Overview ¶
+k8s:deepcopy-gen=package,register +k8s:openapi-gen=true +k8s:defaulter-gen=TypeMeta +groupName=kubevault.com
Index ¶
- Constants
- Variables
- func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition
- func Kind(kind string) schema.GroupKind
- func Resource(resource string) schema.GroupResource
- type AllowedSecretEngines
- type AuthMethod
- type AuthMethodEnableDisableStatus
- type AuthMethodStatus
- type AuthMethodType
- type AwsKmsSsmSpec
- type AzureKeyVault
- type AzureSpec
- type BackendStorageSpec
- type ConsulSpec
- type DynamoDBSpec
- type EtcdSpec
- type FileSpec
- type FromNamespaces
- type GcsSpec
- type GoogleKmsGcsSpec
- type InmemSpec
- type JWTOIDCConfig
- type KubernetesConfig
- type KubernetesSecretSpec
- type ModeSpec
- type MySQLSpec
- type NamedServiceTemplateSpec
- type PostgreSQLSpec
- type PostgresSSLMode
- type RaftSpec
- type S3Spec
- type SecretEngineNamespaces
- type SecretEngineType
- type ServiceAlias
- type SwiftSpec
- type TLSPolicy
- type TerminationPolicy
- type UnsealerSpec
- type VaultCertificateAlias
- type VaultServer
- func (v VaultServer) AppBindingName() string
- func (vs *VaultServer) BackupSecretName() string
- func (v *VaultServer) CertificateMountPath(alias VaultCertificateAlias) string
- func (v VaultServer) ConfigSecretName() string
- func (_ VaultServer) CustomResourceDefinition() *apiextensions.CustomResourceDefinition
- func (in *VaultServer) DeepCopy() *VaultServer
- func (in *VaultServer) DeepCopyInto(out *VaultServer)
- func (in *VaultServer) DeepCopyObject() runtime.Object
- func (vs *VaultServer) DefaultCertSecretName(alias string) string
- func (vs *VaultServer) GetCertSecretName(alias string) string
- func (vs *VaultServer) GetCertificateCN(alias VaultCertificateAlias) string
- func (v VaultServer) GetKey() string
- func (vs *VaultServer) GetServiceTemplate(alias ServiceAlias) ofst.ServiceTemplateSpec
- func (*VaultServer) Hub()
- func (v VaultServer) IsValid() error
- func (vs *VaultServer) KeyPrefix() string
- func (v VaultServer) OffshootLabels() map[string]string
- func (v VaultServer) OffshootName() string
- func (v VaultServer) OffshootSelectors() map[string]string
- func (v VaultServer) PolicyNameForAuthMethod(typ AuthMethodType, path string) string
- func (v VaultServer) PolicyNameForAuthMethodController() string
- func (v VaultServer) PolicyNameForPolicyController() string
- func (v *VaultServer) ReplicasAreReady(lister appslister.StatefulSetLister) (bool, string, error)
- func (_ VaultServer) ResourceFQN() string
- func (vs *VaultServer) RootTokenID() string
- func (vs *VaultServer) Scheme() string
- func (v VaultServer) ServiceAccountForTokenReviewer() string
- func (v VaultServer) ServiceAccountName() string
- func (v VaultServer) ServiceName(alias ServiceAlias) string
- func (vs *VaultServer) SetHealthCheckerDefaults()
- func (v VaultServer) StatsLabels() map[string]string
- func (v VaultServer) StatsService() mona.StatsAccessor
- func (v VaultServer) StatsServiceName() string
- func (v VaultServer) TLSSecretName() string
- func (vs *VaultServer) UnsealKeyID(id int) string
- type VaultServerBackend
- type VaultServerList
- type VaultServerPhase
- type VaultServerSpec
- type VaultServerStatus
- type VaultStatus
Constants ¶
// Well-known names of the containers that make up a VaultServer pod.
// The unsealer and init containers are the ones that touch unseal
// material and the rendered Vault config respectively.
const (
	VaultContainerName         = "vault"
	VaultUnsealerContainerName = "vault-unsealer"
	VaultInitContainerName     = "vault-config"
	VaultExporterContainerName = "vault-exporter"
)
// Annotation keys used to record which VaultServer (name and namespace)
// a dependent object belongs to.
const (
	VaultServerAnnotationName      = "vaultservers.kubevault.com/name"
	VaultServerAnnotationNamespace = "vaultservers.kubevault.com/namespace"
)
// Kind and (singular/plural) resource names of the VaultServer CRD.
const (
	ResourceKindVaultServer = "VaultServer"
	ResourceVaultServer     = "vaultserver"
	ResourceVaultServers    = "vaultservers"
)
Variables ¶
var (
	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
	SchemeBuilder runtime.SchemeBuilder
	// AddToScheme registers this package's types into a runtime.Scheme.
	AddToScheme = localSchemeBuilder.AddToScheme
)
// SchemeGroupVersion is the API group/version registered by this package
// (group kubevault.com, version v1alpha2).
var SchemeGroupVersion = schema.GroupVersion{Group: kubevault.GroupName, Version: "v1alpha2"}
Functions ¶
func GetOpenAPIDefinitions ¶
func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type AllowedSecretEngines ¶
// AllowedSecretEngines restricts which SecretEngine objects may bind to a
// VaultServer, by source namespace and by engine type. Treat it as an
// authorization boundary: widening Namespaces beyond "Same" lets workloads in
// other namespaces attach engines to this Vault.
type AllowedSecretEngines struct {
	// Namespaces indicates namespaces from which Secret Engines may be attached to this
	// VaultServer. This is restricted to the namespace of this VaultServer by default.
	//
	// +optional
	// +kubebuilder:default={from: Same}
	Namespaces *SecretEngineNamespaces `json:"namespaces,omitempty"`
	// SecretEngines specifies the types of Secret Engines that are allowed to bind
	// to this VaultServer. When unspecified or empty, all types of Secret Engines
	// are allowed — there is no deny-by-default for engine types, so list them
	// explicitly if only a subset should be permitted.
	//
	// +optional
	SecretEngines []SecretEngineType `json:"secretEngines,omitempty"`
}
AllowedSecretEngines defines which Secret Engines may be attached to this VaultServer, by source namespace and by engine type.
func (*AllowedSecretEngines) DeepCopy ¶
func (in *AllowedSecretEngines) DeepCopy() *AllowedSecretEngines
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedSecretEngines.
func (*AllowedSecretEngines) DeepCopyInto ¶
func (in *AllowedSecretEngines) DeepCopyInto(out *AllowedSecretEngines)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthMethod ¶
// AuthMethod describes one Vault auth method the auth-method controller should
// enable on the server. Only one of KubernetesConfig, OIDCConfig and JWTConfig
// is meaningful for a given Type; the type itself does not enforce that.
// See https://www.vaultproject.io/api/system/auth.html
type AuthMethod struct {
	// Specifies the name of the authentication method type, such as "kubernetes" or "jwt".
	// Restricted to the values of AuthMethodType.
	Type AuthMethodType `json:"type"`
	// Specifies the path in which to enable the auth method.
	// Default value is the same as the 'type'
	Path string `json:"path"`
	// Specifies a human-friendly description of the auth method.
	// +optional
	Description string `json:"description,omitempty"`
	// Kubernetes auth config (presumably consulted only when Type is "kubernetes" — confirm against the controller).
	KubernetesConfig *KubernetesConfig `json:"kubernetesConfig,omitempty"`
	// OIDC auth config (presumably consulted only when Type is "oidc").
	OIDCConfig *JWTOIDCConfig `json:"oidcConfig,omitempty"`
	// JWT auth config (presumably consulted only when Type is "jwt").
	JWTConfig *JWTOIDCConfig `json:"jwtConfig,omitempty"`
	// Specifies the name of the auth plugin to use based from the name in the plugin catalog.
	// Applies only to plugin methods.
	// +optional
	PluginName string `json:"pluginName,omitempty"`
	// Specifies if the auth method is a local only. Local auth methods are not replicated nor (if a secondary) removed by replication.
	// +optional
	Local bool `json:"local,omitempty"`
}
AuthMethod contains the information needed to enable a Vault auth method. Reference: https://www.vaultproject.io/api/system/auth.html
func (*AuthMethod) DeepCopy ¶
func (in *AuthMethod) DeepCopy() *AuthMethod
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthMethod.
func (*AuthMethod) DeepCopyInto ¶
func (in *AuthMethod) DeepCopyInto(out *AuthMethod)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthMethodEnableDisableStatus ¶
// AuthMethodEnableDisableStatus records the outcome of the most recent
// enable or disable operation on an auth method.
//
// +kubebuilder:validation:Enum=EnableSucceeded;EnableFailed;DisableSucceeded;DisableFailed
type AuthMethodEnableDisableStatus string

const (
	// AuthMethodEnableSucceeded: the auth method was enabled on the server.
	AuthMethodEnableSucceeded AuthMethodEnableDisableStatus = "EnableSucceeded"
	// AuthMethodEnableFailed: enabling failed; see AuthMethodStatus.Reason.
	AuthMethodEnableFailed AuthMethodEnableDisableStatus = "EnableFailed"
	// AuthMethodDisableSucceeded: the auth method was disabled on the server.
	AuthMethodDisableSucceeded AuthMethodEnableDisableStatus = "DisableSucceeded"
	// AuthMethodDisableFailed: disabling failed; the method may still be live.
	AuthMethodDisableFailed AuthMethodEnableDisableStatus = "DisableFailed"
)
type AuthMethodStatus ¶
// AuthMethodStatus is the observed state of one auth method, keyed by Type and
// Path, as maintained by the auth-method controller.
type AuthMethodStatus struct {
	// Specifies the name of the authentication method type, such as "kubernetes" or "jwt".
	Type AuthMethodType `json:"type"`
	// Specifies the path in which the auth method is enabled.
	Path string `json:"path"`
	// Outcome of the last enable/disable attempt for this auth method.
	Status AuthMethodEnableDisableStatus `json:"status"`
	// Specifies why the last enable/disable attempt failed; empty on success.
	// +optional
	Reason string `json:"reason,omitempty"`
}
AuthMethodStatus specifies the status of the auth method maintained by the auth method controller
func (*AuthMethodStatus) DeepCopy ¶
func (in *AuthMethodStatus) DeepCopy() *AuthMethodStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthMethodStatus.
func (*AuthMethodStatus) DeepCopyInto ¶
func (in *AuthMethodStatus) DeepCopyInto(out *AuthMethodStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthMethodType ¶
// AuthMethodType is the set of Vault auth method types this API allows to be
// enabled through a VaultServer. It is a strict subset of what Vault itself
// supports; the CRD validation rejects anything not listed here.
//
// +kubebuilder:validation:Enum=kubernetes;aws;gcp;userpass;cert;azure;jwt;oidc
type AuthMethodType string

const (
	AuthTypeKubernetes AuthMethodType = "kubernetes"
	AuthTypeAws        AuthMethodType = "aws"
	AuthTypeGcp        AuthMethodType = "gcp"
	AuthTypeUserPass   AuthMethodType = "userpass"
	AuthTypeCert       AuthMethodType = "cert"
	AuthTypeAzure      AuthMethodType = "azure"
	AuthTypeJWT        AuthMethodType = "jwt"
	AuthTypeOIDC       AuthMethodType = "oidc"
)
type AwsKmsSsmSpec ¶
// AwsKmsSsmSpec configures unsealing with AWS KMS (to encrypt the unseal
// material) and SSM Parameter Store (to hold it). Whoever can call Decrypt on
// KmsKeyID and read the parameters under SsmKeyPrefix can unseal this Vault,
// so scope the IAM policy behind CredentialSecretRef (or the pod's ambient
// identity) to exactly that key and prefix.
type AwsKmsSsmSpec struct {
	// The ID or ARN of the AWS KMS key to encrypt values
	KmsKeyID string `json:"kmsKeyID"`
	// +optional
	// An optional Key prefix for SSM Parameter store
	SsmKeyPrefix string `json:"ssmKeyPrefix,omitempty"`
	// AWS region of the KMS key and SSM parameters.
	Region string `json:"region,omitempty"`
	// Specifies the secret name containing AWS access key and AWS secret key
	// secret data:
	// - access_key:<value>
	// - secret_key:<value>
	// When omitted, the unsealer presumably falls back to the AWS SDK default
	// credential chain (instance profile / IRSA) — confirm against the unsealer.
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
	// Used to make AWS KMS requests. This is useful,
	// for example, when connecting to KMS over a VPC Endpoint.
	// If not set, Vault will use the default API endpoint for your region.
	// Should be an https URL; KMS requests carry the plaintext unseal material.
	Endpoint string `json:"endpoint,omitempty"`
}
AwsKmsSsmSpec contains the fields required to unseal Vault using AWS KMS together with SSM Parameter Store.
func (*AwsKmsSsmSpec) DeepCopy ¶
func (in *AwsKmsSsmSpec) DeepCopy() *AwsKmsSsmSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsKmsSsmSpec.
func (*AwsKmsSsmSpec) DeepCopyInto ¶
func (in *AwsKmsSsmSpec) DeepCopyInto(out *AwsKmsSsmSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AzureKeyVault ¶
// AzureKeyVault configures unsealing with Azure Key Vault. Authentication to
// AAD is by client certificate (TLSSecretRef), client secret
// (CredentialSecretRef) or managed identity (UseManagedIdentity); which one
// wins when several are set is decided by the unsealer, not by this type.
type AzureKeyVault struct {
	// Azure key vault url, for example https://myvault.vault.azure.net
	VaultBaseURL string `json:"vaultBaseURL"`
	// The cloud environment identifier
	// default: "AZUREPUBLICCLOUD"
	// +optional
	Cloud string `json:"cloud,omitempty"`
	// The AAD Tenant ID
	TenantID string `json:"tenantID"`
	// Specifies the name of secret containing client cert and client cert password
	// secret data:
	// - client-cert:<value>
	// - client-cert-password: <value>
	// The password protects the certificate's private key, so this Secret is as
	// sensitive as the key itself.
	// +optional
	TLSSecretRef *core.LocalObjectReference `json:"tlsSecretRef,omitempty"`
	// Specifies the name of secret containing client id and client secret of AAD application
	// secret data:
	// - client-id:<value>
	// - client-secret:<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
	// Use managed service identity for the virtual machine
	// Preferred where available: no long-lived secret needs to live in the cluster.
	// +optional
	UseManagedIdentity bool `json:"useManagedIdentity,omitempty"`
}
AzureKeyVault contains the fields required to unseal Vault using Azure Key Vault.
func (*AzureKeyVault) DeepCopy ¶
func (in *AzureKeyVault) DeepCopy() *AzureKeyVault
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKeyVault.
func (*AzureKeyVault) DeepCopyInto ¶
func (in *AzureKeyVault) DeepCopyInto(out *AzureKeyVault)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AzureSpec ¶
// AzureSpec configures Azure Blob Storage as the Vault storage backend.
// Vault doc: https://www.vaultproject.io/docs/configuration/storage/azure.html
type AzureSpec struct {
	// Specifies the Azure Storage account name.
	AccountName string `json:"accountName"`
	// Specifies the secret containing Azure Storage account key.
	// secret data:
	// - account_key:<value>
	// An account key grants full access to the whole storage account, not just
	// Container; prefer a dedicated account for Vault.
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
	// Specifies the Azure Storage Blob container name.
	Container string `json:"container"`
	// Specifies the maximum number of concurrent operations to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`
}
vault doc: https://www.vaultproject.io/docs/configuration/storage/azure.html
AzureSpec defines the configuration to set up Azure Blob Storage as the backend storage in Vault.
func (*AzureSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureSpec.
func (*AzureSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type BackendStorageSpec ¶
// BackendStorageSpec selects the Vault storage backend. Each field is a
// pointer so that "unset" is distinguishable; the intent is that exactly one
// is set, but validation is still a TODO, so misconfigurations surface at
// GetBackendType / at runtime rather than at admission.
type BackendStorageSpec struct {
	// ref: https://www.vaultproject.io/docs/configuration/storage/in-memory.html
	// In-memory storage is not persisted: everything is lost when the pod
	// restarts. Dev/test only.
	// +optional
	Inmem *InmemSpec `json:"inmem,omitempty"`
	// +optional
	Etcd *EtcdSpec `json:"etcd,omitempty"`
	// +optional
	Gcs *GcsSpec `json:"gcs,omitempty"`
	// +optional
	S3 *S3Spec `json:"s3,omitempty"`
	// +optional
	Azure *AzureSpec `json:"azure,omitempty"`
	// +optional
	PostgreSQL *PostgreSQLSpec `json:"postgresql,omitempty"`
	// +optional
	MySQL *MySQLSpec `json:"mysql,omitempty"`
	// +optional
	File *FileSpec `json:"file,omitempty"`
	// +optional
	DynamoDB *DynamoDBSpec `json:"dynamodb,omitempty"`
	// +optional
	Swift *SwiftSpec `json:"swift,omitempty"`
	// +optional
	Consul *ConsulSpec `json:"consul,omitempty"`
	// +optional
	Raft *RaftSpec `json:"raft,omitempty"`
}
TODO: set defaults and validation. BackendStorageSpec defines the storage backend configuration of Vault; exactly one backend is meant to be set.
func (*BackendStorageSpec) DeepCopy ¶
func (in *BackendStorageSpec) DeepCopy() *BackendStorageSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendStorageSpec.
func (*BackendStorageSpec) DeepCopyInto ¶
func (in *BackendStorageSpec) DeepCopyInto(out *BackendStorageSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*BackendStorageSpec) GetBackendType ¶
func (vsb *BackendStorageSpec) GetBackendType() (VaultServerBackend, error)
type ConsulSpec ¶
// ConsulSpec configures Consul as the Vault storage backend.
// ref: https://www.vaultproject.io/docs/configuration/storage/consul.html
// Several fields are plain strings even where Vault's setting is a bool or
// int (DisableRegistration, MaxParallel); they are passed through as written.
type ConsulSpec struct {
	// Specifies the address of the Consul agent to communicate with.
	// This can be an IP address, DNS record, or unix socket.
	// +optional
	Address string `json:"address,omitempty"`
	// Specifies the check interval used to send health check information
	// back to Consul.
	// This is specified using a label suffix like "30s" or "1h".
	// +optional
	CheckTimeout string `json:"checkTimeout,omitempty"`
	// Specifies the Consul consistency mode.
	// Possible values are "default" or "strong".
	// +optional
	ConsistencyMode string `json:"consistencyMode,omitempty"`
	// Set to "true" to stop Vault from registering itself as a service with Consul.
	// Possible values are "true" or "false"
	// +optional
	DisableRegistration string `json:"disableRegistration,omitempty"`
	// Specifies the maximum number of concurrent requests to Consul.
	// +optional
	MaxParallel string `json:"maxParallel,omitempty"`
	// Specifies the path in Consul's key-value store
	// where Vault data will be stored.
	// +optional
	Path string `json:"path,omitempty"`
	// Specifies the scheme to use when communicating with Consul.
	// This can be set to "http" or "https". Use "https" unless the agent is
	// reached over a unix socket; "http" sends the ACL token in the clear.
	// +optional
	Scheme string `json:"scheme,omitempty"`
	// Specifies the name of the service to register in Consul.
	// +optional
	Service string `json:"service,omitempty"`
	// Specifies a comma-separated list of tags
	// to attach to the service registration in Consul.
	// +optional
	ServiceTags string `json:"serviceTags,omitempty"`
	// Specifies a service-specific address to set on the service registration
	// in Consul.
	// If unset, Vault will use what it knows to be the HA redirect address
	// - which is usually desirable.
	// Setting this parameter to "" will tell Consul to leverage the configuration
	// of the node the service is registered on dynamically.
	// +optional
	ServiceAddress string `json:"serviceAddress,omitempty"`
	// Specifies the secret name that contains ACL token with permission
	// to read and write from the path in Consul's key-value store.
	// Scope the token to Path (and the service registration) only; it should
	// not be a management token.
	// secret data:
	// - aclToken:<value>
	// +optional
	ACLTokenSecretRef *core.LocalObjectReference `json:"aclTokenSecretRef,omitempty"`
	// Specifies the minimum allowed session TTL.
	// Consul server has a lower limit of 10s on the session TTL by default.
	// +optional
	SessionTTL string `json:"sessionTTL,omitempty"`
	// Specifies the wait time before a lock acquisition is made.
	// This affects the minimum time it takes to cancel a lock acquisition.
	// +optional
	LockWaitTime string `json:"lockWaitTime,omitempty"`
	// Specifies the secret name that contains tls_ca_file, tls_cert_file and tls_key_file
	// for consul communication
	// Secret data:
	// - ca.crt
	// - tls.crt
	// - tls.key
	// +optional
	TLSSecretRef *core.LocalObjectReference `json:"tlsSecretRef,omitempty"`
	// Specifies the minimum TLS version to use.
	// Accepted values are "tls10", "tls11" or "tls12".
	// "tls10" and "tls11" are deprecated protocol versions; leave this at
	// "tls12" unless a legacy Consul agent forces otherwise.
	// +optional
	TLSMinVersion string `json:"tlsMinVersion,omitempty"`
	// Specifies if the TLS host verification should be disabled.
	// It is highly discouraged that you disable this option: with verification
	// off, anyone on the network path can impersonate Consul and read or
	// tamper with Vault's (barrier-encrypted) storage traffic and ACL token.
	// +optional
	TLSSkipVerify bool `json:"tlsSkipVerify,omitempty"`
}
ref: https://www.vaultproject.io/docs/configuration/storage/consul.html
ConsulSpec defines the configuration to set up Consul as the backend storage in Vault.
func (*ConsulSpec) DeepCopy ¶
func (in *ConsulSpec) DeepCopy() *ConsulSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConsulSpec.
func (*ConsulSpec) DeepCopyInto ¶
func (in *ConsulSpec) DeepCopyInto(out *ConsulSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DynamoDBSpec ¶
// DynamoDBSpec configures DynamoDB as the Vault storage backend.
// Vault doc: https://www.vaultproject.io/docs/configuration/storage/dynamodb.html
type DynamoDBSpec struct {
	// Specifies an alternative, AWS compatible, DynamoDB endpoint.
	// +optional
	Endpoint string `json:"endpoint,omitempty"`
	// Specifies the AWS region
	// +optional
	Region string `json:"region,omitempty"`
	// Specifies whether this backend should be used to run Vault in high availability mode.
	// +optional
	HaEnabled bool `json:"haEnabled,omitempty"`
	// Specifies the maximum number of reads consumed per second on the table
	// +optional
	ReadCapacity int64 `json:"readCapacity,omitempty"`
	// Specifies the maximum number of writes performed per second on the table.
	// +optional
	WriteCapacity int64 `json:"writeCapacity,omitempty"`
	// Specifies the name of the DynamoDB table in which to store Vault data.
	// If the specified table does not yet exist, it will be created during initialization.
	// default: vault-dynamodb-backend
	// +optional
	Table string `json:"table,omitempty"`
	// Specifies the secret name containing AWS session token, AWS access key and AWS secret key
	// secret data:
	// - access_key=<value>
	// - secret_key=<value>
	// - session_token=<value>
	// A session token is temporary: if one is supplied here, something must
	// rotate this Secret before it expires. When omitted, the AWS SDK default
	// credential chain is presumably used — confirm against the controller.
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
	// Specifies the maximum number of parallel operations to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`
}
vault doc: https://www.vaultproject.io/docs/configuration/storage/dynamodb.html
DynamoDBSpec defines configuration to set up DynamoDB Storage as backend storage in vault
func (*DynamoDBSpec) DeepCopy ¶
func (in *DynamoDBSpec) DeepCopy() *DynamoDBSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamoDBSpec.
func (*DynamoDBSpec) DeepCopyInto ¶
func (in *DynamoDBSpec) DeepCopyInto(out *DynamoDBSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EtcdSpec ¶
// EtcdSpec configures etcd as the Vault storage backend.
// Vault doc: https://www.vaultproject.io/docs/configuration/storage/etcd.html
// Defaults and validation are still a TODO.
type EtcdSpec struct {
	// Specifies the addresses of the etcd instances
	Address string `json:"address"`
	// Specifies the version of the API to communicate with etcd
	// +optional
	EtcdApi string `json:"etcdApi,omitempty"`
	// Specifies if high availability should be enabled
	// +optional
	HAEnable bool `json:"haEnable,omitempty"`
	// Specifies the path in etcd where vault data will be stored
	// +optional
	Path string `json:"path,omitempty"`
	// Specifies whether to sync list of available etcd services on startup
	// +optional
	Sync bool `json:"sync,omitempty"`
	// Specifies the domain name to query for SRV records describing cluster endpoints
	// +optional
	DiscoverySrv string `json:"discoverySrv,omitempty"`
	// Specifies the secret name that contain username and password to use when authenticating with the etcd server
	// secret data:
	// - username:<value>
	// - password:<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
	// Specifies the secret name that contains tls_ca_file, tls_cert_file and tls_key_file for etcd communication
	// secret data:
	// - ca.crt
	// - tls.crt
	// - tls.key
	// Without this, the etcd connection is only as protected as the scheme in
	// Address; the username/password above would then travel unencrypted.
	// +optional
	TLSSecretRef *core.LocalObjectReference `json:"tlsSecretRef,omitempty"`
}
TODO: set defaults and validation. Vault doc: https://www.vaultproject.io/docs/configuration/storage/etcd.html
EtcdSpec defines configuration to set up etcd as backend storage in vault
func (*EtcdSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EtcdSpec.
func (*EtcdSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FileSpec ¶
// FileSpec configures the local filesystem as the Vault storage backend,
// backed by a PersistentVolumeClaim the controller creates.
// Vault doc: https://www.vaultproject.io/docs/configuration/storage/filesystem.html
// The filesystem backend has no HA mode; it suits single-replica deployments.
type FileSpec struct {
	// The absolute path on disk to the directory where the data will be stored.
	// If the directory does not exist, Vault will create it.
	Path string `json:"path"`
	// volumeClaimTemplate is a claim that pods are allowed to reference.
	// The VaultServer controller is responsible for deploying the claim
	// and update the volumeMounts in the Vault server container in the template.
	// Anyone who can mount this volume holds Vault's storage; restrict access
	// to the PVC and its backing volume accordingly.
	VolumeClaimTemplate ofst.PersistentVolumeClaim `json:"volumeClaimTemplate"`
}
vault doc: https://www.vaultproject.io/docs/configuration/storage/filesystem.html
FileSpec defines configuration to set up File system Storage as backend storage in vault
func (*FileSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FileSpec.
func (*FileSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FromNamespaces ¶
// FromNamespaces specifies the namespaces from which Secret Engines may be
// attached to a VaultServer. "Same" is the default and the most restrictive.
//
// +kubebuilder:validation:Enum=All;Selector;Same
type FromNamespaces string

const (
	// Secret Engines in all namespaces may be attached to this VaultServer.
	// This hands every namespace in the cluster the ability to configure
	// engines on this Vault; use deliberately.
	NamespacesFromAll FromNamespaces = "All"
	// Only Secret Engines in namespaces selected by the selector may be attached to
	// this VaultServer.
	NamespacesFromSelector FromNamespaces = "Selector"
	// Only Secret Engines in the same namespace as the VaultServer may be attached to this
	// VaultServer.
	NamespacesFromSame FromNamespaces = "Same"
)
type GcsSpec ¶
// GcsSpec configures Google Cloud Storage as the Vault storage backend.
// Vault doc: https://www.vaultproject.io/docs/configuration/storage/google-cloud-storage.html
type GcsSpec struct {
	// Specifies the name of the bucket to use for storage.
	Bucket string `json:"bucket"`
	// Specifies the maximum size (in kilobytes) to send in a single request. If set to 0,
	// it will attempt to send the whole object at once, but will not retry any failures.
	// Note this is a string, not an integer; it is passed through as written.
	// +optional
	ChunkSize string `json:"chunkSize,omitempty"`
	// Specifies the maximum number of parallel operations to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`
	// Specifies if high availability mode is enabled.
	// +optional
	HAEnabled bool `json:"haEnabled,omitempty"`
	// Secret containing Google application credential
	// secret data:
	// - sa.json:<value>
	// A service-account key file is a long-lived credential; grant it only
	// object read/write on Bucket. When omitted, application default
	// credentials are presumably used — confirm against the controller.
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
}
vault doc: https://www.vaultproject.io/docs/configuration/storage/google-cloud-storage.html
GcsSpec defines configuration to set up Google Cloud Storage as backend storage in vault
func (*GcsSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcsSpec.
func (*GcsSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GoogleKmsGcsSpec ¶
// GoogleKmsGcsSpec configures unsealing with Google Cloud KMS (encryption)
// and a GCS bucket (storage of the encrypted unseal material). A principal
// with decrypt on the crypto key plus read on Bucket can unseal this Vault.
type GoogleKmsGcsSpec struct {
	// The name of the Google Cloud KMS crypto key to use
	KmsCryptoKey string `json:"kmsCryptoKey"`
	// The name of the Google Cloud KMS key ring to use
	KmsKeyRing string `json:"kmsKeyRing"`
	// The Google Cloud KMS location to use (eg. 'global', 'europe-west1')
	KmsLocation string `json:"kmsLocation"`
	// The Google Cloud KMS project to use
	KmsProject string `json:"kmsProject"`
	// The name of the Google Cloud Storage bucket to store values in
	Bucket string `json:"bucket"`
	// Secret containing Google application credential
	// secret data:
	// - sa.json:<value>
	// Grant this identity cloudkms.cryptoKeyVersions.useToDecrypt/Encrypt on
	// KmsCryptoKey and object access on Bucket only.
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
}
GoogleKmsGcsSpec contains the fields required to unseal Vault using Google Cloud KMS, with the encrypted unseal material kept in a GCS bucket.
func (*GoogleKmsGcsSpec) DeepCopy ¶
func (in *GoogleKmsGcsSpec) DeepCopy() *GoogleKmsGcsSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GoogleKmsGcsSpec.
func (*GoogleKmsGcsSpec) DeepCopyInto ¶
func (in *GoogleKmsGcsSpec) DeepCopyInto(out *GoogleKmsGcsSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type InmemSpec ¶
// InmemSpec selects Vault's in-memory storage backend. It has no options.
// Nothing is persisted: all data is lost on pod restart, so this is for
// development and testing only.
// ref: https://www.vaultproject.io/docs/configuration/storage/in-memory.html
type InmemSpec struct{}
ref: https://www.vaultproject.io/docs/configuration/storage/in-memory.html
func (*InmemSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InmemSpec.
func (*InmemSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JWTOIDCConfig ¶
// JWTOIDCConfig holds the mount options and the method-level configuration
// for Vault's jwt/oidc auth method. Exactly one of OIDCDiscoveryURL, JWKSURL
// and JWTValidationPubkeys is meant to be set (they are mutually exclusive in
// Vault); this type does not enforce it.
type JWTOIDCConfig struct {
	// The default lease duration, specified as a string duration like "5s" or "30m".
	// +optional
	DefaultLeaseTTL string `json:"defaultLeaseTTL,omitempty"`
	// The maximum lease duration, specified as a string duration like "5s" or "30m".
	// +optional
	MaxLeaseTTL string `json:"maxLeaseTTL,omitempty"`
	// The name of the plugin in the plugin catalog to use.
	// +optional
	PluginName string `json:"pluginName,omitempty"`
	// List of keys that will not be HMAC'd by audit devices in the request data object.
	// Values under these keys land in audit logs in cleartext; never list a
	// key that carries the bearer JWT or other credentials.
	// +optional
	AuditNonHMACRequestKeys []string `json:"auditNonHMACRequestKeys,omitempty"`
	// List of keys that will not be HMAC'd by audit devices in the response data object.
	// Same caveat as AuditNonHMACRequestKeys.
	// +optional
	AuditNonHMACResponseKeys []string `json:"auditNonHMACResponseKeys,omitempty"`
	// Specifies whether to show this mount in the UI-specific listing endpoint.
	// +optional
	ListingVisibility string `json:"listingVisibility,omitempty"`
	// List of headers to allowlist and pass from the request to the backend.
	// +optional
	PassthroughRequestHeaders []string `json:"passthroughRequestHeaders,omitempty"`
	// CredentialSecretRef — presumably holds the OAuth client secret for OIDC
	// (the expected key names are not documented here; confirm against the controller).
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
	// TLSSecretRef — presumably a CA bundle for reaching the provider over TLS
	// (key names undocumented here; confirm against the controller).
	// +optional
	TLSSecretRef *core.LocalObjectReference `json:"tlsSecretRef,omitempty"`
	// common configuration parameters
	// The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with "jwks_url" or "jwt_validation_pubkeys".
	// Must be https: the discovery document tells Vault which keys to trust.
	// +optional
	OIDCDiscoveryURL string `json:"oidcDiscoveryURL,omitempty"`
	// The OAuth Client ID from the provider for OIDC roles.
	// +optional
	OIDCClientID string `json:"oidcClientID,omitempty"`
	// The response mode to be used in the OAuth2 request. Allowed values are "query" and "form_post". Defaults to "query".
	// If using Vault namespaces, and oidc_response_mode is "form_post", then "namespace_in_state" should be set to false.
	// +optional
	OIDCResponseMode string `json:"oidcResponseMode,omitempty"`
	// (comma-separated string: <optional>) - The response types to request.
	// Allowed values are "code" and "id_token". Defaults to "code". Note: "id_token" may only be used if "oidc_response_mode" is set to "form_post".
	// Unlike Vault's API this field is a single string, not an array.
	// +optional
	OIDCResponseTypes string `json:"oidcResponseTypes,omitempty"`
	// The default role to use if none is provided during login
	// +optional
	DefaultRole string `json:"defaultRole,omitempty"`
	// Configuration options for provider-specific handling.
	// Providers with specific handling include: Azure, Google. The options are described in each provider's section in OIDC Provider Setup.
	// +optional
	ProviderConfig map[string]string `json:"providerConfig,omitempty"`
	// JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
	// Must be https for the same reason as OIDCDiscoveryURL.
	// +optional
	JWKSURL string `json:"jwksURL,omitempty"`
	// (comma-separated string, or array of strings: <optional>)
	// A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with "jwks_url" or "oidc_discovery_url".
	// Keys pinned here are not rotated automatically; pair with BoundIssuer.
	// +optional
	JWTValidationPubkeys []string `json:"jwtValidationPubkeys,omitempty"`
	// (comma-separated string, or array of strings: <optional>)
	// A list of supported signing algorithms. Defaults to [RS256] for OIDC roles. Defaults to all available algorithms for JWT roles.
	// Restrict this to the algorithm(s) your issuer actually uses; accepting
	// every algorithm widens the surface for algorithm-confusion attacks.
	// +optional
	JWTSupportedAlgs []string `json:"jwtSupportedAlgs,omitempty"`
	// The value against which to match the iss claim in a JWT.
	// Strongly recommended whenever JWKSURL or JWTValidationPubkeys is used,
	// so tokens minted by another issuer that shares those keys are rejected.
	// +optional
	BoundIssuer string `json:"boundIssuer,omitempty"`
}
func (*JWTOIDCConfig) DeepCopy ¶
func (in *JWTOIDCConfig) DeepCopy() *JWTOIDCConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTOIDCConfig.
func (*JWTOIDCConfig) DeepCopyInto ¶
func (in *JWTOIDCConfig) DeepCopyInto(out *JWTOIDCConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type KubernetesConfig ¶
// KubernetesConfig holds the mount options applied when enabling the
// kubernetes auth method. Only generic mount tuning is exposed here; the
// method's own settings (token reviewer, CA, issuer) are not part of this type.
type KubernetesConfig struct {
	// The default lease duration, specified as a string duration like "5s" or "30m".
	// +optional
	DefaultLeaseTTL string `json:"defaultLeaseTTL,omitempty"`
	// The maximum lease duration, specified as a string duration like "5s" or "30m".
	// +optional
	MaxLeaseTTL string `json:"maxLeaseTTL,omitempty"`
	// The name of the plugin in the plugin catalog to use.
	// +optional
	PluginName string `json:"pluginName,omitempty"`
	// List of keys that will not be HMAC'd by audit devices in the request data object.
	// Values under these keys land in audit logs in cleartext; never list the
	// key carrying the service-account JWT.
	// +optional
	AuditNonHMACRequestKeys []string `json:"auditNonHMACRequestKeys,omitempty"`
	// List of keys that will not be HMAC'd by audit devices in the response data object.
	// Same caveat as AuditNonHMACRequestKeys.
	// +optional
	AuditNonHMACResponseKeys []string `json:"auditNonHMACResponseKeys,omitempty"`
	// Specifies whether to show this mount in the UI-specific listing endpoint.
	// +optional
	ListingVisibility string `json:"listingVisibility,omitempty"`
	// List of headers to allowlist and pass from the request to the backend.
	// +optional
	PassthroughRequestHeaders []string `json:"passthroughRequestHeaders,omitempty"`
}
func (*KubernetesConfig) DeepCopy ¶
func (in *KubernetesConfig) DeepCopy() *KubernetesConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesConfig.
func (*KubernetesConfig) DeepCopyInto ¶
func (in *KubernetesConfig) DeepCopyInto(out *KubernetesConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type KubernetesSecretSpec ¶
// KubernetesSecretSpec configures unsealing from a Kubernetes Secret. The
// unsealer reads the unseal keys (and, per VaultServer.RootTokenID /
// UnsealKeyID, the root token) from this Secret, so anyone with `get` on it
// can unseal the server and act as root. Lock it down with RBAC and encrypt
// Secrets at rest; prefer a cloud-KMS mode where one is available.
type KubernetesSecretSpec struct {
	// Name of the Secret, in the VaultServer's namespace, holding the unseal material.
	SecretName string `json:"secretName"`
}
KubernetesSecretSpec contains the fields required to unseal Vault using a Kubernetes Secret. Read access to that Secret is equivalent to unseal (and root) access.
func (*KubernetesSecretSpec) DeepCopy ¶
func (in *KubernetesSecretSpec) DeepCopy() *KubernetesSecretSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesSecretSpec.
func (*KubernetesSecretSpec) DeepCopyInto ¶
func (in *KubernetesSecretSpec) DeepCopyInto(out *KubernetesSecretSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ModeSpec ¶
// ModeSpec contains the unseal mechanism. Each field selects a different store for
// the unseal material; presumably only one of them is meant to be set — that rule is
// not enforced by this type, so confirm where it is validated.
type ModeSpec struct {
	// KubernetesSecret stores the unseal material in a Kubernetes Secret.
	// +optional
	KubernetesSecret *KubernetesSecretSpec `json:"kubernetesSecret,omitempty"`
	// GoogleKmsGcs uses Google Cloud KMS together with a GCS bucket.
	// +optional
	GoogleKmsGcs *GoogleKmsGcsSpec `json:"googleKmsGcs,omitempty"`
	// AwsKmsSsm uses AWS KMS together with SSM.
	// +optional
	AwsKmsSsm *AwsKmsSsmSpec `json:"awsKmsSsm,omitempty"`
	// AzureKeyVault uses Azure Key Vault.
	// +optional
	AzureKeyVault *AzureKeyVault `json:"azureKeyVault,omitempty"`
}
func (*ModeSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ModeSpec.
func (*ModeSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MySQLSpec ¶
// MySQLSpec defines configuration to set up MySQL Storage as backend storage in vault.
// vault doc: https://www.vaultproject.io/docs/configuration/storage/mysql.html
type MySQLSpec struct {
	// Specifies the address of the MySQL host.
	// if DatabaseRef is set then Address will be generated from it
	// This must be set if DatabaseRef is empty, validate from ValidatingWebhook
	// host example: <db-name>.<db-ns>.svc:3306
	// NOTE(review): the tag has no omitempty although the field is +optional, so an
	// unset Address is serialized as "" — confirm that is intended.
	// +optional
	Address string `json:"address"`
	// Specifies the name of the database. If the database does not exist, Vault will attempt to create it.
	// +optional
	// +kubebuilder:default:="vault"
	Database string `json:"database,omitempty"`
	// Specifies the name of the table. If the table does not exist, Vault will attempt to create it.
	// +optional
	// +kubebuilder:default:="vault"
	Table string `json:"table,omitempty"`
	// Specifies the MySQL username and password to connect to the database
	// secret data:
	// - username=<value>
	// - password=<value>
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
	// Specifies the name of the secret containing the CA certificate to connect using TLS.
	// secret data:
	// - ca.crt=<value>
	// +optional
	TLSSecretRef *core.LocalObjectReference `json:"tlsSecretRef,omitempty"`
	// Specifies the maximum number of concurrent requests to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`
	// DatabaseRef contains the info of KubeDB managed Database
	// This will be used to generate the "Address" field
	// +optional
	DatabaseRef *appcat.AppReference `json:"databaseRef,omitempty"`
	// NOTE(review): undocumented. From its name it presumably controls whether the
	// credentials may be sent over a non-TLS connection; confirm the accepted values
	// and how the operator renders it, and document them here. Leaving it unset should
	// keep the safer (TLS-only) behavior — verify.
	PlaintextCredentialTransmission string `json:"plaintextCredentialTransmission,omitempty"`
	// Specifies the maximum number of idle connections to the database.
	// A zero value defaults to 2 idle connections and a negative value disables idle connections.
	// If larger than max_parallel it will be reduced to be equal.
	// +optional
	MaxIdleConnection int64 `json:"maxIdleConnection,omitempty"`
	// Specifies the maximum amount of time in seconds that a connection may be reused. If <= 0s connections are reused forever.
	// +optional
	MaxConnectionLifetime int64 `json:"maxConnectionLifetime,omitempty"`
	// High Availability Parameter
	// Specifies if high availability mode is enabled. This is a boolean value, but it is specified as a string like "true" or "false".
	// +optional
	// +kubebuilder:default:="true"
	HAEnabled string `json:"haEnabled,omitempty"`
	// High Availability Parameter
	// Specifies the name of the table to use for storing high availability information.
	// By default, this is the name of the table suffixed with _lock. If the table does not exist, Vault will attempt to create it.
	// +optional
	// +kubebuilder:default:="vault_lock"
	LockTable string `json:"lockTable,omitempty"`
}
func (*MySQLSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLSpec.
func (*MySQLSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type NamedServiceTemplateSpec ¶
// NamedServiceTemplateSpec pairs a ServiceAlias with the template for the Service
// the operator creates under that alias.
type NamedServiceTemplateSpec struct {
	// Alias represents the identifier of the service.
	Alias ServiceAlias `json:"alias"`
	// ServiceTemplate is an optional configuration for a service used to expose VaultServer
	// +optional
	ofst.ServiceTemplateSpec `json:",inline,omitempty"`
}
func (*NamedServiceTemplateSpec) DeepCopy ¶
func (in *NamedServiceTemplateSpec) DeepCopy() *NamedServiceTemplateSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamedServiceTemplateSpec.
func (*NamedServiceTemplateSpec) DeepCopyInto ¶
func (in *NamedServiceTemplateSpec) DeepCopyInto(out *NamedServiceTemplateSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PostgreSQLSpec ¶
// PostgreSQLSpec defines configuration to set up PostgreSQL storage as backend storage in vault.
// vault doc: https://www.vaultproject.io/docs/configuration/storage/postgresql.html
type PostgreSQLSpec struct {
	// Specifies the address of the Postgres host.
	// if DatabaseRef is set then Address will be generated from it
	// This must be set if DatabaseRef is empty, validate from ValidatingWebhook
	// host example: <db-name>.<db-ns>.svc:3306
	// NOTE(review): the example port looks copied from the MySQL spec; confirm the
	// port a KubeDB Postgres service exposes before relying on the example.
	// +optional
	Address string `json:"address"`
	// Specifies the secret holding the PostgreSQL credentials.
	// secret data:
	// - username=<value>
	// - password=<value>
	// - connection_url="postgres://<username>:<password>@<host>:<port>/<db_name>"
	// The connection_url embeds the password, so the whole Secret is credential material.
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
	// DatabaseRef contains the info of KubeDB managed Database
	// This will be used to generate the "Address" field
	DatabaseRef *appcat.AppReference `json:"databaseRef,omitempty"`
	// SSLMode for both standalone and clusters. [disable;require;verify-ca;verify-full]
	// Only verify-ca and verify-full check the server certificate (see PostgresSSLMode);
	// disable sends the credentials without TLS.
	SSLMode PostgresSSLMode `json:"sslMode,omitempty"`
	// Specifies the name of the table in which to write Vault data.
	// This table must already exist (Vault will not attempt to create it).
	// +optional
	// +kubebuilder:default:="vault_kv_store"
	Table string `json:"table,omitempty"`
	// Specifies the maximum number of concurrent requests to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`
	// Default not set. Sets the maximum number of connections in the idle connection pool.
	// See golang docs on SetMaxIdleConns(https://pkg.go.dev/database/sql#DB.SetMaxIdleConns) for more information. Requires 1.2 or later.
	// +optional
	MaxIdleConnection int64 `json:"maxIdleConnection,omitempty"`
	// High Availability Parameter
	// Default not enabled, requires 9.5 or later
	// Specifies if high availability mode is enabled. This is a boolean value, but it is specified as a string like "true" or "false".
	// +optional
	// +kubebuilder:default:="false"
	HAEnabled string `json:"haEnabled,omitempty"`
	// Specifies the name of the table to use for storing high availability information. This table must already exist (Vault will not attempt to create it).
	// +optional
	// +kubebuilder:default:="vault_ha_locks"
	HATable string `json:"haTable,omitempty"`
}
func (*PostgreSQLSpec) DeepCopy ¶
func (in *PostgreSQLSpec) DeepCopy() *PostgreSQLSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgreSQLSpec.
func (*PostgreSQLSpec) DeepCopyInto ¶
func (in *PostgreSQLSpec) DeepCopyInto(out *PostgreSQLSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PostgresSSLMode ¶
// PostgresSSLMode selects how the connection to the PostgreSQL backend is protected.
// Only verify-ca and verify-full check the server certificate; verify-full also
// checks that the certificate matches the host that was configured.
// +kubebuilder:validation:Enum=disable;require;verify-ca;verify-full
type PostgresSSLMode string

const (
	// PostgresSSLModeDisable represents `disable` sslMode. It ensures that the server does not use TLS/SSL.
	PostgresSSLModeDisable PostgresSSLMode = "disable"
	// PostgressSSLModeRequire represents `require` sslMode: always SSL, but verification is
	// skipped, so the peer is not authenticated.
	// (The identifier keeps its original spelling; it is exported API.)
	PostgressSSLModeRequire PostgresSSLMode = "require"
	// PostgressSSLModeVerifyCA represents `verify-ca` sslMode: always SSL, and the certificate
	// presented by the server must have been signed by a trusted CA.
	PostgressSSLModeVerifyCA PostgresSSLMode = "verify-ca"
	// PostgresSSLModeVerifyFull represents `verify-full` sslmode. I want my data encrypted, and I accept the overhead.
	// I want to be sure that I connect to a server I trust, and that it's the one I specify.
	PostgresSSLModeVerifyFull PostgresSSLMode = "verify-full"
)
type RaftSpec ¶
// RaftSpec defines the configuration for the Raft integrated storage.
// https://www.vaultproject.io/docs/configuration/storage/raft
type RaftSpec struct {
	// An integer multiplier used by servers to scale key Raft timing parameters.
	// Tuning this affects the time it takes Vault to detect leader failures and to perform leader elections,
	// at the expense of requiring more network and CPU resources for better performance.
	// default: 0
	// +optional
	PerformanceMultiplier int64 `json:"performanceMultiplier,omitempty"`
	// This controls how many log entries are left in the log store on disk after a snapshot is made.
	// default: 10000
	// +optional
	TrailingLogs *int64 `json:"trailingLogs,omitempty"`
	// This controls the minimum number of raft commit entries between snapshots that are saved to disk.
	// default: 8192
	// +optional
	SnapshotThreshold *int64 `json:"snapshotThreshold,omitempty"`
	// This configures the maximum number of bytes for a raft entry. It applies to both Put operations and transactions.
	// default: 1048576
	// +optional
	MaxEntrySize *int64 `json:"maxEntrySize,omitempty"`
	// This is the interval after which autopilot will pick up any state changes.
	// default: ""
	// +optional
	AutopilotReconcileInterval string `json:"autopilotReconcileInterval,omitempty"`
	// Storage to specify how storage shall be used.
	// The Raft data directory lives on this volume, so its storage class and access
	// controls determine who can read the persisted Vault data at rest.
	Storage *core.PersistentVolumeClaimSpec `json:"storage,omitempty"`
}
func (*RaftSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RaftSpec.
func (*RaftSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type S3Spec ¶
// S3Spec defines configuration to set up Amazon S3 Storage as backend storage in vault.
// vault doc: https://www.vaultproject.io/docs/configuration/storage/s3.html
type S3Spec struct {
	// Specifies the name of the bucket to use for storage.
	Bucket string `json:"bucket"`
	// Specifies an alternative, AWS compatible, S3 endpoint.
	// +optional
	Endpoint string `json:"endpoint,omitempty"`
	// Specifies the AWS region
	// +optional
	Region string `json:"region,omitempty"`
	// Specifies the secret name containing AWS session token, AWS access key and AWS secret key
	// secret data:
	// - access_key=<value>
	// - secret_key=<value>
	// - session_token=<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
	// Specifies the maximum number of parallel operations to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`
	// Specifies whether to use host bucket style domains with the configured endpoint.
	// +optional
	ForcePathStyle bool `json:"forcePathStyle,omitempty"`
	// DisableSSL, when true, turns SSL off for the endpoint connection; the default
	// (false) keeps SSL on. Disabling it exposes the stored data and the credentials
	// in transit and is not advisable outside of a test setup.
	// +optional
	DisableSSL bool `json:"disableSSL,omitempty"`
}
func (*S3Spec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3Spec.
func (*S3Spec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SecretEngineNamespaces ¶
// SecretEngineNamespaces indicates which namespaces Secret Engines should be selected from.
// Widening From beyond Same is an authorization decision: every namespace admitted here
// can attach Secret Engines to this VaultServer.
type SecretEngineNamespaces struct {
	// From indicates where Secret Engines will be selected for this VaultServer. Possible
	// values are:
	// * All: Secret Engines in all namespaces may be used by this VaultServer.
	// * Selector: Secret Engines in namespaces selected by the selector may be used by
	//   this VaultServer.
	// * Same: Only Secret Engines in the same namespace may be used by this VaultServer.
	//
	// +optional
	// +kubebuilder:default=Same
	From *FromNamespaces `json:"from,omitempty"`
	// Selector must be specified when From is set to "Selector". In that case,
	// only Secret Engines in Namespaces matching this Selector will be selected by this
	// VaultServer. This field is ignored for other values of "From".
	//
	// +optional
	Selector *metav1.LabelSelector `json:"selector,omitempty"`
}
func (*SecretEngineNamespaces) DeepCopy ¶
func (in *SecretEngineNamespaces) DeepCopy() *SecretEngineNamespaces
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretEngineNamespaces.
func (*SecretEngineNamespaces) DeepCopyInto ¶
func (in *SecretEngineNamespaces) DeepCopyInto(out *SecretEngineNamespaces)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SecretEngineType ¶
// SecretEngineType names a kind of Vault secret engine that can be attached to a VaultServer.
// +kubebuilder:validation:Enum=kv;pki;aws;azure;gcp;postgres;mongodb;mysql;mariadb;elasticsearch;redis
type SecretEngineType string

// Supported secret engine types. The string values are what the enum marker above accepts.
const (
	SecretEngineTypeKV            SecretEngineType = "kv"
	SecretEngineTypePKI           SecretEngineType = "pki"
	SecretEngineTypeAWS           SecretEngineType = "aws"
	SecretEngineTypeAzure         SecretEngineType = "azure"
	SecretEngineTypeGCP           SecretEngineType = "gcp"
	SecretEngineTypePostgres      SecretEngineType = "postgres"
	SecretEngineTypeMongoDB       SecretEngineType = "mongodb"
	SecretEngineTypeMySQL         SecretEngineType = "mysql"
	SecretEngineTypeMariaDB       SecretEngineType = "mariadb"
	SecretEngineTypeElasticsearch SecretEngineType = "elasticsearch"
	SecretEngineTypeRedis         SecretEngineType = "redis"
)
type ServiceAlias ¶
// ServiceAlias identifies one of the Services the operator creates for a VaultServer
// (see NamedServiceTemplateSpec and VaultServer.ServiceName).
// +kubebuilder:validation:Enum=internal;vault;stats
type ServiceAlias string

const (
	// VaultServerServiceInternal is the alias of the internal (node-to-node) service.
	VaultServerServiceInternal ServiceAlias = "internal"
	// VaultServerServiceVault is the alias of the client-facing vault service.
	VaultServerServiceVault ServiceAlias = "vault"
	// VaultServerServiceStats is the alias of the stats (monitoring) service.
	VaultServerServiceStats ServiceAlias = "stats"
)
type SwiftSpec ¶
// SwiftSpec defines configuration to set up Swift Storage as backend storage in vault.
// vault doc: https://www.vaultproject.io/docs/configuration/storage/swift.html
type SwiftSpec struct {
	// Specifies the OpenStack authentication endpoint.
	AuthURL string `json:"authURL"`
	// Specifies the name of the Swift container.
	Container string `json:"container"`
	// Specifies the name of the secret containing the OpenStack account/username and password,
	// or the auth token from alternate authentication.
	// secret data:
	// - username=<value>
	// - password=<value>
	// - auth_token=<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
	// Specifies the name of the tenant. If left blank, this will default to the default tenant of the username.
	// +optional
	Tenant string `json:"tenant,omitempty"`
	// Specifies the name of the region.
	// +optional
	Region string `json:"region,omitempty"`
	// Specifies the id of the tenant.
	// +optional
	TenantID string `json:"tenantID,omitempty"`
	// Specifies the name of the user domain.
	// +optional
	Domain string `json:"domain,omitempty"`
	// Specifies the name of the project's domain.
	// +optional
	ProjectDomain string `json:"projectDomain,omitempty"`
	// Specifies the id of the trust.
	// +optional
	TrustID string `json:"trustID,omitempty"`
	// Specifies storage URL from alternate authentication.
	// +optional
	StorageURL string `json:"storageURL,omitempty"`
	// Specifies the maximum number of concurrent requests to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`
}
func (*SwiftSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SwiftSpec.
func (*SwiftSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TLSPolicy ¶
// TLSPolicy defines the TLS policy of the vault nodes.
// If this is not set, the operator will auto-generate TLS assets and secrets.
type TLSPolicy struct {
	// TLSSecret is the secret containing TLS certs used by each vault node
	// for the communication between the vault server and its clients.
	// The secret should contain the following keys:
	// - tls.crt
	// - tls.key
	//
	// The server certificate must allow the following wildcard domains:
	// - localhost
	// - *.<namespace>.pod
	// - <vaultServer-name>.<namespace>.svc
	// The private key in this secret identifies the Vault server to every client;
	// protect the secret accordingly.
	TLSSecret string `json:"tlsSecret"`
	// CABundle is a PEM encoded CA bundle which will be used to validate the serving certificate.
	// +optional
	CABundle []byte `json:"caBundle,omitempty"`
}
func (*TLSPolicy) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSPolicy.
func (*TLSPolicy) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TerminationPolicy ¶
// TerminationPolicy controls what the operator deletes when a VaultServer is deleted.
// The policies are ordered from least to most destructive; WipeOut also removes backups.
// +kubebuilder:validation:Enum=Halt;Delete;WipeOut;DoNotTerminate
type TerminationPolicy string

const (
	// Deletes VaultServer pods, service but leave the PVCs and stash backup data intact.
	TerminationPolicyHalt TerminationPolicy = "Halt"
	// Deletes VaultServer pods, service, pvcs but leave the stash backup data intact.
	TerminationPolicyDelete TerminationPolicy = "Delete"
	// Deletes VaultServer pods, service, pvcs and stash backup data.
	// This is irreversible: no copy of the Vault data survives.
	TerminationPolicyWipeOut TerminationPolicy = "WipeOut"
	// Rejects attempt to delete VaultServer using ValidationWebhook.
	// Use this as the guard against accidental deletion of a production server.
	TerminationPolicyDoNotTerminate TerminationPolicy = "DoNotTerminate"
)
type UnsealerSpec ¶
// UnsealerSpec contains the configuration for automatic Vault initialization and unsealing.
type UnsealerSpec struct {
	// SecretShares is the number of secret shares the unseal key is split into;
	// SecretThreshold of them are needed to unseal.
	// +optional
	SecretShares int64 `json:"secretShares,omitempty"`
	// Minimum required secret shares to unseal
	// +optional
	SecretThreshold int64 `json:"secretThreshold,omitempty"`
	// How often to attempt to unseal the vault instance
	// NOTE(review): the Go type is time.Duration, which encoding/json serializes as an
	// int64 count of nanoseconds, while the name and tag say seconds — confirm which
	// unit the operator and callers expect before changing either side.
	// +optional
	RetryPeriodSeconds time.Duration `json:"retryPeriodSeconds,omitempty"`
	// overwrite existing unseal keys and root tokens, possibly dangerous!
	// If the stored keys are replaced while a Vault still depends on them, that Vault
	// can no longer be unsealed from the key store; leave this false unless re-initializing.
	// +optional
	OverwriteExisting bool `json:"overwriteExisting,omitempty"`
	// should the root token be stored in the key store (default true)
	// NOTE(review): a bool's zero value is false, so the documented default of true
	// must be applied elsewhere (defaulting logic not visible here) — confirm.
	// +optional
	StoreRootToken bool `json:"storeRootToken,omitempty"`
	// mode contains unseal mechanism
	// +optional
	Mode ModeSpec `json:"mode,omitempty"`
}
func (*UnsealerSpec) DeepCopy ¶
func (in *UnsealerSpec) DeepCopy() *UnsealerSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UnsealerSpec.
func (*UnsealerSpec) DeepCopyInto ¶
func (in *UnsealerSpec) DeepCopyInto(out *UnsealerSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultCertificateAlias ¶
// VaultCertificateAlias names one of the certificates the operator manages for a
// VaultServer (see VaultServer.CertificateMountPath and GetCertificateCN).
// +kubebuilder:validation:Enum=ca;server;client;storage
type VaultCertificateAlias string

const (
	// VaultCACert is the CA certificate.
	VaultCACert VaultCertificateAlias = "ca"
	// VaultServerCert is the serving certificate of the vault nodes.
	VaultServerCert VaultCertificateAlias = "server"
	// VaultClientCert is the client certificate.
	VaultClientCert VaultCertificateAlias = "client"
	// VaultStorageCert is the certificate used towards the storage backend.
	VaultStorageCert VaultCertificateAlias = "storage"
)
type VaultServer ¶
// VaultServer is the custom resource describing a Vault deployment managed by the
// operator: Spec holds the desired configuration, Status the observed state.
//
// +kubebuilder:object:root=true
// +kubebuilder:storageversion
// +kubebuilder:resource:path=vaultservers,singular=vaultserver,shortName=vs,categories={vault,appscode,all}
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="Replicas",type="string",JSONPath=".spec.replicas"
// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version"
// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.phase"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
type VaultServer struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec is the desired state of the VaultServer.
	Spec VaultServerSpec `json:"spec,omitempty"`
	// Status is the most recently observed state; it is served via the status subresource.
	Status VaultServerStatus `json:"status,omitempty"`
}
func (VaultServer) AppBindingName ¶
func (v VaultServer) AppBindingName() string
func (*VaultServer) BackupSecretName ¶ added in v0.11.0
func (vs *VaultServer) BackupSecretName() string
func (*VaultServer) CertificateMountPath ¶
func (v *VaultServer) CertificateMountPath(alias VaultCertificateAlias) string
func (VaultServer) ConfigSecretName ¶
func (v VaultServer) ConfigSecretName() string
func (VaultServer) CustomResourceDefinition ¶
func (_ VaultServer) CustomResourceDefinition() *apiextensions.CustomResourceDefinition
func (*VaultServer) DeepCopy ¶
func (in *VaultServer) DeepCopy() *VaultServer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServer.
func (*VaultServer) DeepCopyInto ¶
func (in *VaultServer) DeepCopyInto(out *VaultServer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultServer) DeepCopyObject ¶
func (in *VaultServer) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*VaultServer) DefaultCertSecretName ¶
func (vs *VaultServer) DefaultCertSecretName(alias string) string
DefaultCertSecretName returns the default certificate secret name for the given alias.
func (*VaultServer) GetCertSecretName ¶
func (vs *VaultServer) GetCertSecretName(alias string) string
GetCertSecretName returns the certificate secret name for the given alias if one exists; otherwise it returns the default certificate secret name.
func (*VaultServer) GetCertificateCN ¶
func (vs *VaultServer) GetCertificateCN(alias VaultCertificateAlias) string
func (VaultServer) GetKey ¶
func (v VaultServer) GetKey() string
func (*VaultServer) GetServiceTemplate ¶
func (vs *VaultServer) GetServiceTemplate(alias ServiceAlias) ofst.ServiceTemplateSpec
GetServiceTemplate returns a pointer to the desired serviceTemplate referred to by "alias"; otherwise, it returns nil.
func (*VaultServer) Hub ¶
func (*VaultServer) Hub()
func (VaultServer) IsValid ¶
func (v VaultServer) IsValid() error
func (*VaultServer) KeyPrefix ¶
func (vs *VaultServer) KeyPrefix() string
func (VaultServer) OffshootLabels ¶
func (v VaultServer) OffshootLabels() map[string]string
func (VaultServer) OffshootName ¶
func (v VaultServer) OffshootName() string
func (VaultServer) OffshootSelectors ¶
func (v VaultServer) OffshootSelectors() map[string]string
func (VaultServer) PolicyNameForAuthMethod ¶
func (v VaultServer) PolicyNameForAuthMethod(typ AuthMethodType, path string) string
func (VaultServer) PolicyNameForAuthMethodController ¶
func (v VaultServer) PolicyNameForAuthMethodController() string
func (VaultServer) PolicyNameForPolicyController ¶
func (v VaultServer) PolicyNameForPolicyController() string
func (*VaultServer) ReplicasAreReady ¶
func (v *VaultServer) ReplicasAreReady(lister appslister.StatefulSetLister) (bool, string, error)
func (VaultServer) ResourceFQN ¶
func (_ VaultServer) ResourceFQN() string
func (*VaultServer) RootTokenID ¶
func (vs *VaultServer) RootTokenID() string
RootTokenID is the ID used as the key name when storing the root token.
func (*VaultServer) Scheme ¶
func (vs *VaultServer) Scheme() string
func (VaultServer) ServiceAccountForTokenReviewer ¶
func (v VaultServer) ServiceAccountForTokenReviewer() string
func (VaultServer) ServiceAccountName ¶
func (v VaultServer) ServiceAccountName() string
func (VaultServer) ServiceName ¶
func (v VaultServer) ServiceName(alias ServiceAlias) string
func (*VaultServer) SetHealthCheckerDefaults ¶ added in v0.9.0
func (vs *VaultServer) SetHealthCheckerDefaults()
func (VaultServer) StatsLabels ¶
func (v VaultServer) StatsLabels() map[string]string
func (VaultServer) StatsService ¶
func (v VaultServer) StatsService() mona.StatsAccessor
func (VaultServer) StatsServiceName ¶
func (v VaultServer) StatsServiceName() string
func (VaultServer) TLSSecretName ¶
func (v VaultServer) TLSSecretName() string
func (*VaultServer) UnsealKeyID ¶
func (vs *VaultServer) UnsealKeyID(id int) string
UnsealKeyID is the ID used as the key name when storing an unseal key.
type VaultServerBackend ¶
// VaultServerBackend names a supported Vault storage backend.
// +kubebuilder:validation:Enum=inmem;etcd;gcs;s3;azure;postgresql;mysql;file;dynamodb;swift;consul;raft
type VaultServerBackend string

// Supported storage backends. The string values are what the enum marker above accepts.
const (
	VaultServerInmem      VaultServerBackend = "inmem"
	VaultServerEtcd       VaultServerBackend = "etcd"
	VaultServerGcs        VaultServerBackend = "gcs"
	VaultServerS3         VaultServerBackend = "s3"
	VaultServerAzure      VaultServerBackend = "azure"
	VaultServerPostgreSQL VaultServerBackend = "postgresql"
	VaultServerMySQL      VaultServerBackend = "mysql"
	VaultServerFile       VaultServerBackend = "file"
	VaultServerDynamoDB   VaultServerBackend = "dynamodb"
	VaultServerSwift      VaultServerBackend = "swift"
	VaultServerConsul     VaultServerBackend = "consul"
	VaultServerRaft       VaultServerBackend = "raft"
)
type VaultServerList ¶
// VaultServerList is the list type returned when listing VaultServer resources.
type VaultServerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the VaultServer objects in this list.
	Items []VaultServer `json:"items,omitempty"`
}
func (*VaultServerList) DeepCopy ¶
func (in *VaultServerList) DeepCopy() *VaultServerList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServerList.
func (*VaultServerList) DeepCopyInto ¶
func (in *VaultServerList) DeepCopyInto(out *VaultServerList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultServerList) DeepCopyObject ¶
func (in *VaultServerList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VaultServerPhase ¶
// VaultServerPhase is the coarse lifecycle state reported in VaultServerStatus.Phase.
// +kubebuilder:validation:Enum=Initializing;Unsealing;Sealed;Ready;NotReady;Critical
type VaultServerPhase string

const (
	// used for VaultServer that are Initializing
	VaultServerPhaseInitializing VaultServerPhase = "Initializing"
	// used for VaultServer that are Unsealing
	VaultServerPhaseUnsealing VaultServerPhase = "Unsealing"
	// used for VaultServer that are sealed
	VaultServerPhaseSealed VaultServerPhase = "Sealed"
	// used for VaultServer that are Ready
	VaultServerPhaseReady VaultServerPhase = "Ready"
	// used for VaultServer that are NotReady
	VaultServerPhaseNotReady VaultServerPhase = "NotReady"
	// used for VaultServer that are Critical
	VaultServerPhaseCritical VaultServerPhase = "Critical"
)
type VaultServerSpec ¶
// VaultServerSpec is the desired state of a VaultServer: the Vault version, the
// storage backend, TLS and unsealing setup, auth methods, and the pod/service
// templates the operator renders.
type VaultServerSpec struct {
	// Version of VaultServer to be deployed.
	Version string `json:"version"`
	// Number of instances to deploy for a VaultServer.
	Replicas *int32 `json:"replicas,omitempty"`
	// ConfigSecret is an optional field to provide extra configuration for vault.
	// This secret contain extra config for vault
	// File name should be 'vault.hcl'.
	// If specified, this file will be appended to the controller configuration file.
	// Because the content is appended to Vault's configuration as-is, write access to
	// this Secret amounts to control over the Vault configuration; restrict it accordingly.
	// +optional
	ConfigSecret *core.LocalObjectReference `json:"configSecret,omitempty"`
	// DataSources is a list of Configmaps/Secrets in the same namespace as the VaultServer
	// object, which shall be mounted into the VaultServer Pods.
	// The data are mounted into /etc/vault/data/<name>.
	// The first data will be named as "data-0", second one will be named as "data-1" and so on.
	// +optional
	DataSources []core.VolumeSource `json:"dataSources,omitempty"`
	// TLS policy of vault nodes
	// +optional
	TLS *kmapi.TLSConfig `json:"tls,omitempty"`
	// backend storage configuration for vault
	Backend BackendStorageSpec `json:"backend"`
	// Unsealer configuration for vault
	// +optional
	Unsealer *UnsealerSpec `json:"unsealer,omitempty"`
	// Specifies the list of auth methods to enable
	// +optional
	AuthMethods []AuthMethod `json:"authMethods,omitempty"`
	// Monitor is used to monitor the VaultServer instance
	// +optional
	Monitor *mona.AgentSpec `json:"monitor,omitempty"`
	// PodTemplate is an optional configuration for pods used to run vault
	// +optional
	PodTemplate ofst.PodTemplateSpec `json:"podTemplate,omitempty"`
	// ServiceTemplates is an optional configuration for services used to expose the VaultServer
	// +optional
	ServiceTemplates []NamedServiceTemplateSpec `json:"serviceTemplates,omitempty"`
	// Indicates that the vault server is halted and all offshoot Kubernetes resources except PVCs are deleted.
	// +optional
	Halted bool `json:"halted,omitempty"`
	// TerminationPolicy controls the delete operation for vault server
	// +optional
	TerminationPolicy TerminationPolicy `json:"terminationPolicy,omitempty"`
	// AllowedSecretEngines defines the types of Secret Engines that MAY be attached to
	// this VaultServer and the trusted namespaces where those Secret Engines MAY be present.
	//
	// By default only Secret Engines in the VaultServer's own namespace are admitted
	// (namespaces.from: Same). Widening this to All or to a Selector extends who can attach
	// engines to this server, so treat a change here as an authorization decision.
	//
	// +kubebuilder:default={namespaces:{from: Same}}
	// +optional
	AllowedSecretEngines *AllowedSecretEngines `json:"allowedSecretEngines,omitempty"`
	// HealthChecker defines attributes of the health checker
	// +optional
	// +kubebuilder:default={periodSeconds: 10, timeoutSeconds: 10, failureThreshold: 1}
	HealthChecker kmapi.HealthCheckSpec `json:"healthChecker"`
}
func (*VaultServerSpec) DeepCopy ¶
func (in *VaultServerSpec) DeepCopy() *VaultServerSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServerSpec.
func (*VaultServerSpec) DeepCopyInto ¶
func (in *VaultServerSpec) DeepCopyInto(out *VaultServerSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultServerStatus ¶
// VaultServerStatus is the observed state of a VaultServer as reported by the operator.
type VaultServerStatus struct {
	// ObservedGeneration is the most recent generation observed for this resource. It corresponds to the
	// resource's generation, which is updated on mutation by the API Server.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
	// Phase indicates the current state of this Vault server (see VaultServerPhase).
	// +optional
	Phase VaultServerPhase `json:"phase,omitempty"`
	// Initialized indicates if the Vault service is initialized.
	// +optional
	Initialized bool `json:"initialized,omitempty"`
	// ServiceName is the LB service for accessing vault nodes.
	// +optional
	ServiceName string `json:"serviceName,omitempty"`
	// ClientPort is the port for vault client to access.
	// It's the same on client LB service and vault nodes.
	// +optional
	ClientPort int64 `json:"clientPort,omitempty"`
	// VaultStatus is the set of Vault node specific statuses: Active, Standby, and Sealed
	// +optional
	VaultStatus VaultStatus `json:"vaultStatus,omitempty"`
	// PodNames of updated Vault nodes. Updated means the Vault container image version
	// matches the spec's version.
	// +optional
	UpdatedNodes []string `json:"updatedNodes,omitempty"`
	// Represents the latest available observations of a VaultServer current state.
	// +optional
	Conditions []kmapi.Condition `json:"conditions,omitempty"`
	// Status of the vault auth methods
	// +optional
	AuthMethodStatus []AuthMethodStatus `json:"authMethodStatus,omitempty"`
}
func (*VaultServerStatus) DeepCopy ¶
func (in *VaultServerStatus) DeepCopy() *VaultServerStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServerStatus.
func (*VaultServerStatus) DeepCopyInto ¶
func (in *VaultServerStatus) DeepCopyInto(out *VaultServerStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultStatus ¶
// VaultStatus records, by pod name, which role each Vault node currently holds.
type VaultStatus struct {
	// PodName of the active Vault node. Active node is unsealed.
	// Only active node can serve requests.
	// Vault service only points to the active node.
	// +optional
	Active string `json:"active,omitempty"`
	// PodNames of the standby Vault nodes. Standby nodes are unsealed.
	// Standby nodes do not process requests, and instead redirect to the active Vault.
	// +optional
	Standby []string `json:"standby,omitempty"`
	// PodNames of Sealed Vault nodes. Sealed nodes MUST be unsealed to
	// become standby or leader.
	// +optional
	Sealed []string `json:"sealed,omitempty"`
	// PodNames of Unsealed Vault nodes.
	// +optional
	Unsealed []string `json:"unsealed,omitempty"`
}
func (*VaultStatus) DeepCopy ¶
func (in *VaultStatus) DeepCopy() *VaultStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStatus.
func (*VaultStatus) DeepCopyInto ¶
func (in *VaultStatus) DeepCopyInto(out *VaultStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.