documents a secret that
// lives in Vault (owner, purpose, location) without holding the secret itself.
type SecretMeta struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec is the desired state (see SecretMetaSpec).
	Spec SecretMetaSpec `json:"spec,omitempty"`
	// Status is the observed state (see SecretMetaStatus).
	Status SecretMetaStatus `json:"status,omitempty"`
}
SecretMeta is the Schema for the secretmeta API
func (*SecretMeta) DeepCopy ¶
func (in *SecretMeta) DeepCopy() *SecretMeta
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretMeta.
func (*SecretMeta) DeepCopyInto ¶
func (in *SecretMeta) DeepCopyInto(out *SecretMeta)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SecretMeta) DeepCopyObject ¶
func (in *SecretMeta) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type SecretMetaList ¶
// SecretMetaList contains a list of SecretMeta.
type SecretMetaList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the SecretMeta objects in this list.
	Items []SecretMeta `json:"items"`
}
SecretMetaList contains a list of SecretMeta
func (*SecretMetaList) DeepCopy ¶
func (in *SecretMetaList) DeepCopy() *SecretMetaList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretMetaList.
func (*SecretMetaList) DeepCopyInto ¶
func (in *SecretMetaList) DeepCopyInto(out *SecretMetaList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SecretMetaList) DeepCopyObject ¶
func (in *SecretMetaList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type SecretMetaSpec ¶
// SecretMetaSpec defines the desired state of SecretMeta. All fields are
// human-maintained documentation about a secret; none of them carries secret
// material, and nothing here validates the relations between them.
type SecretMetaSpec struct {
	// Deletable means that it is ok to remove any secrets and afterwards to remove the documentation. Inactive should be true for clarity.
	// The schema does not enforce that relation; NOTE(review): confirm the reconciler refuses to act on Deletable while Inactive is false.
	Deletable bool `json:"deletable" yaml:"deletable"`
	// DocURL location of external documentation
	DocURL string `json:"docURL" yaml:"docURL"`
	// Inactive means that secrets can be deleted from vault without breaking anything.
	Inactive bool `json:"inactive" yaml:"inactive"`
	// KVPath describes the kv path in vault minus the taxonomy
	KVPath KVPath `json:"kvPath,omitempty" yaml:"kvPath,omitempty"`
	// OwnerName is the Team owner name of this secret
	OwnerName string `json:"ownerName" yaml:"ownerName"`
	// Notes is a free-text notes field
	Notes string `json:"notes" yaml:"notes"`
	// PKIACL holds the role and path of the endpoint
	PKIACL PKIACL `json:"pkiACL,omitempty" yaml:"pkiACL,omitempty"`
	// Purpose is the reason the secret exists; a text field for reports
	Purpose string `json:"purpose" yaml:"purpose"`
	// Type is a SecretTypeEnum value (see the SecretType* constants). It is
	// declared as a plain string, so unknown values are not rejected by the type.
	Type string `json:"type,omitempty" yaml:"type,omitempty"`
}
SecretMetaSpec defines the desired state of SecretMeta
func (*SecretMetaSpec) DeepCopy ¶
func (in *SecretMetaSpec) DeepCopy() *SecretMetaSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretMetaSpec.
func (*SecretMetaSpec) DeepCopyInto ¶
func (in *SecretMetaSpec) DeepCopyInto(out *SecretMetaSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SecretMetaStatus ¶
// SecretMetaStatus defines the observed state of SecretMeta. It currently has no fields.
type SecretMetaStatus struct {
}
SecretMetaStatus defines the observed state of SecretMeta
func (*SecretMetaStatus) DeepCopy ¶
func (in *SecretMetaStatus) DeepCopy() *SecretMetaStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretMetaStatus.
func (*SecretMetaStatus) DeepCopyInto ¶
func (in *SecretMetaStatus) DeepCopyInto(out *SecretMetaStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SecretTypeEnum ¶
// SecretTypeEnum names the kind of Vault secret a SecretMeta describes
// (see the SecretType* constants). SecretMetaSpec.Type is declared as a plain
// string, so values are not checked against this set at the type level.
type SecretTypeEnum string
// Known SecretTypeEnum values.
const (
	// SecretTypeNone is the zero value: no type has been set.
	SecretTypeNone SecretTypeEnum = ""
	// SecretTypeKVV2 marks a secret held in a KV version 2 secrets engine.
	SecretTypeKVV2 SecretTypeEnum = "kv-v2"
	// SecretTypePKI marks a secret issued by a PKI secrets engine.
	SecretTypePKI SecretTypeEnum = "pki"
)
type VaultAuth ¶
// VaultAuth is the Schema for the vaultauths API.
type VaultAuth struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec is the desired state of the auth mount (see VaultAuthSpec).
	Spec VaultAuthSpec `json:"spec,omitempty"`
	// Status is the observed state (see VaultAuthStatus).
	Status VaultAuthStatus `json:"status,omitempty"`
}
VaultAuth is the Schema for the vaultauths API
func (*VaultAuth) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.
func (*VaultAuth) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultAuth) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VaultAuthList ¶
// VaultAuthList contains a list of VaultAuth.
type VaultAuthList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the VaultAuth objects in this list.
	Items []VaultAuth `json:"items"`
}
VaultAuthList contains a list of VaultAuth
func (*VaultAuthList) DeepCopy ¶
func (in *VaultAuthList) DeepCopy() *VaultAuthList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthList.
func (*VaultAuthList) DeepCopyInto ¶
func (in *VaultAuthList) DeepCopyInto(out *VaultAuthList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultAuthList) DeepCopyObject ¶
func (in *VaultAuthList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VaultAuthSpec ¶
// VaultAuthSpec is the desired state of an auth method mount in Vault.
// Enabling an auth method is a trust decision for the whole namespace, so the
// fields below should be treated as privileged configuration.
type VaultAuthSpec struct {
	// Data is the auth mount definition sent to Vault (see AuthData);
	// NOTE(review): its exact shape is defined elsewhere in this package — confirm.
	Data AuthData `json:"data,omitempty" yaml:"data,omitempty"`
	// VaultNamespace is the Vault namespace the auth method is enabled in.
	VaultNamespace string `json:"vaultNamespace,omitempty" yaml:"vaultNamespace,omitempty"`
	// Path is the mount path under sys/auth at which the method is enabled.
	Path string `json:"path,omitempty" yaml:"path,omitempty"`
	// JWTConfig holds the JWT auth method configuration (see JWTAuthConfig);
	// presumably only used when the mount is of the jwt type — verify against the reconciler.
	JWTConfig JWTAuthConfig `json:"jwtConfig,omitempty" yaml:"jwtConfig,omitempty"`
}
VaultAuthSpec is the spec for an auth mount, e.g. '{"type":"approle","description":"","config":{"options":null,"default_lease_ttl":"0s","max_lease_ttl":"0s","force_no_cache":false},"local":false,"seal_wrap":false,"options":null}' written to http://127.0.0.1:8200/v1/sys/auth/foo
func (*VaultAuthSpec) DeepCopy ¶
func (in *VaultAuthSpec) DeepCopy() *VaultAuthSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthSpec.
func (*VaultAuthSpec) DeepCopyInto ¶
func (in *VaultAuthSpec) DeepCopyInto(out *VaultAuthSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultAuthStatus ¶
// VaultAuthStatus defines the observed state of VaultAuth. It currently has no fields.
type VaultAuthStatus struct {
}
VaultAuthStatus defines the observed state of VaultAuth
func (*VaultAuthStatus) DeepCopy ¶
func (in *VaultAuthStatus) DeepCopy() *VaultAuthStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthStatus.
func (*VaultAuthStatus) DeepCopyInto ¶
func (in *VaultAuthStatus) DeepCopyInto(out *VaultAuthStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultEndpoint ¶
// VaultEndpoint is the Schema for the vaultendpoints API.
type VaultEndpoint struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec is the desired state of the secrets engine mount (see VaultEndpointSpec).
	Spec VaultEndpointSpec `json:"spec,omitempty"`
	// Status is the observed state (see VaultEndpointStatus).
	Status VaultEndpointStatus `json:"status,omitempty"`
}
VaultEndpoint is the Schema for the vaultendpoints API
func (*VaultEndpoint) DeepCopy ¶
func (in *VaultEndpoint) DeepCopy() *VaultEndpoint
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultEndpoint.
func (*VaultEndpoint) DeepCopyInto ¶
func (in *VaultEndpoint) DeepCopyInto(out *VaultEndpoint)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultEndpoint) DeepCopyObject ¶
func (in *VaultEndpoint) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VaultEndpointConfigCRL ¶
// VaultEndpointConfigCRL configures CRL generation for a PKI mount.
// https://www.vaultproject.io/api/secret/pki#set-crl-configuration
type VaultEndpointConfigCRL struct {
	// Expiry (string: "72h") – Specifies the time until expiration.
	Expiry string `json:"expiry" yaml:"expiry" vault:"expiry"`
	// Disable (bool: false) – Disables or enables CRL building.
	// The Vault parameter is a bool but this field is a string, so the value is
	// presumably forwarded as text; nothing here validates it. Disabling the CRL
	// stops revocations from being published, so treat any non-empty value as a
	// security-relevant change. NOTE(review): the tag has no omitempty — confirm
	// what the reconciler sends when the field is left empty.
	Disable string `json:"disable" yaml:"disable" vault:"disable"`
}
VaultEndpointConfigCRL specifies the duration for which the generated CRL is marked valid. If the CRL is disabled, Vault returns a signed but zero-length CRL for any request; if enabled, it rebuilds the CRL. https://www.vaultproject.io/api/secret/pki#set-crl-configuration
func (*VaultEndpointConfigCRL) DeepCopy ¶
func (in *VaultEndpointConfigCRL) DeepCopy() *VaultEndpointConfigCRL
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultEndpointConfigCRL.
func (*VaultEndpointConfigCRL) DeepCopyInto ¶
func (in *VaultEndpointConfigCRL) DeepCopyInto(out *VaultEndpointConfigCRL)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultEndpointConfigURLs ¶
// VaultEndpointConfigURLs sets the AIA/CDP URLs encoded into every certificate
// the mount issues. Relying parties follow these URLs to fetch the issuer and
// CRL, so a wrong value affects validation of all issued certificates; nothing
// here validates them.
// https://www.vaultproject.io/api/secret/pki#set-urls
type VaultEndpointConfigURLs struct {
	// IssuingCertificates (array<string>: nil) – Specifies the URL values for the Issuing Certificate field.
	// This can be an array or a comma-separated string list.
	IssuingCertificates []string `json:"issuingCertificates" yaml:"issuingCertificates" vault:"issuing_certificates"`
	// CRLDistributionPoints (array<string>: nil) – Specifies the URL values for the CRL Distribution Points
	// field. This can be an array or a comma-separated string list.
	CRLDistributionPoints []string `json:"crlDistributionPoints" yaml:"crlDistributionPoints" vault:"crl_distribution_points"`
	// OSCPServers (array<string>: nil) – Specifies the URL values for the OCSP Servers field. This can be an
	// array or a comma-separated string list. (The Go field name misspells OCSP; the
	// json and vault tags are correct, and the name is kept for compatibility.)
	OSCPServers []string `json:"ocspServers" yaml:"ocspServers" vault:"ocsp_servers"`
}
VaultEndpointConfigURLs allows setting the issuing certificate endpoints, CRL distribution points, and OCSP server endpoints that will be encoded into issued certificates. https://www.vaultproject.io/api/secret/pki#set-urls
func (*VaultEndpointConfigURLs) DeepCopy ¶
func (in *VaultEndpointConfigURLs) DeepCopy() *VaultEndpointConfigURLs
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultEndpointConfigURLs.
func (*VaultEndpointConfigURLs) DeepCopyInto ¶
func (in *VaultEndpointConfigURLs) DeepCopyInto(out *VaultEndpointConfigURLs)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultEndpointList ¶
// VaultEndpointList contains a list of VaultEndpoint.
type VaultEndpointList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the VaultEndpoint objects in this list.
	Items []VaultEndpoint `json:"items"`
}
VaultEndpointList contains a list of VaultEndpoint
func (*VaultEndpointList) DeepCopy ¶
func (in *VaultEndpointList) DeepCopy() *VaultEndpointList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultEndpointList.
func (*VaultEndpointList) DeepCopyInto ¶
func (in *VaultEndpointList) DeepCopyInto(out *VaultEndpointList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultEndpointList) DeepCopyObject ¶
func (in *VaultEndpointList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VaultEndpointSpec ¶
// VaultEndpointSpec defines the desired state of VaultEndpoint: a secrets
// engine mount, its tuning, and (for PKI mounts) the PKI configuration.
type VaultEndpointSpec struct {
	// VaultNamespace is the Vault namespace the mount is managed in.
	VaultNamespace string `json:"vaultNamespace,omitempty" yaml:"vaultNamespace,omitempty"`
	// Path is the mount path of the secrets engine; it is always serialized.
	Path string `json:"path" yaml:"path"`
	// AllowedRoles is commented out and currently unused.
	//AllowedRoles []string `json:"allowedRoles" yaml:"allowedRoles"`
	// MountOptions are the options used when enabling the mount (see VaultMountOptions).
	MountOptions VaultMountOptions `json:"mountOptions,omitempty" yaml:"mountOptions,omitempty"`
	// TuneOptions are the tune settings applied to the mount (see VaultMountTuneOptions).
	TuneOptions VaultMountTuneOptions `json:"tuneOptions,omitempty" yaml:"tuneOptions,omitempty"`
	// PKIConfig carries PKI-specific configuration (see PKIConfig);
	// presumably ignored for non-PKI mounts — verify against the reconciler.
	PKIConfig PKIConfig `json:"pkiConfig,omitempty" yaml:"pkiConfig,omitempty"`
}
VaultEndpointSpec defines the desired state of VaultEndpoint
func (*VaultEndpointSpec) DeepCopy ¶
func (in *VaultEndpointSpec) DeepCopy() *VaultEndpointSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultEndpointSpec.
func (*VaultEndpointSpec) DeepCopyInto ¶
func (in *VaultEndpointSpec) DeepCopyInto(out *VaultEndpointSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultEndpointStatus ¶
// VaultEndpointStatus defines the observed state of VaultEndpoint. It currently has no fields.
type VaultEndpointStatus struct {
}
VaultEndpointStatus defines the observed state of VaultEndpoint
func (*VaultEndpointStatus) DeepCopy ¶
func (in *VaultEndpointStatus) DeepCopy() *VaultEndpointStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultEndpointStatus.
func (*VaultEndpointStatus) DeepCopyInto ¶
func (in *VaultEndpointStatus) DeepCopyInto(out *VaultEndpointStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultGenerateOptions ¶
// VaultGenerateOptions holds the parameters sent to the PKI secrets engine
// when a certificate or CSR is generated
// (https://www.vaultproject.io/api/secret/pki#generate-intermediate).
//
// Every field carries a vault tag naming the API parameter, and every tag is
// omitempty, so unset fields are not sent and Vault's own defaults apply.
// The per-field descriptions below are taken from the Vault API reference.
type VaultGenerateOptions struct {
	// DN `json:"dn,omitempty" yaml:"dn,omitempty" vault:"dn,omitempty"` // start Distinguished Name ***
	// (A single DN field was left commented out in the original; the
	// individual subject components follow instead.)

	// CommonName (string: <required>) – Specifies the requested CN for the
	// certificate. If the CN is allowed by role policy, it will be issued.
	// NOTE(review): the parameter is documented as required but the tag is
	// omitempty, so an empty CommonName is silently not sent.
	CommonName string `json:"commonName,omitempty" yaml:"commonName,omitempty" vault:"common_name,omitempty"`

	// Country (string: "") – Specifies the C (Country) values in the subject
	// field of issued certificates. This is a comma-separated string or JSON
	// array; the Go type is a slice, so it is serialised as a JSON array.
	Country []string `json:"country,omitempty" yaml:"country,omitempty" vault:"country,omitempty"`

	// Locality (string: "") – Specifies the L (Locality) values in the subject
	// field of issued certificates. This is a comma-separated string or JSON
	// array.
	Locality []string `json:"locality,omitempty" yaml:"locality,omitempty" vault:"locality,omitempty"`

	// Organization (string: "") – Specifies the O (Organization) values in the
	// subject field of issued certificates. This is a comma-separated string
	// or JSON array.
	Organization []string `json:"organization,omitempty" yaml:"organization,omitempty" vault:"organization,omitempty"`

	// OU (string: "") – Specifies the OU (OrganizationalUnit) values in the
	// subject field of issued certificates. This is a comma-separated string
	// or JSON array.
	OU []string `json:"ou,omitempty" yaml:"ou,omitempty" vault:"ou,omitempty"`

	// PostalCode (string: "") – Specifies the Postal Code values in the
	// subject field of issued certificates. This is a comma-separated string
	// or JSON array.
	PostalCode []string `json:"postalCode,omitempty" yaml:"postalCode,omitempty" vault:"postal_code,omitempty"`

	// Province (string: "") – Specifies the ST (Province) values in the
	// subject field of issued certificates. This is a comma-separated string
	// or JSON array.
	Province []string `json:"province,omitempty" yaml:"province,omitempty" vault:"province,omitempty"`

	// SerialNumber (string: "") – Specifies the Serial Number, if any.
	// Otherwise Vault will generate a random serial for you. If you want more
	// than one, specify alternative names in the alt_names map using OID
	// 2.5.4.5.
	SerialNumber string `json:"serialNumber,omitempty" yaml:"serialNumber,omitempty" vault:"serial_number,omitempty"`

	// StreetAddress (string: "") – Specifies the Street Address values in the
	// subject field of issued certificates. This is a comma-separated string
	// or JSON array.
	StreetAddress []string `json:"streetAddress,omitempty" yaml:"streetAddress,omitempty" vault:"street_address,omitempty"`

	// AddBasicConstraints (bool) – Whether to add a Basic Constraints
	// extension with CA: true. Only needed as a workaround in some
	// compatibility scenarios with Active Directory Certificate Services.
	AddBasicConstraints bool `json:"addBasicConstraints,omitempty" yaml:"addBasicConstraints,omitempty" vault:"add_basic_constraints,omitempty"`

	// AltNames (string: "") – Specifies requested Subject Alternative Names,
	// in a comma-delimited list. These can be host names or email addresses;
	// they will be parsed into their respective fields. If any requested
	// names do not match role policy, the entire request will be denied.
	AltNames string `json:"altNames,omitempty" yaml:"altNames,omitempty" vault:"alt_names,omitempty"`

	// ExcludeCNFromSANs (bool: false) – If true, the given common_name will
	// not be included in DNS or Email Subject Alternate Names (as
	// appropriate). Useful if the CN is not a hostname or email address, but
	// is instead some human-readable identifier.
	ExcludeCNFromSANs bool `json:"excludeCNFromSANs,omitempty" yaml:"excludeCNFromSANs,omitempty" vault:"exclude_cn_from_sans,omitempty"`

	// Format (string: "pem") – Specifies the format for returned data. This
	// can be pem, der, or pem_bundle; defaults to pem. If der, the output is
	// base64 encoded. If pem_bundle, the csr field will contain the private
	// key (if exported) and CSR, concatenated.
	Format string `json:"format,omitempty" yaml:"format,omitempty" vault:"format,omitempty"`

	// IPSans (string: "") – Specifies requested IP Subject Alternative Names,
	// in a comma-delimited list. Only valid if the role allows IP SANs (which
	// is the default).
	IPSans string `json:"ipSans,omitempty" yaml:"ipSans,omitempty" vault:"ip_sans,omitempty"`

	// KeyBits (int: 2048) – Specifies the number of bits to use. This must be
	// changed to a valid value if the key_type is ec, e.g., 224 or 521.
	// NOTE(review): the API parameter is an int but the field is a string;
	// confirm the marshaller converts it, otherwise Vault may reject it.
	KeyBits string `json:"keyBits,omitempty" yaml:"keyBits,omitempty" vault:"key_bits,omitempty"`

	// KeyType (string: "rsa") – Specifies the desired key type; must be rsa
	// or ec.
	KeyType string `json:"keyType,omitempty" yaml:"keyType,omitempty" vault:"key_type,omitempty"`

	// MaxTTL (max_ttl, int64: 0) – Time To Live value provided as seconds.
	// NOTE(review): the original comment for this field duplicated the TTL
	// description ("uses the system default value or the value of max_ttl,
	// whichever is shorter"), which cannot be right for max_ttl itself;
	// confirm the intended semantics against the PKI API before relying on it.
	MaxTTL int64 `json:"maxTTL,omitempty" yaml:"maxTTL,omitempty" vault:"max_ttl,omitempty"`

	// OtherSans (string: "") – Specifies custom OID/UTF8-string SANs. These
	// must match values specified on the role in allowed_other_sans (see role
	// creation for allowed_other_sans globbing rules). The format is the same
	// as OpenSSL: <oid>;<type>:<value> where the only current valid type is
	// UTF8. This can be a comma-delimited list or a JSON string slice.
	OtherSans string `json:"otherSans,omitempty" yaml:"otherSans,omitempty" vault:"other_sans,omitempty"`

	// PermittedDNSDomains (slice) – Domains for which this certificate is
	// allowed to sign or issue child certificates. If set, all DNS names
	// (subject and alt) on child certs must be exact matches or subsets of
	// the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
	// This is the name-constraints boundary of the generated CA; keep it as
	// narrow as the deployment allows.
	PermittedDNSDomains []string `json:"permittedDNSDomains,omitempty" yaml:"permittedDNSDomains,omitempty" vault:"permitted_dns_domains,omitempty"`

	// PrivateKeyFormat (string: "der") – Specifies the format for marshaling
	// the private key. Defaults to der which will return either
	// base64-encoded DER or PEM-encoded DER, depending on the value of
	// format. The other option is pkcs8 which will return the key marshalled
	// as PEM-encoded PKCS8.
	PrivateKeyFormat string `json:"privateKeyFormat,omitempty" yaml:"privateKeyFormat,omitempty" vault:"private_key_format,omitempty"`

	// TTL (ttl, int64: 0) – Specifies the Time To Live value provided as
	// seconds in int. If not set, uses the system default value or the value
	// of max_ttl, whichever is shorter.
	TTL int64 `json:"ttl,omitempty" yaml:"ttl,omitempty" vault:"ttl,omitempty"`

	// URISans (string: "") – Specifies the requested URI Subject Alternative
	// Names, in a comma-delimited list.
	URISans string `json:"uriSans,omitempty" yaml:"uriSans,omitempty" vault:"uri_sans,omitempty"`
}
VaultGenerateOptions holds the parameters to use when issuing a cert https://www.vaultproject.io/api/secret/pki#generate-intermediate
func (*VaultGenerateOptions) DeepCopy ¶
func (in *VaultGenerateOptions) DeepCopy() *VaultGenerateOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultGenerateOptions.
func (*VaultGenerateOptions) DeepCopyInto ¶
func (in *VaultGenerateOptions) DeepCopyInto(out *VaultGenerateOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultMountOptions ¶
// VaultMountOptions holds the parameters used when a secrets engine is
// enabled (https://www.vaultproject.io/api-docs/system/mounts#enable-secrets-engine).
// The per-field descriptions are taken from the Vault API reference.
type VaultMountOptions struct {
	// Type (string: <required>) – Specifies the type of the backend, such as
	// "aws". NOTE(review): documented as required, but the tag is omitempty,
	// so an empty Type is silently not sent.
	Type string `json:"type,omitempty" yaml:"type,omitempty" vault:"type,omitempty"`

	// Description (string: "") – Specifies the human-friendly description of
	// the mount.
	Description string `json:"description,omitempty" yaml:"description,omitempty" vault:"description,omitempty"`

	// Config (map<string|string>: nil) – Specifies configuration options for
	// this mount; if set on a specific mount, values will override any global
	// defaults (e.g. the system TTL/Max TTL).
	// NOTE(review): no Config field exists in this struct; the description
	// above is left over from the API reference. Per-mount TTLs are set via
	// VaultMountTuneOptions instead.

	// Local (bool: false) – Specifies if the secrets engine is a local mount
	// only. Local mounts are not replicated nor (if a secondary) removed by
	// replication.
	Local bool `json:"local,omitempty" yaml:"local,omitempty" vault:"local,omitempty"`

	// SealWrap (bool: false) – Enable seal wrapping for the mount, causing
	// values stored by the mount to be wrapped by the seal's encryption
	// capability.
	SealWrap bool `json:"sealWrap,omitempty" yaml:"sealWrap,omitempty" vault:"seal_wrap,omitempty"`

	// ExternalEntropyAccess (bool: false) – Enable the secrets engine to
	// access Vault's external entropy source.
	ExternalEntropyAccess bool `json:"externalEntropyAccess,omitempty" yaml:"externalEntropyAccess,omitempty" vault:"external_entropy_access,omitempty"`
}
VaultMountOptions the options for mounting secrets https://www.vaultproject.io/api-docs/system/mounts#enable-secrets-engine
func (*VaultMountOptions) DeepCopy ¶
func (in *VaultMountOptions) DeepCopy() *VaultMountOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultMountOptions.
func (*VaultMountOptions) DeepCopyInto ¶
func (in *VaultMountOptions) DeepCopyInto(out *VaultMountOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultMountTuneOptions ¶
// VaultMountTuneOptions holds the parameters applied to an existing mount
// (https://www.vaultproject.io/api-docs/system/mounts#tune-mount-configuration).
// The per-field descriptions are taken from the Vault API reference.
//
// NOTE(review): AllowedResponseHeaders and the two audit key fields carry no
// omitempty, unlike the rest of the struct, so they are serialised even when
// empty. If the vault tags drive the request body, an empty value may reset
// a previously configured list on the mount — confirm against the marshaller.
type VaultMountTuneOptions struct {
	// AllowedResponseHeaders (slice) – A list of headers to whitelist and
	// allow a plugin to set on responses.
	// NOTE(review): the json/yaml keys are PascalCase here while every other
	// field in this package uses camelCase.
	AllowedResponseHeaders []string `json:"AllowedResponseHeaders" yaml:"AllowedResponseHeaders" vault:"allowed_response_headers"`

	// AuditNonHMACRequestKeys (string: "") – Comma-separated string or list
	// of keys that will not be HMAC'd by audit devices in the request data
	// object. Values under the listed keys therefore appear in clear in the
	// audit log; keep the list minimal.
	AuditNonHMACRequestKeys string `json:"auditNonHMACRequestKeys" yaml:"auditNonHMACRequestKeys" vault:"audit-non-hmac-request-keys"`

	// AuditNonHMACResponseKeys (string: "") – Comma-separated string or list
	// of keys that will not be HMAC'd by audit devices in the response data
	// object. Same caveat as AuditNonHMACRequestKeys.
	AuditNonHMACResponseKeys string `json:"auditNonHMACResponseKeys" yaml:"auditNonHMACResponseKeys" vault:"audit-non-hmac-response-keys"`

	// DefaultLeaseTTL (duration: "") – The default lease TTL for this secrets
	// engine. If unspecified, this defaults to the Vault server's globally
	// configured default lease TTL, or a previously configured value for the
	// secrets engine. The field is an int64 here (presumably seconds —
	// confirm against the marshaller).
	DefaultLeaseTTL int64 `json:"defaultLeaseTTL,omitempty" yaml:"defaultLeaseTTL,omitempty" vault:"default_lease_ttl,omitempty"`

	// Description (string) – User-friendly description for this credential
	// backend.
	Description string `json:"description,omitempty" yaml:"description,omitempty" vault:"description,omitempty"`

	// ForceNoCache – not described in the original; maps to force_no_cache.
	ForceNoCache bool `json:"forceNoCache,omitempty" yaml:"forceNoCache,omitempty" vault:"force_no_cache,omitempty"`

	// ListingVisibility (string) – Determines the visibility of the mount in
	// the UI-specific listing endpoint. Accepted values are 'unauth' and an
	// empty string (the second value was garbled in the original comment;
	// confirm against the API).
	// NOTE(review): the vault tag is camelCase ("listingVisibility") while
	// every other vault tag in this struct is snake_case; verify it matches
	// the parameter name the tune API expects.
	ListingVisibility string `json:"listingVisibility,omitempty" yaml:"listingVisibility,omitempty" vault:"listingVisibility,omitempty"`

	// MaxLeaseTTL (duration: "") – The maximum lease TTL for this secrets
	// engine. If unspecified, this defaults to the Vault server's globally
	// configured maximum lease TTL, or a previously configured value for the
	// secrets engine. Same int64 caveat as DefaultLeaseTTL.
	MaxLeaseTTL int64 `json:"maxLeaseTTL,omitempty" yaml:"maxLeaseTTL,omitempty" vault:"max_lease_ttl,omitempty"`
}
VaultMountTuneOptions tunes the default lease for the PKI secrets engine: https://www.vaultproject.io/api-docs/system/mounts#tune-mount-configuration
func (*VaultMountTuneOptions) DeepCopy ¶
func (in *VaultMountTuneOptions) DeepCopy() *VaultMountTuneOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultMountTuneOptions.
func (*VaultMountTuneOptions) DeepCopyInto ¶
func (in *VaultMountTuneOptions) DeepCopyInto(out *VaultMountTuneOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultNamespace ¶
// VaultNamespace is the Schema for the vaultnamespaces API. It is a
// Kubernetes custom resource: TypeMeta/ObjectMeta are embedded, Spec holds the
// desired namespace and Status the observed state.
type VaultNamespace struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state (see VaultNamespaceSpec).
	Spec VaultNamespaceSpec `json:"spec,omitempty"`
	// Status is the observed state (see VaultNamespaceStatus).
	Status VaultNamespaceStatus `json:"status,omitempty"`
}
VaultNamespace is the Schema for the vaultnamespaces API
func (*VaultNamespace) DeepCopy ¶
func (in *VaultNamespace) DeepCopy() *VaultNamespace
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultNamespace.
func (*VaultNamespace) DeepCopyInto ¶
func (in *VaultNamespace) DeepCopyInto(out *VaultNamespace)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultNamespace) DeepCopyObject ¶
func (in *VaultNamespace) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VaultNamespaceList ¶
// VaultNamespaceList contains a list of VaultNamespace, as returned by a
// list call against the vaultnamespaces API.
type VaultNamespaceList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items holds the listed objects; the key is always serialised.
	Items []VaultNamespace `json:"items"`
}
VaultNamespaceList contains a list of VaultNamespace
func (*VaultNamespaceList) DeepCopy ¶
func (in *VaultNamespaceList) DeepCopy() *VaultNamespaceList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultNamespaceList.
func (*VaultNamespaceList) DeepCopyInto ¶
func (in *VaultNamespaceList) DeepCopyInto(out *VaultNamespaceList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultNamespaceList) DeepCopyObject ¶
func (in *VaultNamespaceList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VaultNamespaceSpec ¶
// VaultNamespaceSpec defines the desired state of VaultNamespace: a namespace
// named NamespaceName created under NamespaceBase.
type VaultNamespaceSpec struct {
	// NamespaceBase specifies the base path of the namespace. Use "root" for
	// root or no namespace.
	NamespaceBase string `json:"namespaceBase,omitempty" yaml:"namespaceBase,omitempty"`

	// NamespaceName is the name of the namespace to create under
	// NamespaceBase (presumably the final path segment — confirm against the
	// controller).
	NamespaceName string `json:"namespaceName,omitempty" yaml:"namespaceName,omitempty"`
}
VaultNamespaceSpec defines the desired state of VaultNamespace
func (*VaultNamespaceSpec) DeepCopy ¶
func (in *VaultNamespaceSpec) DeepCopy() *VaultNamespaceSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultNamespaceSpec.
func (*VaultNamespaceSpec) DeepCopyInto ¶
func (in *VaultNamespaceSpec) DeepCopyInto(out *VaultNamespaceSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultNamespaceStatus ¶
// VaultNamespaceStatus defines the observed state of VaultNamespace.
// It currently has no fields: the controller records nothing back on the
// object.
type VaultNamespaceStatus struct {
}
VaultNamespaceStatus defines the observed state of VaultNamespace
func (*VaultNamespaceStatus) DeepCopy ¶
func (in *VaultNamespaceStatus) DeepCopy() *VaultNamespaceStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultNamespaceStatus.
func (*VaultNamespaceStatus) DeepCopyInto ¶
func (in *VaultNamespaceStatus) DeepCopyInto(out *VaultNamespaceStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultPolicy ¶
// VaultPolicy is the Schema for the vaultpolicies API. It is a Kubernetes
// custom resource: TypeMeta/ObjectMeta are embedded, Spec holds the desired
// policy and Status the observed state.
type VaultPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state (see VaultPolicySpec).
	Spec VaultPolicySpec `json:"spec,omitempty"`
	// Status is the observed state (see VaultPolicyStatus).
	Status VaultPolicyStatus `json:"status,omitempty"`
}
VaultPolicy is the Schema for the vaultpolicies API
func (*VaultPolicy) DeepCopy ¶
func (in *VaultPolicy) DeepCopy() *VaultPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPolicy.
func (*VaultPolicy) DeepCopyInto ¶
func (in *VaultPolicy) DeepCopyInto(out *VaultPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultPolicy) DeepCopyObject ¶
func (in *VaultPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VaultPolicyList ¶
// VaultPolicyList contains a list of VaultPolicy, as returned by a list call
// against the vaultpolicies API.
type VaultPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items holds the listed objects; the key is always serialised.
	Items []VaultPolicy `json:"items"`
}
VaultPolicyList contains a list of VaultPolicy
func (*VaultPolicyList) DeepCopy ¶
func (in *VaultPolicyList) DeepCopy() *VaultPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPolicyList.
func (*VaultPolicyList) DeepCopyInto ¶
func (in *VaultPolicyList) DeepCopyInto(out *VaultPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultPolicyList) DeepCopyObject ¶
func (in *VaultPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VaultPolicySpec ¶
// VaultPolicySpec defines a Vault policy: the HCL rules in Policies, written
// under PolicyName, optionally inside a Vault namespace.
type VaultPolicySpec struct {
	// VaultNamespace is the Vault namespace the policy is written to; omitted
	// when empty.
	VaultNamespace string `json:"vaultNamespace,omitempty" yaml:"vaultNamespace,omitempty"`

	// PolicyName is the name the policy is stored under in Vault.
	PolicyName string `json:"policyName,omitempty" yaml:"policyName,omitempty"`

	// Policies holds the policy rules; the type is defined elsewhere in this
	// package. The tag carries no omitempty, so the key is always serialised
	// and the field is effectively required.
	Policies HCLPolicies `json:"policies" yaml:"policies"`
}
VaultPolicySpec defines a vault policy
func (*VaultPolicySpec) DeepCopy ¶
func (in *VaultPolicySpec) DeepCopy() *VaultPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPolicySpec.
func (*VaultPolicySpec) DeepCopyInto ¶
func (in *VaultPolicySpec) DeepCopyInto(out *VaultPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultPolicyStatus ¶
// VaultPolicyStatus defines the observed state of VaultPolicy.
// It currently has no fields: the controller records nothing back on the
// object.
type VaultPolicyStatus struct {
}
VaultPolicyStatus defines the observed state of VaultPolicy
func (*VaultPolicyStatus) DeepCopy ¶
func (in *VaultPolicyStatus) DeepCopy() *VaultPolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPolicyStatus.
func (*VaultPolicyStatus) DeepCopyInto ¶
func (in *VaultPolicyStatus) DeepCopyInto(out *VaultPolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultRole ¶
// VaultRole is the Schema for the vaultroles API. It is a Kubernetes custom
// resource: TypeMeta/ObjectMeta are embedded, Spec holds the desired role and
// Status the observed state.
type VaultRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state (see VaultRoleSpec).
	Spec VaultRoleSpec `json:"spec,omitempty"`
	// Status is the observed state (see VaultRoleStatus).
	Status VaultRoleStatus `json:"status,omitempty"`
}
VaultRole is the Schema for the vaultroles API
func (*VaultRole) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultRole.
func (*VaultRole) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultRole) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VaultRoleData ¶
// VaultRoleData is the request body written to an auth method's role
// endpoint. It mixes Kubernetes-auth fields (marked "k8s only"), the
// bind_secret_id / secret_id_* parameters of AppRole, and the common token_*
// parameters; which subset Vault honours depends on the auth method named in
// VaultRoleSpec.AuthMethod.
//
// NOTE(review): the comments of the form "name: value" were example values in
// the original source and are kept as such. TTL/num-use fields mix int and
// int64; the vault tags of Audience and BoundServiceAccountNames lack
// omitempty while their json tags have it — confirm which tag the marshaller
// honours.
type VaultRoleData struct {
	// Audience (k8s only; audience, string: "") – Optional Audience claim to
	// verify in the JWT.
	Audience string `json:"audience,omitempty" yaml:"audience,omitempty" vault:"audience"`

	// BoundServiceAccountNames (k8s only; bound_service_account_names, array:
	// <required>) – List of service account names able to access this role.
	// If set to "*" all names are allowed; both this and
	// bound_service_account_namespaces can not be "*".
	BoundServiceAccountNames []string `json:"boundServiceAccountNames,omitempty" yaml:"boundServiceAccountNames,omitempty" vault:"bound_service_account_names"`

	// BoundServiceAccountNamespaces (k8s only; bound_service_account_namespaces,
	// array: <required>) – List of namespaces allowed to access this role. If
	// set to "*" all namespaces are allowed; both this and
	// bound_service_account_names can not be set to "*".
	// NOTE(review): the struct tag was elided by the documentation renderer
	// and is not reproduced here; see the package source.
	BoundServiceAccountNamespaces []string `` /* 134-byte string literal not displayed */

	// BindSecretID (bind_secret_id) – example value: true.
	// NOTE(review): because the tag is omitempty, an explicit false is not
	// serialised, so this field cannot be used to turn secret-ID binding off
	// if the marshaller honours omitempty.
	BindSecretID bool `json:"bindSecretID,omitempty" yaml:"bindSecretID,omitempty" vault:"bind_secret_id,omitempty"`

	// LocalSecretIDs (local_secret_ids) – example value: false.
	LocalSecretIDs bool `json:"localSecretIDs,omitempty" yaml:"localSecretIDs,omitempty" vault:"local_secret_ids,omitempty"`

	// Policies (policies) – example value: [ddt-deploy, kube-deploy,
	// auth-k8s-config]. See also TokenPolicies below, which carries the same
	// kind of list; which one Vault applies is version dependent — confirm.
	Policies []string `json:"policies,omitempty" yaml:"policies,omitempty" vault:"policies,omitempty"`

	// SecretIDBoundCIDRs (secret_id_bound_cidrs) – example value: null.
	// CIDR blocks from which a secret ID may be used; narrow where possible.
	SecretIDBoundCIDRs []string `json:"secretIDBoundCIDRs,omitempty" yaml:"secretIDBoundCIDRs,omitempty" vault:"secret_id_bound_cidrs,omitempty"`

	// SecretIDNumUses (secret_id_num_uses) – example value: 0.
	SecretIDNumUses int `json:"secretIDNumUses,omitempty" yaml:"secretIDNumUses,omitempty" vault:"secret_id_num_uses,omitempty"`

	// SecretIDTTL (secret_id_ttl) – example value: 0.
	SecretIDTTL int `json:"secretIDTTL,omitempty" yaml:"secretIDTTL,omitempty" vault:"secret_id_ttl,omitempty"`

	// TokenBoundCIDRs (token_bound_cidrs) – example value: [].
	// CIDR blocks from which issued tokens may be used; narrow where possible.
	TokenBoundCIDRs []string `json:"tokenBoundCIDRs,omitempty" yaml:"tokenBoundCIDRs,omitempty" vault:"token_bound_cidrs,omitempty"`

	// TokenExplicitMaxTTL (token_explicit_max_ttl) – example value: 0.
	TokenExplicitMaxTTL int `json:"tokenExplicitMaxTTL,omitempty" yaml:"tokenExplicitMaxTTL,omitempty" vault:"token_explicit_max_ttl,omitempty"`

	// TokenMaxTTL (token_max_ttl) – example value: 1800.
	TokenMaxTTL int64 `json:"tokenMaxTTL,omitempty" yaml:"tokenMaxTTL,omitempty" vault:"token_max_ttl,omitempty"`

	// TokenNoDefaultPolicy (token_no_default_policy) – example value: false.
	TokenNoDefaultPolicy bool `json:"tokenNoDefaultPolicy,omitempty" yaml:"tokenNoDefaultPolicy,omitempty" vault:"token_no_default_policy,omitempty"`

	// TokenNumUses (token_num_uses) – example value: 0.
	TokenNumUses int `json:"tokenNumUses,omitempty" yaml:"tokenNumUses,omitempty" vault:"token_num_uses,omitempty"`

	// TokenPeriod (token_period) – example value: 0.
	TokenPeriod int `json:"tokenPeriod,omitempty" yaml:"tokenPeriod,omitempty" vault:"token_period,omitempty"`

	// TokenPolicies (token_policies) – example value: [ddt-deploy,
	// kube-deploy, auth-k8s-config].
	TokenPolicies []string `json:"tokenPolicies,omitempty" yaml:"tokenPolicies,omitempty" vault:"token_policies,omitempty"`

	// TokenTTL (token_ttl) – example value: 1800.
	TokenTTL int64 `json:"tokenTTL,omitempty" yaml:"tokenTTL,omitempty" vault:"token_ttl,omitempty"`

	// TokenType (token_type) – example value: default.
	TokenType string `json:"tokenType,omitempty" yaml:"tokenType,omitempty" vault:"token_type,omitempty"`
}
VaultRoleData is used as the data body of the Vault API POST request
func (*VaultRoleData) DeepCopy ¶
func (in *VaultRoleData) DeepCopy() *VaultRoleData
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultRoleData.
func (*VaultRoleData) DeepCopyInto ¶
func (in *VaultRoleData) DeepCopyInto(out *VaultRoleData)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultRoleList ¶
// VaultRoleList contains a list of VaultRole, as returned by a list call
// against the vaultroles API.
type VaultRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items holds the listed objects; the key is always serialised.
	Items []VaultRole `json:"items"`
}
VaultRoleList contains a list of VaultRole
func (*VaultRoleList) DeepCopy ¶
func (in *VaultRoleList) DeepCopy() *VaultRoleList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultRoleList.
func (*VaultRoleList) DeepCopyInto ¶
func (in *VaultRoleList) DeepCopyInto(out *VaultRoleList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultRoleList) DeepCopyObject ¶
func (in *VaultRoleList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VaultRoleSpec ¶
// VaultRoleSpec defines the desired state of VaultRole: a role named
// RoleName under the auth method AuthMethod, created with the parameters in
// Data. (The scaffold "Foo is an example field" comment from kubebuilder was
// stale and has been dropped.)
type VaultRoleSpec struct {
	// AuthMethod is the auth method the role belongs to (presumably the
	// mount path of a kubernetes or approle auth backend, given the fields
	// in VaultRoleData — confirm against the controller).
	AuthMethod string `json:"authMethod,omitempty" yaml:"authMethod,omitempty"`

	// RoleName is the name of the role in Vault.
	RoleName string `json:"roleName,omitempty" yaml:"roleName,omitempty"`

	// VaultNamespace is the Vault namespace the auth method lives in; omitted
	// when empty.
	VaultNamespace string `json:"vaultNamespace,omitempty" yaml:"vaultNamespace,omitempty"`

	// Data is the request body written when the role is created or updated
	// (see VaultRoleData). omitempty has no effect on a struct-typed field in
	// encoding/json, so it is always serialised.
	Data VaultRoleData `json:"data,omitempty" yaml:"data,omitempty"`
}
VaultRoleSpec defines the desired state of VaultRole
func (*VaultRoleSpec) DeepCopy ¶
func (in *VaultRoleSpec) DeepCopy() *VaultRoleSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultRoleSpec.
func (*VaultRoleSpec) DeepCopyInto ¶
func (in *VaultRoleSpec) DeepCopyInto(out *VaultRoleSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultRoleStatus ¶
// VaultRoleStatus defines the observed state of VaultRole.
// It currently has no fields: the controller records nothing back on the
// object.
type VaultRoleStatus struct {
}
VaultRoleStatus defines the observed state of VaultRole
func (*VaultRoleStatus) DeepCopy ¶
func (in *VaultRoleStatus) DeepCopy() *VaultRoleStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultRoleStatus.
func (*VaultRoleStatus) DeepCopyInto ¶
func (in *VaultRoleStatus) DeepCopyInto(out *VaultRoleStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.