v1alpha2

package
v0.19.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 27, 2024 License: Apache-2.0 Imports: 29 Imported by: 15

Documentation

Overview

+k8s:deepcopy-gen=package,register +k8s:openapi-gen=true +k8s:defaulter-gen=TypeMeta +groupName=kubevault.com

Index

Constants

View Source
const (
	VaultContainerName         = "vault"
	VaultUnsealerContainerName = "vault-unsealer"
	VaultInitContainerName     = "vault-config"
	VaultExporterContainerName = "vault-exporter"
)
View Source
const (
	VaultServerAnnotationName      = "vaultservers.kubevault.com/name"
	VaultServerAnnotationNamespace = "vaultservers.kubevault.com/namespace"
)
View Source
const (
	ResourceKindVaultServer = "VaultServer"
	ResourceVaultServer     = "vaultserver"
	ResourceVaultServers    = "vaultservers"
)

Variables

View Source
var (
	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
	SchemeBuilder runtime.SchemeBuilder

	AddToScheme = localSchemeBuilder.AddToScheme
)
View Source
var SchemeGroupVersion = schema.GroupVersion{Group: kubevault.GroupName, Version: "v1alpha2"}

Functions

func Kind

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns a Group qualified GroupKind

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type AllowedSecretEngines

type AllowedSecretEngines struct {
	// Namespaces indicates namespaces from which Secret Engines may be attached to this
	// Listener. This is restricted to the namespace of this VaultServer by default.
	//
	// +optional
	// +kubebuilder:default={from: Same}
	Namespaces *SecretEngineNamespaces `json:"namespaces,omitempty"`

	// SecretEngines specifies the types of Secret Engines that are allowed to bind
	// to this VaultServer. When unspecified or empty, all types of Secret Engines
	// are allowed.
	//
	// +optional
	SecretEngines []SecretEngineType `json:"secretEngines,omitempty"`
}

AllowedSecretEngines defines which Secret Engines may be attached to this Listener.

func (*AllowedSecretEngines) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedSecretEngines.

func (*AllowedSecretEngines) DeepCopyInto

func (in *AllowedSecretEngines) DeepCopyInto(out *AllowedSecretEngines)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthMethod

type AuthMethod struct {
	//  Specifies the name of the authentication method type, such as "github" or "token".
	Type AuthMethodType `json:"type"`

	// Specifies the path in which to enable the auth method.
	// Default value is the same as the 'type'
	Path string `json:"path"`

	// Specifies a human-friendly description of the auth method.
	// +optional
	Description string `json:"description,omitempty"`

	// Kubernetes auth config
	KubernetesConfig *KubernetesConfig `json:"kubernetesConfig,omitempty"`

	// OIDC auth config
	OIDCConfig *JWTOIDCConfig `json:"oidcConfig,omitempty"`

	// JWT auth config
	JWTConfig *JWTOIDCConfig `json:"jwtConfig,omitempty"`

	// Specifies the name of the auth plugin to use based from the name in the plugin catalog.
	// Applies only to plugin methods.
	// +optional
	PluginName string `json:"pluginName,omitempty"`

	// Specifies if the auth method is a local only. Local auth methods are not replicated nor (if a secondary) removed by replication.
	// +optional
	Local bool `json:"local,omitempty"`
}

AuthMethod contains the information to enable vault auth method links: https://www.vaultproject.io/api/system/auth.html

func (*AuthMethod) DeepCopy

func (in *AuthMethod) DeepCopy() *AuthMethod

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthMethod.

func (*AuthMethod) DeepCopyInto

func (in *AuthMethod) DeepCopyInto(out *AuthMethod)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthMethodEnableDisableStatus

type AuthMethodEnableDisableStatus string

+kubebuilder:validation:Enum=EnableSucceeded;EnableFailed;DisableSucceeded;DisableFailed

const (
	AuthMethodEnableSucceeded  AuthMethodEnableDisableStatus = "EnableSucceeded"
	AuthMethodEnableFailed     AuthMethodEnableDisableStatus = "EnableFailed"
	AuthMethodDisableSucceeded AuthMethodEnableDisableStatus = "DisableSucceeded"
	AuthMethodDisableFailed    AuthMethodEnableDisableStatus = "DisableFailed"
)

type AuthMethodStatus

type AuthMethodStatus struct {
	//  Specifies the name of the authentication method type, such as "github" or "token".
	Type AuthMethodType `json:"type"`

	// Specifies the path in which to enable the auth method.
	Path string `json:"path"`

	// Specifies whether auth method is enabled or not
	Status AuthMethodEnableDisableStatus `json:"status"`

	// Specifies the reason why failed to enable auth method
	// +optional
	Reason string `json:"reason,omitempty"`
}

AuthMethodStatus specifies the status of the auth method maintained by the auth method controller

func (*AuthMethodStatus) DeepCopy

func (in *AuthMethodStatus) DeepCopy() *AuthMethodStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthMethodStatus.

func (*AuthMethodStatus) DeepCopyInto

func (in *AuthMethodStatus) DeepCopyInto(out *AuthMethodStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthMethodType

type AuthMethodType string

+kubebuilder:validation:Enum=kubernetes;aws;gcp;userpass;cert;azure;jwt;oidc

const (
	AuthTypeKubernetes AuthMethodType = "kubernetes"
	AuthTypeAws        AuthMethodType = "aws"
	AuthTypeGcp        AuthMethodType = "gcp"
	AuthTypeUserPass   AuthMethodType = "userpass"
	AuthTypeCert       AuthMethodType = "cert"
	AuthTypeAzure      AuthMethodType = "azure"
	AuthTypeJWT        AuthMethodType = "jwt"
	AuthTypeOIDC       AuthMethodType = "oidc"
)

type AwsKmsSsmSpec

type AwsKmsSsmSpec struct {
	// The ID or ARN of the AWS KMS key to encrypt values
	KmsKeyID string `json:"kmsKeyID"`

	// +optional
	// An optional Key prefix for SSM Parameter store
	SsmKeyPrefix string `json:"ssmKeyPrefix,omitempty"`

	Region string `json:"region,omitempty"`

	// Specifies the secret name containing AWS access key and AWS secret key
	// secret data:
	//  - access_key:<value>
	//  - secret_key:<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`

	// Used to make AWS KMS requests. This is useful,
	// for example, when connecting to KMS over a VPC Endpoint.
	// If not set, Vault will use the default API endpoint for your region.
	Endpoint string `json:"endpoint,omitempty"`
}

AwsKmsSsmSpec contain the fields that required to unseal vault using aws kms ssm

func (*AwsKmsSsmSpec) DeepCopy

func (in *AwsKmsSsmSpec) DeepCopy() *AwsKmsSsmSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsKmsSsmSpec.

func (*AwsKmsSsmSpec) DeepCopyInto

func (in *AwsKmsSsmSpec) DeepCopyInto(out *AwsKmsSsmSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AzureKeyVault

type AzureKeyVault struct {
	// Azure key vault url, for example https://myvault.vault.azure.net
	VaultBaseURL string `json:"vaultBaseURL"`

	// The cloud environment identifier
	// default: "AZUREPUBLICCLOUD"
	// +optional
	Cloud string `json:"cloud,omitempty"`

	// The AAD Tenant ID
	TenantID string `json:"tenantID"`

	// Specifies the name of secret containing client cert and client cert password
	// secret data:
	//  - client-cert:<value>
	// 	- client-cert-password: <value>
	// +optional
	TLSSecretRef *core.LocalObjectReference `json:"tlsSecretRef,omitempty"`

	// Specifies the name of secret containing client id and client secret of AAD application
	// secret data:
	//  - client-id:<value>
	//  - client-secret:<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`

	// Use managed service identity for the virtual machine
	// +optional
	UseManagedIdentity bool `json:"useManagedIdentity,omitempty"`
}

AzureKeyVault contain the fields that required to unseal vault using azure key vault

func (*AzureKeyVault) DeepCopy

func (in *AzureKeyVault) DeepCopy() *AzureKeyVault

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKeyVault.

func (*AzureKeyVault) DeepCopyInto

func (in *AzureKeyVault) DeepCopyInto(out *AzureKeyVault)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AzureSpec

type AzureSpec struct {
	// Specifies the Azure Storage account name.
	AccountName string `json:"accountName"`

	// Specifies the secret containing Azure Storage account key.
	// secret data:
	//  - account_key:<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`

	// Specifies the Azure Storage Blob container name.
	Container string `json:"container"`

	//  Specifies the maximum number of concurrent operations to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`
}

vault doc: https://www.vaultproject.io/docs/configuration/storage/azure.html

AzureSpec defines configuration to set up Google Cloud Storage as backend storage in vault

func (*AzureSpec) DeepCopy

func (in *AzureSpec) DeepCopy() *AzureSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureSpec.

func (*AzureSpec) DeepCopyInto

func (in *AzureSpec) DeepCopyInto(out *AzureSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type BackendStorageSpec

type BackendStorageSpec struct {
	// ref: https://www.vaultproject.io/docs/configuration/storage/in-memory.html
	// +optional
	Inmem *InmemSpec `json:"inmem,omitempty"`

	// +optional
	Etcd *EtcdSpec `json:"etcd,omitempty"`

	// +optional
	Gcs *GcsSpec `json:"gcs,omitempty"`

	// +optional
	S3 *S3Spec `json:"s3,omitempty"`

	// +optional
	Azure *AzureSpec `json:"azure,omitempty"`

	// +optional
	PostgreSQL *PostgreSQLSpec `json:"postgresql,omitempty"`

	// +optional
	MySQL *MySQLSpec `json:"mysql,omitempty"`

	// +optional
	File *FileSpec `json:"file,omitempty"`

	// +optional
	DynamoDB *DynamoDBSpec `json:"dynamodb,omitempty"`

	// +optional
	Swift *SwiftSpec `json:"swift,omitempty"`

	// +optional
	Consul *ConsulSpec `json:"consul,omitempty"`

	// +optional
	Raft *RaftSpec `json:"raft,omitempty"`
}

TODO : set defaults and validation BackendStorageSpec defines storage backend configuration of vault

func (*BackendStorageSpec) DeepCopy

func (in *BackendStorageSpec) DeepCopy() *BackendStorageSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendStorageSpec.

func (*BackendStorageSpec) DeepCopyInto

func (in *BackendStorageSpec) DeepCopyInto(out *BackendStorageSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*BackendStorageSpec) GetBackendType

func (vsb *BackendStorageSpec) GetBackendType() (VaultServerBackend, error)

type ConsulSpec

type ConsulSpec struct {
	// Specifies the address of the Consul agent to communicate with.
	// This can be an IP address, DNS record, or unix socket.
	// +optional
	Address string `json:"address,omitempty"`

	// Specifies the check interval used to send health check information
	// back to Consul.
	// This is specified using a label suffix like "30s" or "1h".
	// +optional
	CheckTimeout string `json:"checkTimeout,omitempty"`

	// Specifies the Consul consistency mode.
	// Possible values are "default" or "strong".
	// +optional
	ConsistencyMode string `json:"consistencyMode,omitempty"`

	// Specifies whether Vault should register itself with Consul.
	// Possible values are "true" or "false"
	// +optional
	DisableRegistration string `json:"disableRegistration,omitempty"`

	// Specifies the maximum number of concurrent requests to Consul.
	// +optional
	MaxParallel string `json:"maxParallel,omitempty"`

	// Specifies the path in Consul's key-value store
	// where Vault data will be stored.
	// +optional
	Path string `json:"path,omitempty"`

	// Specifies the scheme to use when communicating with Consul.
	// This can be set to "http" or "https".
	// +optional
	Scheme string `json:"scheme,omitempty"`

	// Specifies the name of the service to register in Consul.
	// +optional
	Service string `json:"service,omitempty"`

	// Specifies a comma-separated list of tags
	// to attach to the service registration in Consul.
	// +optional
	ServiceTags string `json:"serviceTags,omitempty"`

	// Specifies a service-specific address to set on the service registration
	// in Consul.
	// If unset, Vault will use what it knows to be the HA redirect address
	// - which is usually desirable.
	// Setting this parameter to "" will tell Consul to leverage the configuration
	// of the node the service is registered on dynamically.
	// +optional
	ServiceAddress string `json:"serviceAddress,omitempty"`

	// Specifies the secret name that contains ACL token with permission
	// to read and write from the path in Consul's key-value store.
	// secret data:
	//  - aclToken:<value>
	// +optional
	ACLTokenSecretRef *core.LocalObjectReference `json:"aclTokenSecretRef,omitempty"`

	// Specifies the minimum allowed session TTL.
	// Consul server has a lower limit of 10s on the session TTL by default.
	// +optional
	SessionTTL string `json:"sessionTTL,omitempty"`

	// Specifies the wait time before a lock lock acquisition is made.
	// This affects the minimum time it takes to cancel a lock acquisition.
	// +optional
	LockWaitTime string `json:"lockWaitTime,omitempty"`

	// Specifies the secret name that contains tls_ca_file, tls_cert_file and tls_key_file
	// for consul communication
	// Secret data:
	//  - ca.crt
	//  - tls.crt
	//  - tls.key
	// +optional
	TLSSecretRef *core.LocalObjectReference `json:"tlsSecretRef,omitempty"`

	// Specifies the minimum TLS version to use.
	// Accepted values are "tls10", "tls11" or "tls12".
	// +optional
	TLSMinVersion string `json:"tlsMinVersion,omitempty"`

	// Specifies if the TLS host verification should be disabled.
	// It is highly discouraged that you disable this option.
	// +optional
	TLSSkipVerify bool `json:"tlsSkipVerify,omitempty"`
}

ref: https://www.vaultproject.io/docs/configuration/storage/consul.html

ConsulSpec defines the configuration to set up consul as backend storage in vault

func (*ConsulSpec) DeepCopy

func (in *ConsulSpec) DeepCopy() *ConsulSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConsulSpec.

func (*ConsulSpec) DeepCopyInto

func (in *ConsulSpec) DeepCopyInto(out *ConsulSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type DynamoDBSpec

type DynamoDBSpec struct {
	// Specifies an alternative, AWS compatible, DynamoDB endpoint.
	// +optional
	Endpoint string `json:"endpoint,omitempty"`

	// Specifies the AWS region
	// +optional
	Region string `json:"region,omitempty"`

	// Specifies whether this backend should be used to run Vault in high availability mode.
	// +optional
	HaEnabled bool `json:"haEnabled,omitempty"`

	// Specifies the maximum number of reads consumed per second on the table
	// +optional
	ReadCapacity int64 `json:"readCapacity,omitempty"`

	// Specifies the maximum number of writes performed per second on the table.
	// +optional
	WriteCapacity int64 `json:"writeCapacity,omitempty"`

	// Specifies the name of the DynamoDB table in which to store Vault data.
	// If the specified table does not yet exist, it will be created during initialization.
	// default: vault-dynamodb-backend
	// +optional
	Table string `json:"table,omitempty"`

	// Specifies the secret name containing AWS session token, AWS access key and AWS secret key
	// secret data:
	//  - access_key=<value>
	//  - secret_key=<value>
	//  - session_token=<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`

	// Specifies the maximum number of parallel operations to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`
}

vault doc: https://www.vaultproject.io/docs/configuration/storage/dynamodb.html

DynamoDBSpec defines configuration to set up DynamoDB Storage as backend storage in vault

func (*DynamoDBSpec) DeepCopy

func (in *DynamoDBSpec) DeepCopy() *DynamoDBSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamoDBSpec.

func (*DynamoDBSpec) DeepCopyInto

func (in *DynamoDBSpec) DeepCopyInto(out *DynamoDBSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EtcdSpec

type EtcdSpec struct {
	// Specifies the addresses of the etcd instances
	Address string `json:"address"`

	// Specifies the version of the API to communicate with etcd
	// +optional
	EtcdApi string `json:"etcdApi,omitempty"`

	// Specifies if high availability should be enabled
	// +optional
	HAEnable bool `json:"haEnable,omitempty"`

	// Specifies the path in etcd where vault data will be stored
	// +optional
	Path string `json:"path,omitempty"`

	// Specifies whether to sync list of available etcd services on startup
	// +optional
	Sync bool `json:"sync,omitempty"`

	// Specifies the domain name to query for SRV records describing cluster endpoints
	// +optional
	DiscoverySrv string `json:"discoverySrv,omitempty"`

	// Specifies the secret name that contain username and password to use when authenticating with the etcd server
	// secret data:
	//  - username:<value>
	//  - password:<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`

	// Specifies the secret name that contains tls_ca_file, tls_cert_file and tls_key_file for etcd communication
	// secret data:
	//  - ca.crt
	//  - tls.crt
	//  - tls.key
	// +optional
	TLSSecretRef *core.LocalObjectReference `json:"tlsSecretRef,omitempty"`
}

TODO : set defaults and validation vault doc: https://www.vaultproject.io/docs/configuration/storage/etcd.html

EtcdSpec defines configuration to set up etcd as backend storage in vault

func (*EtcdSpec) DeepCopy

func (in *EtcdSpec) DeepCopy() *EtcdSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EtcdSpec.

func (*EtcdSpec) DeepCopyInto

func (in *EtcdSpec) DeepCopyInto(out *EtcdSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FileSpec

type FileSpec struct {
	// The absolute path on disk to the directory where the data will be stored.
	// If the directory does not exist, Vault will create it.
	Path string `json:"path"`

	// volumeClaimTemplate is a claim that pods are allowed to reference.
	// The VaultServer controller is responsible for deploying the claim
	// and update the volumeMounts in the Vault server container in the template.
	VolumeClaimTemplate ofst.PersistentVolumeClaim `json:"volumeClaimTemplate"`
}

vault doc: https://www.vaultproject.io/docs/configuration/storage/filesystem.html

FileSpec defines configuration to set up File system Storage as backend storage in vault

func (*FileSpec) DeepCopy

func (in *FileSpec) DeepCopy() *FileSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FileSpec.

func (*FileSpec) DeepCopyInto

func (in *FileSpec) DeepCopyInto(out *FileSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FromNamespaces

type FromNamespaces string

FromNamespaces specifies namespace from which Secret Engines may be attached to a VaultServer.

+kubebuilder:validation:Enum=All;Selector;Same

const (
	// Secret Engines in all namespaces may be attached to this VaultServer.
	NamespacesFromAll FromNamespaces = "All"
	// Only Secret Engines in namespaces selected by the selector may be attached to
	// this VaultServer.
	NamespacesFromSelector FromNamespaces = "Selector"
	// Only Secret Engines in the same namespace as the VaultServer may be attached to this
	// VaultServer.
	NamespacesFromSame FromNamespaces = "Same"
)

type GcsSpec

type GcsSpec struct {
	// Specifies the name of the bucket to use for storage.
	Bucket string `json:"bucket"`

	// Specifies the maximum size (in kilobytes) to send in a single request. If set to 0,
	// it will attempt to send the whole object at once, but will not retry any failures.
	// +optional
	ChunkSize string `json:"chunkSize,omitempty"`

	//  Specifies the maximum number of parallel operations to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`

	// Specifies if high availability mode is enabled.
	// +optional
	HAEnabled bool `json:"haEnabled,omitempty"`

	// Secret containing Google application credential
	// secret data:
	//  - sa.json:<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
}

vault doc: https://www.vaultproject.io/docs/configuration/storage/google-cloud-storage.html

GcsSpec defines configuration to set up Google Cloud Storage as backend storage in vault

func (*GcsSpec) DeepCopy

func (in *GcsSpec) DeepCopy() *GcsSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcsSpec.

func (*GcsSpec) DeepCopyInto

func (in *GcsSpec) DeepCopyInto(out *GcsSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GoogleKmsGcsSpec

type GoogleKmsGcsSpec struct {
	// The name of the Google Cloud KMS crypto key to use
	KmsCryptoKey string `json:"kmsCryptoKey"`

	// The name of the Google Cloud KMS key ring to use
	KmsKeyRing string `json:"kmsKeyRing"`

	// The Google Cloud KMS location to use (eg. 'global', 'europe-west1')
	KmsLocation string `json:"kmsLocation"`

	// The Google Cloud KMS project to use
	KmsProject string `json:"kmsProject"`

	// The name of the Google Cloud Storage bucket to store values in
	Bucket string `json:"bucket"`

	// Secret containing Google application credential
	// secret data:
	//  - sa.json:<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`
}

GoogleKmsGcsSpec contain the fields that required to unseal vault using google kms

func (*GoogleKmsGcsSpec) DeepCopy

func (in *GoogleKmsGcsSpec) DeepCopy() *GoogleKmsGcsSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GoogleKmsGcsSpec.

func (*GoogleKmsGcsSpec) DeepCopyInto

func (in *GoogleKmsGcsSpec) DeepCopyInto(out *GoogleKmsGcsSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type InmemSpec

type InmemSpec struct{}

ref: https://www.vaultproject.io/docs/configuration/storage/in-memory.html

func (*InmemSpec) DeepCopy

func (in *InmemSpec) DeepCopy() *InmemSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InmemSpec.

func (*InmemSpec) DeepCopyInto

func (in *InmemSpec) DeepCopyInto(out *InmemSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type JWTOIDCConfig

type JWTOIDCConfig struct {
	// The default lease duration, specified as a string duration like "5s" or "30m".
	// +optional
	DefaultLeaseTTL string `json:"defaultLeaseTTL,omitempty"`

	// The maximum lease duration, specified as a string duration like "5s" or "30m".
	// +optional
	MaxLeaseTTL string `json:"maxLeaseTTL,omitempty"`

	// The name of the plugin in the plugin catalog to use.
	// +optional
	PluginName string `json:"pluginName,omitempty"`

	// List of keys that will not be HMAC'd by audit devices in the request data object.
	// +optional
	AuditNonHMACRequestKeys []string `json:"auditNonHMACRequestKeys,omitempty"`

	// List of keys that will not be HMAC'd by audit devices in the response data object.
	// +optional
	AuditNonHMACResponseKeys []string `json:"auditNonHMACResponseKeys,omitempty"`

	// Speficies whether to show this mount in the UI-specific listing endpoint.
	// +optional
	ListingVisibility string `json:"listingVisibility,omitempty"`

	// List of headers to whitelist and pass from the request to the backend.
	// +optional
	PassthroughRequestHeaders []string `json:"passthroughRequestHeaders,omitempty"`

	// CredentialSecretRef
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`

	// TLSSecretRef
	// +optional
	TLSSecretRef *core.LocalObjectReference `json:"tlsSecretRef,omitempty"`

	// common configuration parameters
	// The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with "jwks_url" or "jwt_validation_pubkeys".
	// +optional
	OIDCDiscoveryURL string `json:"oidcDiscoveryURL,omitempty"`

	// The OAuth Client ID from the provider for OIDC roles.
	// +optional
	OIDCClientID string `json:"oidcClientID,omitempty"`

	// The response mode to be used in the OAuth2 request. Allowed values are "query" and "form_post". Defaults to "query".
	// If using Vault namespaces, and oidc_response_mode is "form_post", then "namespace_in_state" should be set to false.
	// +optional
	OIDCResponseMode string `json:"oidcResponseMode,omitempty"`

	// (comma-separated string, or array of strings: <optional>) - The response types to request.
	// Allowed values are "code" and "id_token". Defaults to "code". Note: "id_token" may only be used if "oidc_response_mode" is set to "form_post".
	// +optional
	OIDCResponseTypes string `json:"oidcResponseTypes,omitempty"`

	// The default role to use if none is provided during login
	// +optional
	DefaultRole string `json:"defaultRole,omitempty"`

	// Configuration options for provider-specific handling.
	// Providers with specific handling include: Azure, Google. The options are described in each provider's section in OIDC Provider Setup.
	// +optional
	ProviderConfig map[string]string `json:"providerConfig,omitempty"`

	// JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
	// +optional
	JWKSURL string `json:"jwksURL,omitempty"`

	// (comma-separated string, or array of strings: <optional>)
	// A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with "jwks_url" or "oidc_discovery_url".
	JWTValidationPubkeys []string `json:"jwtValidationPubkeys,omitempty"`

	// (comma-separated string, or array of strings: <optional>)
	// A list of supported signing algorithms. Defaults to [RS256] for OIDC roles. Defaults to all available algorithms for JWT roles.
	// +optional
	JWTSupportedAlgs []string `json:"jwtSupportedAlgs,omitempty"`

	// The value against which to match the iss claim in a JWT.
	// +optional
	BoundIssuer string `json:"boundIssuer,omitempty"`
}

func (*JWTOIDCConfig) DeepCopy

func (in *JWTOIDCConfig) DeepCopy() *JWTOIDCConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTOIDCConfig.

func (*JWTOIDCConfig) DeepCopyInto

func (in *JWTOIDCConfig) DeepCopyInto(out *JWTOIDCConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type KubernetesConfig

type KubernetesConfig struct {
	// The default lease duration, specified as a string duration like "5s" or "30m".
	// +optional
	DefaultLeaseTTL string `json:"defaultLeaseTTL,omitempty"`

	// The maximum lease duration, specified as a string duration like "5s" or "30m".
	// +optional
	MaxLeaseTTL string `json:"maxLeaseTTL,omitempty"`

	// The name of the plugin in the plugin catalog to use.
	// +optional
	PluginName string `json:"pluginName,omitempty"`

	// List of keys that will not be HMAC'd by audit devices in the request data object.
	// +optional
	AuditNonHMACRequestKeys []string `json:"auditNonHMACRequestKeys,omitempty"`

	// List of keys that will not be HMAC'd by audit devices in the response data object.
	// +optional
	AuditNonHMACResponseKeys []string `json:"auditNonHMACResponseKeys,omitempty"`

	// Speficies whether to show this mount in the UI-specific listing endpoint.
	// +optional
	ListingVisibility string `json:"listingVisibility,omitempty"`

	// List of headers to whitelist and pass from the request to the backend.
	// +optional
	PassthroughRequestHeaders []string `json:"passthroughRequestHeaders,omitempty"`
}

func (*KubernetesConfig) DeepCopy

func (in *KubernetesConfig) DeepCopy() *KubernetesConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesConfig.

func (*KubernetesConfig) DeepCopyInto

func (in *KubernetesConfig) DeepCopyInto(out *KubernetesConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type KubernetesSecretSpec

type KubernetesSecretSpec struct {
	SecretName string `json:"secretName"`
}

KubernetesSecretSpec contain the fields that required to unseal using kubernetes secret

func (*KubernetesSecretSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesSecretSpec.

func (*KubernetesSecretSpec) DeepCopyInto

func (in *KubernetesSecretSpec) DeepCopyInto(out *KubernetesSecretSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ModeSpec

type ModeSpec struct {
	// +optional
	KubernetesSecret *KubernetesSecretSpec `json:"kubernetesSecret,omitempty"`

	// +optional
	GoogleKmsGcs *GoogleKmsGcsSpec `json:"googleKmsGcs,omitempty"`

	// +optional
	AwsKmsSsm *AwsKmsSsmSpec `json:"awsKmsSsm,omitempty"`

	// +optional
	AzureKeyVault *AzureKeyVault `json:"azureKeyVault,omitempty"`
}

ModeSpec contain unseal mechanism

func (*ModeSpec) DeepCopy

func (in *ModeSpec) DeepCopy() *ModeSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ModeSpec.

func (*ModeSpec) DeepCopyInto

func (in *ModeSpec) DeepCopyInto(out *ModeSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type MySQLSpec

type MySQLSpec struct {
	// Specifies the address of the MySQL host.
	// if DatabaseRef is set then Address will be generated from it
	// This must be set if DatabaseRef is empty, validate from ValidatingWebhook
	// host example: <db-name>.<db-ns>.svc:3306
	// +optional
	Address string `json:"address"`

	// Specifies the name of the database. If the database does not exist, Vault will attempt to create it.
	// +optional
	// +kubebuilder:default:="vault"
	Database string `json:"database,omitempty"`

	// Specifies the name of the table. If the table does not exist, Vault will attempt to create it.
	// +optional
	// +kubebuilder:default:="vault"
	Table string `json:"table,omitempty"`

	// Specifies the MySQL username and password to connect to the database
	// secret data:
	//  - username=<value>
	//  - password=<value>
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`

	// Specifies the name of the secret containing the CA certificate to connect using TLS.
	// secret data:
	//  - ca.crt=<value>
	// +optional
	TLSSecretRef *core.LocalObjectReference `json:"tlsSecretRef,omitempty"`

	//  Specifies the maximum number of concurrent requests to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`

	// DatabaseRef contains the info of KubeDB managed Database
	// This will be used to generate the "Address" field
	// +optional
	DatabaseRef *appcat.AppReference `json:"databaseRef,omitempty"`

	PlaintextCredentialTransmission string `json:"plaintextCredentialTransmission,omitempty"`

	// Specifies the maximum number of idle connections to the database.
	// A zero uses value defaults to 2 idle connections and a negative value disables idle connections.
	// If larger than max_parallel it will be reduced to be equal.
	// +optional
	MaxIdleConnection int64 `json:"maxIdleConnection,omitempty"`

	// Specifies the maximum amount of time in seconds that a connection may be reused. If <= 0s connections are reused forever.
	// +optional
	MaxConnectionLifetime int64 `json:"maxConnectionLifetime,omitempty"`

	// High Availability Parameter
	// Specifies if high availability mode is enabled. This is a boolean value, but it is specified as a string like "true" or "false".
	// +optional
	// +kubebuilder:default:="true"
	HAEnabled string `json:"haEnabled,omitempty"`

	// High Availability Parameter
	// Specifies the name of the table to use for storing high availability information.
	// By default, this is the name of the table suffixed with _lock. If the table does not exist, Vault will attempt to create it.
	// +optional
	// +kubebuilder:default:="vault_lock"
	LockTable string `json:"lockTable,omitempty"`
}

vault doc: https://www.vaultproject.io/docs/configuration/storage/mysql.html

MySQLSpec defines configuration to set up MySQL Storage as backend storage in vault

func (*MySQLSpec) DeepCopy

func (in *MySQLSpec) DeepCopy() *MySQLSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLSpec.

func (*MySQLSpec) DeepCopyInto

func (in *MySQLSpec) DeepCopyInto(out *MySQLSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type NamedServiceTemplateSpec

type NamedServiceTemplateSpec struct {
	// Alias represents the identifier of the service.
	Alias ServiceAlias `json:"alias"`

	// ServiceTemplate is an optional configuration for a service used to expose VaultServer
	// +optional
	ofst.ServiceTemplateSpec `json:",inline,omitempty"`
}

func (*NamedServiceTemplateSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamedServiceTemplateSpec.

func (*NamedServiceTemplateSpec) DeepCopyInto

func (in *NamedServiceTemplateSpec) DeepCopyInto(out *NamedServiceTemplateSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PostgreSQLSpec

type PostgreSQLSpec struct {
	// Specifies the address of the Postgres host.
	// if DatabaseRef is set then Address will be generated from it
	// This must be set if DatabaseRef is empty, validate from ValidatingWebhook
	// host example: <db-name>.<db-ns>.svc:3306
	// +optional
	Address string `json:"address"`

	//  - username=<value>
	//  - password=<value>
	//  - connection_url="postgres://<username>:<password>@<host>:<port>/<db_name>"
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`

	// DatabaseRef contains the info of KubeDB managed Database
	// This will be used to generate the "Address" field
	DatabaseRef *appcat.AppReference `json:"databaseRef,omitempty"`

	// SSLMode for both standalone and clusters. [disable;require;verify-ca;verify-full]
	SSLMode PostgresSSLMode `json:"sslMode,omitempty"`

	// Specifies the name of the table in which to write Vault data.
	// This table must already exist (Vault will not attempt to create it).
	// +optional
	// +kubebuilder:default:="vault_kv_store"
	Table string `json:"table,omitempty"`

	//  Specifies the maximum number of concurrent requests to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`

	// Default not set. Sets the maximum number of connections in the idle connection pool.
	// See golang docs on SetMaxIdleConns(https://pkg.go.dev/database/sql#DB.SetMaxIdleConns) for more information. Requires 1.2 or later.
	// +optional
	MaxIdleConnection int64 `json:"maxIdleConnection,omitempty"`

	// High Availability Parameter
	// Default not enabled, requires 9.5 or later
	// Specifies if high availability mode is enabled. This is a boolean value, but it is specified as a string like "true" or "false".
	// +optional
	// +kubebuilder:default:="false"
	HAEnabled string `json:"haEnabled,omitempty"`

	// Specifies the name of the table to use for storing high availability information. This table must already exist (Vault will not attempt to create it).
	// +optional
	// +kubebuilder:default:="vault_ha_locks"
	HATable string `json:"haTable,omitempty"`
}

vault doc: https://www.vaultproject.io/docs/configuration/storage/postgresql.html

PostgreSQLSpec defines configuration to set up PostgreSQL storage as backend storage in vault

func (*PostgreSQLSpec) DeepCopy

func (in *PostgreSQLSpec) DeepCopy() *PostgreSQLSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgreSQLSpec.

func (*PostgreSQLSpec) DeepCopyInto

func (in *PostgreSQLSpec) DeepCopyInto(out *PostgreSQLSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PostgresSSLMode

type PostgresSSLMode string

+kubebuilder:validation:Enum=disable;require;verify-ca;verify-full

const (
	// PostgresSSLModeDisable represents `disable` sslMode. It ensures that the server does not use TLS/SSL.
	PostgresSSLModeDisable PostgresSSLMode = "disable"

	// Always SSL (skip verification)
	PostgressSSLModeRequire PostgresSSLMode = "require"

	// Always SSL (verify that the certificate presented by the server was signed by a trusted CA)
	PostgressSSLModeVerifyCA PostgresSSLMode = "verify-ca"

	// PostgresSSLModeVerifyFull represents `verify-full` sslmode. I want my data encrypted, and I accept the overhead.
	// I want to be sure that I connect to a server I trust, and that it's the one I specify.
	PostgresSSLModeVerifyFull PostgresSSLMode = "verify-full"
)

type RaftSpec

type RaftSpec struct {
	// An integer multiplier used by servers to scale key Raft timing parameters.
	// Tuning this affects the time it takes Vault to detect leader failures and to perform leader elections,
	// at the expense of requiring more network and CPU resources for better performance.
	// default: 0
	// +optional
	PerformanceMultiplier int64 `json:"performanceMultiplier,omitempty"`

	// This controls how many log entries are left in the log store on disk after a snapshot is made.
	// default: 10000
	// +optional
	TrailingLogs *int64 `json:"trailingLogs,omitempty"`

	// This controls the minimum number of raft commit entries between snapshots that are saved to disk.
	// default: 8192
	// +optional
	SnapshotThreshold *int64 `json:"snapshotThreshold,omitempty"`

	// This configures the maximum number of bytes for a raft entry. It applies to both Put operations and transactions.
	// default: 1048576
	// +optional
	MaxEntrySize *int64 `json:"maxEntrySize,omitempty"`

	// This is the interval after which autopilot will pick up any state changes.
	// default: ""
	// +optional
	AutopilotReconcileInterval string `json:"autopilotReconcileInterval,omitempty"`

	// Storage to specify how storage shall be used.
	Storage *core.PersistentVolumeClaimSpec `json:"storage,omitempty"`
}

RaftSpec defines the configuration for the Raft integrated storage. https://www.vaultproject.io/docs/configuration/storage/raft

func (*RaftSpec) DeepCopy

func (in *RaftSpec) DeepCopy() *RaftSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RaftSpec.

func (*RaftSpec) DeepCopyInto

func (in *RaftSpec) DeepCopyInto(out *RaftSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type S3Spec

type S3Spec struct {
	// Specifies the name of the bucket to use for storage.
	Bucket string `json:"bucket"`

	// Specifies an alternative, AWS compatible, S3 endpoint.
	// +optional
	Endpoint string `json:"endpoint,omitempty"`

	// Specifies the AWS region
	// +optional
	Region string `json:"region,omitempty"`

	// Specifies the secret name containing AWS session token, AWS access key and AWS secret key
	// secret data:
	//  - access_key=<value>
	//  - secret_key=<value>
	//  - session_token=<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`

	// Specifies the maximum number of parallel operations to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`

	// Specifies whether to use host bucket style domains with the configured endpoint.
	// +optional
	ForcePathStyle bool `json:"forcePathStyle,omitempty"`

	// Specifies if SSL should be used for the endpoint connection
	// +optional
	DisableSSL bool `json:"disableSSL,omitempty"`
}

vault doc: https://www.vaultproject.io/docs/configuration/storage/s3.html

S3Spec defines configuration to set up Amazon S3 Storage as backend storage in vault

func (*S3Spec) DeepCopy

func (in *S3Spec) DeepCopy() *S3Spec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3Spec.

func (*S3Spec) DeepCopyInto

func (in *S3Spec) DeepCopyInto(out *S3Spec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SecretEngineNamespaces

type SecretEngineNamespaces struct {
	// From indicates where Secret Engines will be selected for this VaultServer. Possible
	// values are:
	// * All: Secret Engines in all namespaces may be used by this VaultServer.
	// * Selector: Secret Engines in namespaces selected by the selector may be used by
	//   this VaultServer.
	// * Same: Only Secret Engines in the same namespace may be used by this VaultServer.
	//
	// +optional
	// +kubebuilder:default=Same
	From *FromNamespaces `json:"from,omitempty"`

	// Selector must be specified when From is set to "Selector". In that case,
	// only Secret Engines in Namespaces matching this Selector will be selected by this
	// VaultServer. This field is ignored for other values of "From".
	//
	// +optional
	Selector *metav1.LabelSelector `json:"selector,omitempty"`
}

SecretEngineNamespaces indicate which namespaces Secret Engines should be selected from.

func (*SecretEngineNamespaces) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretEngineNamespaces.

func (*SecretEngineNamespaces) DeepCopyInto

func (in *SecretEngineNamespaces) DeepCopyInto(out *SecretEngineNamespaces)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SecretEngineType

type SecretEngineType string

+kubebuilder:validation:Enum=kv;pki;aws;azure;gcp;postgres;mongodb;mysql;mariadb;elasticsearch;redis

const (
	SecretEngineTypeKV            SecretEngineType = "kv"
	SecretEngineTypePKI           SecretEngineType = "pki"
	SecretEngineTypeAWS           SecretEngineType = "aws"
	SecretEngineTypeAzure         SecretEngineType = "azure"
	SecretEngineTypeGCP           SecretEngineType = "gcp"
	SecretEngineTypePostgres      SecretEngineType = "postgres"
	SecretEngineTypeMongoDB       SecretEngineType = "mongodb"
	SecretEngineTypeMySQL         SecretEngineType = "mysql"
	SecretEngineTypeMariaDB       SecretEngineType = "mariadb"
	SecretEngineTypeElasticsearch SecretEngineType = "elasticsearch"
	SecretEngineTypeRedis         SecretEngineType = "redis"
)

type ServiceAlias

type ServiceAlias string

+kubebuilder:validation:Enum=internal;vault;stats

const (
	VaultServerServiceInternal ServiceAlias = "internal"
	VaultServerServiceVault    ServiceAlias = "vault"
	VaultServerServiceStats    ServiceAlias = "stats"
)

type SwiftSpec

type SwiftSpec struct {
	// Specifies the OpenStack authentication endpoint.
	AuthURL string `json:"authURL"`

	// Specifies the name of the Swift container.
	Container string `json:"container"`

	// Specifies the name of the secret containing the OpenStack account/username and password
	// Specifies secret containing auth token from alternate authentication.
	// secret data:
	//  - username=<value>
	//  - password=<value>
	//  - auth_token=<value>
	// +optional
	CredentialSecretRef *core.LocalObjectReference `json:"credentialSecretRef,omitempty"`

	// Specifies the name of the tenant. If left blank, this will default to the default tenant of the username.
	// +optional
	Tenant string `json:"tenant,omitempty"`

	// Specifies the name of the region.
	// +optional
	Region string `json:"region,omitempty"`

	// Specifies the id of the tenant.
	// +optional
	TenantID string `json:"tenantID,omitempty"`

	// Specifies the name of the user domain.
	// +optional
	Domain string `json:"domain,omitempty"`

	// Specifies the name of the project's domain.
	// +optional
	ProjectDomain string `json:"projectDomain,omitempty"`

	// Specifies the id of the trust.
	// +optional
	TrustID string `json:"trustID,omitempty"`

	// Specifies storage URL from alternate authentication.
	// +optional
	StorageURL string `json:"storageURL,omitempty"`

	//  Specifies the maximum number of concurrent requests to take place.
	// +optional
	MaxParallel int64 `json:"maxParallel,omitempty"`
}

vault doc: https://www.vaultproject.io/docs/configuration/storage/swift.html

SwiftSpec defines configuration to set up Swift Storage as backend storage in vault

func (*SwiftSpec) DeepCopy

func (in *SwiftSpec) DeepCopy() *SwiftSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SwiftSpec.

func (*SwiftSpec) DeepCopyInto

func (in *SwiftSpec) DeepCopyInto(out *SwiftSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TLSPolicy

type TLSPolicy struct {
	// TLSSecret is the secret containing TLS certs used by each vault node
	// for the communication between the vault server and its clients.
	// The secret should contain three files:
	// 	- tls.crt
	// 	- tls.key
	//
	// The server certificate must allow the following wildcard domains:
	// 	- localhost
	// 	- *.<namespace>.pod
	// 	- <vaultServer-name>.<namespace>.svc
	TLSSecret string `json:"tlsSecret"`

	// CABundle is a PEM encoded CA bundle which will be used to validate the serving certificate.
	// +optional
	CABundle []byte `json:"caBundle,omitempty"`
}

TLSPolicy defines the TLS policy of the vault nodes If this is not set, operator will auto-gen TLS assets and secrets.

func (*TLSPolicy) DeepCopy

func (in *TLSPolicy) DeepCopy() *TLSPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSPolicy.

func (*TLSPolicy) DeepCopyInto

func (in *TLSPolicy) DeepCopyInto(out *TLSPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TerminationPolicy

type TerminationPolicy string

+kubebuilder:validation:Enum=Halt;Delete;WipeOut;DoNotTerminate

const (
	// Deletes VaultServer pods, service but leave the PVCs and stash backup data intact.
	TerminationPolicyHalt TerminationPolicy = "Halt"
	// Deletes VaultServer pods, service, pvcs but leave the stash backup data intact.
	TerminationPolicyDelete TerminationPolicy = "Delete"
	// Deletes VaultServer pods, service, pvcs and stash backup data.
	TerminationPolicyWipeOut TerminationPolicy = "WipeOut"
	// Rejects attempt to delete VaultServer using ValidationWebhook.
	TerminationPolicyDoNotTerminate TerminationPolicy = "DoNotTerminate"
)

type UnsealerSpec

type UnsealerSpec struct {
	// Total count of secret shares that exist
	// +optional
	SecretShares int64 `json:"secretShares,omitempty"`

	// Minimum required secret shares to unseal
	// +optional
	SecretThreshold int64 `json:"secretThreshold,omitempty"`

	// How often to attempt to unseal the vault instance
	// +optional
	RetryPeriodSeconds time.Duration `json:"retryPeriodSeconds,omitempty"`

	// overwrite existing unseal keys and root tokens, possibly dangerous!
	// +optional
	OverwriteExisting bool `json:"overwriteExisting,omitempty"`

	// should the root token be stored in the key store (default true)
	// +optional
	StoreRootToken bool `json:"storeRootToken,omitempty"`

	// mode contains unseal mechanism
	// +optional
	Mode ModeSpec `json:"mode,omitempty"`
}

UnsealerSpec contain the configuration for auto vault initialize/unseal

func (*UnsealerSpec) DeepCopy

func (in *UnsealerSpec) DeepCopy() *UnsealerSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UnsealerSpec.

func (*UnsealerSpec) DeepCopyInto

func (in *UnsealerSpec) DeepCopyInto(out *UnsealerSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultCertificateAlias

type VaultCertificateAlias string

+kubebuilder:validation:Enum=ca;server;client;storage

const (
	VaultCACert      VaultCertificateAlias = "ca"
	VaultServerCert  VaultCertificateAlias = "server"
	VaultClientCert  VaultCertificateAlias = "client"
	VaultStorageCert VaultCertificateAlias = "storage"
)

type VaultServer

type VaultServer struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              VaultServerSpec   `json:"spec,omitempty"`
	Status            VaultServerStatus `json:"status,omitempty"`
}

+kubebuilder:object:root=true +kubebuilder:storageversion +kubebuilder:resource:path=vaultservers,singular=vaultserver,shortName=vs,categories={vault,appscode,all} +kubebuilder:subresource:status +kubebuilder:printcolumn:name="Replicas",type="string",JSONPath=".spec.replicas" +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version" +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.phase" +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"

func (VaultServer) AppBindingName

func (v VaultServer) AppBindingName() string

func (*VaultServer) BackupSecretName added in v0.11.0

func (vs *VaultServer) BackupSecretName() string

func (*VaultServer) CertificateMountPath

func (v *VaultServer) CertificateMountPath(alias VaultCertificateAlias) string

func (VaultServer) ConfigSecretName

func (v VaultServer) ConfigSecretName() string

func (VaultServer) CustomResourceDefinition

func (_ VaultServer) CustomResourceDefinition() *apiextensions.CustomResourceDefinition

func (*VaultServer) DeepCopy

func (in *VaultServer) DeepCopy() *VaultServer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServer.

func (*VaultServer) DeepCopyInto

func (in *VaultServer) DeepCopyInto(out *VaultServer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultServer) DeepCopyObject

func (in *VaultServer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*VaultServer) DefaultCertSecretName

func (vs *VaultServer) DefaultCertSecretName(alias string) string

Returns the default certificate secret name for given alias.

func (*VaultServer) GetCertSecretName

func (vs *VaultServer) GetCertSecretName(alias string) string

Returns certificate secret name for given alias if exists, otherwise returns the default certificate secret name.

func (*VaultServer) GetCertificateCN

func (vs *VaultServer) GetCertificateCN(alias VaultCertificateAlias) string

func (VaultServer) GetKey

func (v VaultServer) GetKey() string

func (*VaultServer) GetServiceTemplate

func (vs *VaultServer) GetServiceTemplate(alias ServiceAlias) ofst.ServiceTemplateSpec

GetServiceTemplate returns a pointer to the desired serviceTemplate referred by "alias". Otherwise, it returns nil.

func (*VaultServer) Hub

func (*VaultServer) Hub()

func (VaultServer) IsValid

func (v VaultServer) IsValid() error

func (*VaultServer) KeyPrefix

func (vs *VaultServer) KeyPrefix() string

func (VaultServer) OffshootLabels

func (v VaultServer) OffshootLabels() map[string]string

func (VaultServer) OffshootName

func (v VaultServer) OffshootName() string

func (VaultServer) OffshootSelectors

func (v VaultServer) OffshootSelectors() map[string]string

func (VaultServer) PolicyNameForAuthMethod

func (v VaultServer) PolicyNameForAuthMethod(typ AuthMethodType, path string) string

func (VaultServer) PolicyNameForAuthMethodController

func (v VaultServer) PolicyNameForAuthMethodController() string

func (VaultServer) PolicyNameForPolicyController

func (v VaultServer) PolicyNameForPolicyController() string

func (*VaultServer) ReplicasAreReady

func (v *VaultServer) ReplicasAreReady(lister appslister.StatefulSetLister) (bool, string, error)

func (VaultServer) ResourceFQN

func (_ VaultServer) ResourceFQN() string

func (*VaultServer) RootTokenID

func (vs *VaultServer) RootTokenID() string

RootTokenID is the ID that used as key name when storing root token

func (*VaultServer) Scheme

func (vs *VaultServer) Scheme() string

func (VaultServer) ServiceAccountForTokenReviewer

func (v VaultServer) ServiceAccountForTokenReviewer() string

func (VaultServer) ServiceAccountName

func (v VaultServer) ServiceAccountName() string

func (VaultServer) ServiceName

func (v VaultServer) ServiceName(alias ServiceAlias) string

func (*VaultServer) SetHealthCheckerDefaults added in v0.9.0

func (vs *VaultServer) SetHealthCheckerDefaults()

func (VaultServer) StatsLabels

func (v VaultServer) StatsLabels() map[string]string

func (VaultServer) StatsService

func (v VaultServer) StatsService() mona.StatsAccessor

func (VaultServer) StatsServiceName

func (v VaultServer) StatsServiceName() string

func (VaultServer) TLSSecretName

func (v VaultServer) TLSSecretName() string

func (*VaultServer) UnsealKeyID

func (vs *VaultServer) UnsealKeyID(id int) string

UnsealKeyID is the ID that used as key name when storing unseal key

type VaultServerBackend

type VaultServerBackend string

+kubebuilder:validation:Enum=inmem;etcd;gcs;s3;azure;postgresql;mysql;file;dynamodb;swift;consul;raft

const (
	VaultServerInmem      VaultServerBackend = "inmem"
	VaultServerEtcd       VaultServerBackend = "etcd"
	VaultServerGcs        VaultServerBackend = "gcs"
	VaultServerS3         VaultServerBackend = "s3"
	VaultServerAzure      VaultServerBackend = "azure"
	VaultServerPostgreSQL VaultServerBackend = "postgresql"
	VaultServerMySQL      VaultServerBackend = "mysql"
	VaultServerFile       VaultServerBackend = "file"
	VaultServerDynamoDB   VaultServerBackend = "dynamodb"
	VaultServerSwift      VaultServerBackend = "swift"
	VaultServerConsul     VaultServerBackend = "consul"
	VaultServerRaft       VaultServerBackend = "raft"
)

type VaultServerList

type VaultServerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VaultServer `json:"items,omitempty"`
}

func (*VaultServerList) DeepCopy

func (in *VaultServerList) DeepCopy() *VaultServerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServerList.

func (*VaultServerList) DeepCopyInto

func (in *VaultServerList) DeepCopyInto(out *VaultServerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultServerList) DeepCopyObject

func (in *VaultServerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultServerPhase

type VaultServerPhase string

+kubebuilder:validation:Enum=Initializing;Unsealing;Sealed;Ready;NotReady;Critical

const (
	// used for VaultServer that are Initializing
	VaultServerPhaseInitializing VaultServerPhase = "Initializing"
	// used for VaultServer that are Unsealing
	VaultServerPhaseUnsealing VaultServerPhase = "Unsealing"
	// used for VaultServer that are sealed
	VaultServerPhaseSealed VaultServerPhase = "Sealed"
	// used for VaultServer that are Ready
	VaultServerPhaseReady VaultServerPhase = "Ready"
	// used for VaultServer that are NotReady
	VaultServerPhaseNotReady VaultServerPhase = "NotReady"
	// used for VaultServer that are Critical
	VaultServerPhaseCritical VaultServerPhase = "Critical"
)

type VaultServerSpec

type VaultServerSpec struct {
	// Version of VaultServer to be deployed.
	Version string `json:"version"`

	// Number of instances to deploy for a VaultServer.
	Replicas *int32 `json:"replicas,omitempty"`

	// ConfigSecret is an optional field to provide extra configuration for vault.
	// This secret contain extra config for vault
	// File name should be 'vault.hcl'.
	// If specified, this file will be appended to the controller configuration file.
	// +optional
	ConfigSecret *core.LocalObjectReference `json:"configSecret,omitempty"`

	// DataSources is a list of Configmaps/Secrets in the same namespace as the VaultServer
	// object, which shall be mounted into the VaultServer Pods.
	// The data are mounted into /etc/vault/data/<name>.
	// The first data will be named as "data-0", second one will be named as "data-1" and so on.
	// +optional
	DataSources []core.VolumeSource `json:"dataSources,omitempty"`

	// TLS policy of vault nodes
	// +optional
	TLS *kmapi.TLSConfig `json:"tls,omitempty"`

	// backend storage configuration for vault
	Backend BackendStorageSpec `json:"backend"`

	// Unsealer configuration for vault
	// +optional
	Unsealer *UnsealerSpec `json:"unsealer,omitempty"`

	// Specifies the list of auth methods to enable
	// +optional
	AuthMethods []AuthMethod `json:"authMethods,omitempty"`

	// Monitor is used monitor database instance
	// +optional
	Monitor *mona.AgentSpec `json:"monitor,omitempty"`

	// PodTemplate is an optional configuration for pods used to run vault
	// +optional
	PodTemplate ofst.PodTemplateSpec `json:"podTemplate,omitempty"`

	// ServiceTemplates is an optional configuration for services used to expose database
	// +optional
	ServiceTemplates []NamedServiceTemplateSpec `json:"serviceTemplates,omitempty"`

	// Indicates that the vault server is halted and all offshoot Kubernetes resources except PVCs are deleted.
	// +optional
	Halted bool `json:"halted,omitempty"`

	// TerminationPolicy controls the delete operation for vault server
	// +optional
	TerminationPolicy TerminationPolicy `json:"terminationPolicy,omitempty"`

	// AllowedSecretEngines defines the types of Secret Engines that MAY be attached to a
	// Listener and the trusted namespaces where those Route resources MAY be
	// present.
	//
	// Although a client request may match multiple route rules, only one rule
	// may ultimately receive the request. Matching precedence MUST be
	// determined in order of the following criteria:
	//
	// * The most specific match as defined by the Route type.
	// * The oldest Route based on creation timestamp. For example, a Route with
	//   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
	//   a Route with a creation timestamp of "2020-09-08 01:02:04".
	// * If everything else is equivalent, the Route appearing first in
	//   alphabetical order (namespace/name) should be given precedence. For
	//   example, foo/bar is given precedence over foo/baz.
	//
	// All valid rules within a Route attached to this Listener should be
	// implemented. Invalid Route rules can be ignored (sometimes that will mean
	// the full Route). If a Route rule transitions from valid to invalid,
	// support for that Route rule should be dropped to ensure consistency. For
	// example, even if a filter specified by a Route rule is invalid, the rest
	// of the rules within that Route should still be supported.
	//
	// Support: Core
	// +kubebuilder:default={namespaces:{from: Same}}
	// +optional
	AllowedSecretEngines *AllowedSecretEngines `json:"allowedSecretEngines,omitempty"`

	// HealthChecker defines attributes of the health checker
	// +optional
	// +kubebuilder:default={periodSeconds: 10, timeoutSeconds: 10, failureThreshold: 1}
	HealthChecker kmapi.HealthCheckSpec `json:"healthChecker"`
}

func (*VaultServerSpec) DeepCopy

func (in *VaultServerSpec) DeepCopy() *VaultServerSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServerSpec.

func (*VaultServerSpec) DeepCopyInto

func (in *VaultServerSpec) DeepCopyInto(out *VaultServerSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultServerStatus

type VaultServerStatus struct {
	// ObservedGeneration is the most recent generation observed for this resource. It corresponds to the
	// resource's generation, which is updated on mutation by the API Server.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// Phase indicates the state this Vault server jumps in.
	// +optional
	Phase VaultServerPhase `json:"phase,omitempty"`

	// Initialized indicates if the Vault service is initialized.
	// +optional
	Initialized bool `json:"initialized,omitempty"`

	// ServiceName is the LB service for accessing vault nodes.
	// +optional
	ServiceName string `json:"serviceName,omitempty"`

	// ClientPort is the port for vault client to access.
	// It's the same on client LB service and vault nodes.
	// +optional
	ClientPort int64 `json:"clientPort,omitempty"`

	// VaultStatus is the set of Vault node specific statuses: Active, Standby, and Sealed
	// +optional
	VaultStatus VaultStatus `json:"vaultStatus,omitempty"`

	// PodNames of updated Vault nodes. Updated means the Vault container image version
	// matches the spec's version.
	// +optional
	UpdatedNodes []string `json:"updatedNodes,omitempty"`

	// Represents the latest available observations of a VaultServer current state.
	// +optional
	Conditions []kmapi.Condition `json:"conditions,omitempty"`

	// Status of the vault auth methods
	// +optional
	AuthMethodStatus []AuthMethodStatus `json:"authMethodStatus,omitempty"`
}

func (*VaultServerStatus) DeepCopy

func (in *VaultServerStatus) DeepCopy() *VaultServerStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServerStatus.

func (*VaultServerStatus) DeepCopyInto

func (in *VaultServerStatus) DeepCopyInto(out *VaultServerStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultStatus

type VaultStatus struct {
	// PodName of the active Vault node. Active node is unsealed.
	// Only active node can serve requests.
	// Vault service only points to the active node.
	// +optional
	Active string `json:"active,omitempty"`

	// PodNames of the standby Vault nodes. Standby nodes are unsealed.
	// Standby nodes do not process requests, and instead redirect to the active Vault.
	// +optional
	Standby []string `json:"standby,omitempty"`

	// PodNames of Sealed Vault nodes. Sealed nodes MUST be unsealed to
	// become standby or leader.
	// +optional
	Sealed []string `json:"sealed,omitempty"`

	// PodNames of Unsealed Vault nodes.
	// +optional
	Unsealed []string `json:"unsealed,omitempty"`
}

func (*VaultStatus) DeepCopy

func (in *VaultStatus) DeepCopy() *VaultStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStatus.

func (*VaultStatus) DeepCopyInto

func (in *VaultStatus) DeepCopyInto(out *VaultStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL