API Reference
Packages
secrets.hashicorp.com/v1beta1
Package v1beta1 contains API Schema definitions for the secrets v1beta1 API group
Resource Types
- HCPAuth
- HCPAuthList
- HCPVaultSecretsApp
- HCPVaultSecretsAppList
- VaultAuth
- VaultAuthList
- VaultConnection
- VaultConnectionList
- VaultDynamicSecret
- VaultDynamicSecretList
- VaultPKISecret
- VaultPKISecretList
- VaultStaticSecret
- VaultStaticSecretList
Destination
Destination provides the configuration that will be applied to the destination Kubernetes Secret during a Vault Secret -> K8s Secret sync.
Appears in:
| Field | Description |
|---|---|
name string | Name of the Secret |
create boolean | Create the destination Secret. If the Secret already exists this should be set to false. |
labels object (keys:string, values:string) | Labels to apply to the Secret. Requires Create to be set to true. |
annotations object (keys:string, values:string) | Annotations to apply to the Secret. Requires Create to be set to true. |
type SecretType | Type of Kubernetes Secret. Requires Create to be set to true. Defaults to Opaque. |
HCPAuth
HCPAuth is the Schema for the hcpauths API
Appears in:
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | HCPAuth |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec HCPAuthSpec |
HCPAuthList
HCPAuthList contains a list of HCPAuth
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | HCPAuthList |
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
items HCPAuth array |
HCPAuthServicePrincipal
HCPAuthServicePrincipal provides HCPAuth configuration options needed for authenticating to HCP using a service principal configured in SecretRef.
Appears in:
| Field | Description |
|---|---|
secretRef string | SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI/HCP) namespace which provides the HCP ServicePrincipal clientID, and clientSecret. The secret data must have the following structure { "clientID": "clientID", "clientSecret": "clientSecret", } |
HCPAuthSpec
HCPAuthSpec defines the desired state of HCPAuth
Appears in:
| Field | Description |
|---|---|
organizationID string | OrganizationID of the HCP organization. |
projectID string | ProjectID of the HCP project. |
allowedNamespaces string array | AllowedNamespaces Kubernetes Namespaces which are allow-listed for use with this AuthMethod. This field allows administrators to customize which Kubernetes namespaces are authorized to use with this AuthMethod. While Vault will still enforce its own rules, this has the added configurability of restricting which HCPAuthMethods can be used by which namespaces. Accepted values: []{"*"} - wildcard, all namespaces. []{"a", "b"} - list of namespaces. unset - disallow all namespaces except the Operator's the HCPAuthMethod's namespace, this is the default behavior. |
method string | Method to use when authenticating to Vault. |
servicePrincipal HCPAuthServicePrincipal | ServicePrincipal provides the necessary configuration for authenticating to HCP using a service principal. For security reasons, only project-level service principals should ever be used. |
HCPVaultSecretsApp
HCPVaultSecretsApp is the Schema for the hcpvaultsecretsapps API
Appears in:
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | HCPVaultSecretsApp |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec HCPVaultSecretsAppSpec |
HCPVaultSecretsAppList
HCPVaultSecretsAppList contains a list of HCPVaultSecretsApp
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | HCPVaultSecretsAppList |
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
items HCPVaultSecretsApp array |
HCPVaultSecretsAppSpec
HCPVaultSecretsAppSpec defines the desired state of HCPVaultSecretsApp
Appears in:
| Field | Description |
|---|---|
appName string | AppName of the Vault Secrets Application that is to be synced. |
hcpAuthRef string | HCPAuthRef to the HCPAuth resource, can be prefixed with a namespace, eg: namespaceA/vaultAuthRefB. If no namespace prefix is provided it will default to the namespace of the HCPAuth CR. If no value is specified for HCPAuthRef the Operator will default to the default HCPAuth, configured in its own Kubernetes namespace. HCPAuthRef string json:"hcpAuthRef,omitempty" |
refreshAfter string | RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h |
rolloutRestartTargets RolloutRestartTarget array | RolloutRestartTargets should be configured whenever the application(s) consuming the HCP Vault Secrets App does not support dynamically reloading a rotated secret. In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. See RolloutRestartTarget for more details. |
destination Destination | Destination provides configuration necessary for syncing the HCP Vault Application secrets to Kubernetes. |
RolloutRestartTarget
RolloutRestartTarget provides the configuration required to perform a rollout-restart of the supported resources upon Vault Secret rotation. The rollout-restart is triggered by patching the target resource's 'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z" Supported resources: Deployment, DaemonSet, StatefulSet
Appears in:
| Field | Description |
|---|---|
kind string | |
name string |
StorageEncryption
StorageEncryption provides the necessary configuration need to encrypt the storage cache entries using Vault's Transit engine. It only supports Kubernetes Auth for now.
Appears in:
| Field | Description |
|---|---|
mount string | Mount path of the Transit engine in Vault. |
keyName string | KeyName to use for encrypt/decrypt operations via Vault Transit. |
VaultAuth
VaultAuth is the Schema for the vaultauths API
Appears in:
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | VaultAuth |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec VaultAuthSpec |
VaultAuthConfigAWS
VaultAuthConfigAWS provides VaultAuth configuration options needed for authenticating to Vault via an AWS AuthMethod. Will use creds from SecretRef or IRSAServiceAccount if provided, in that order. If neither are provided, the underlying node role or instance profile will be used to authenticate to Vault.
Appears in:
| Field | Description |
|---|---|
role string | Vault role to use for authenticating |
region string | AWS Region to use for signing the authentication request |
headerValue string | The Vault header value to include in the STS signing request |
sessionName string | The role session name to use when creating a webidentity provider |
stsEndpoint string | The STS endpoint to use; if not set will use the default |
iamEndpoint string | The IAM endpoint to use; if not set will use the default |
secretRef string | SecretRef is the name of a Kubernetes Secret which holds credentials for AWS. Expected keys include access_key_id, secret_access_key, session_token |
irsaServiceAccount string | IRSAServiceAccount name to use with IAM Roles for Service Accounts (IRSA), and should be annotated with "eks.amazonaws.com/role-arn". This ServiceAccount will be checked for other EKS annotations: eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration |
VaultAuthConfigAppRole
VaultAuthConfigAppRole provides VaultAuth configuration options needed for authenticating to Vault via an AppRole AuthMethod.
Appears in:
| Field | Description |
|---|---|
roleId string | RoleID of the AppRole Role to use for authenticating to Vault. |
secretRef string | SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which provides the AppRole Role's SecretID. The secret must have a key named id which holds the AppRole Role's secretID. |
VaultAuthConfigJWT
VaultAuthConfigJWT provides VaultAuth configuration options needed for authenticating to Vault.
Appears in:
| Field | Description |
|---|---|
role string | Role to use for authenticating to Vault. |
secretRef string | SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which provides the JWT token to authenticate to Vault's JWT authentication backend. The secret must have a key named jwt which holds the JWT token. |
serviceAccount string | ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's JWT authentication backend. |
audiences string array | TokenAudiences to include in the ServiceAccount token. |
tokenExpirationSeconds integer | TokenExpirationSeconds to set the ServiceAccount token. |
VaultAuthConfigKubernetes
VaultAuthConfigKubernetes provides VaultAuth configuration options needed for authenticating to Vault.
Appears in:
| Field | Description |
|---|---|
role string | Role to use for authenticating to Vault. |
serviceAccount string | ServiceAccount to use when authenticating to Vault's kubernetes authentication backend. |
audiences string array | TokenAudiences to include in the ServiceAccount token. |
tokenExpirationSeconds integer | TokenExpirationSeconds to set the ServiceAccount token. |
VaultAuthList
VaultAuthList contains a list of VaultAuth
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | VaultAuthList |
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
items VaultAuth array |
VaultAuthSpec
VaultAuthSpec defines the desired state of VaultAuth
Appears in:
| Field | Description |
|---|---|
vaultConnectionRef string | VaultConnectionRef to the VaultConnection resource, can be prefixed with a namespace, eg: namespaceA/vaultConnectionRefB. If no namespace prefix is provided it will default to namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the Operator will default to default VaultConnection, configured in its own Kubernetes namespace. |
namespace string | Namespace to auth to in Vault |
allowedNamespaces string array | AllowedNamespaces Kubernetes Namespaces which are allow-listed for use with this AuthMethod. This field allows administrators to customize which Kubernetes namespaces are authorized to use with this AuthMethod. While Vault will still enforce its own rules, this has the added configurability of restricting which VaultAuthMethods can be used by which namespaces. Accepted values: []{"*"} - wildcard, all namespaces. []{"a", "b"} - list of namespaces. unset - disallow all namespaces except the Operator's the VaultAuthMethod's namespace, this is the default behavior. |
method string | Method to use when authenticating to Vault. |
mount string | Mount to use when authenticating to auth method. |
params object (keys:string, values:string) | Params to use when authenticating to Vault |
headers object (keys:string, values:string) | Headers to be included in all Vault requests. |
kubernetes VaultAuthConfigKubernetes | Kubernetes specific auth configuration, requires that the Method be set to kubernetes. |
appRole VaultAuthConfigAppRole | AppRole specific auth configuration, requires that the Method be set to appRole. |
jwt VaultAuthConfigJWT | JWT specific auth configuration, requires that the Method be set to jwt. |
aws VaultAuthConfigAWS | AWS specific auth configuration, requires that Method be set to aws. |
storageEncryption StorageEncryption | StorageEncryption provides the necessary configuration to encrypt the client storage cache. This should only be configured when client cache persistence with encryption is enabled. This is done by passing setting the manager's commandline argument --client-cache-persistence-model=direct-encrypted. Typically, there should only ever be one VaultAuth configured with StorageEncryption in the Cluster, and it should have the label: cacheStorageEncryption=true |
VaultConnection
VaultConnection is the Schema for the vaultconnections API
Appears in:
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | VaultConnection |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec VaultConnectionSpec |
VaultConnectionList
VaultConnectionList contains a list of VaultConnection
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | VaultConnectionList |
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
items VaultConnection array |
VaultConnectionSpec
VaultConnectionSpec defines the desired state of VaultConnection
Appears in:
| Field | Description |
|---|---|
address string | Address of the Vault server |
headers object (keys:string, values:string) | Headers to be included in all Vault requests. |
tlsServerName string | TLSServerName to use as the SNI host for TLS connections. |
caCertSecretRef string | CACertSecretRef is the name of a Kubernetes secret containing the trusted PEM encoded CA certificate chain as ca.crt. |
skipTLSVerify boolean | SkipTLSVerify for TLS connections. |
VaultDynamicSecret
VaultDynamicSecret is the Schema for the vaultdynamicsecrets API
Appears in:
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | VaultDynamicSecret |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec VaultDynamicSecretSpec |
VaultDynamicSecretList
VaultDynamicSecretList contains a list of VaultDynamicSecret
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | VaultDynamicSecretList |
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
items VaultDynamicSecret array |
VaultDynamicSecretSpec
VaultDynamicSecretSpec defines the desired state of VaultDynamicSecret
Appears in:
| Field | Description |
|---|---|
vaultAuthRef string | VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace, eg: namespaceA/vaultAuthRefB. If no namespace prefix is provided it will default to namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will default to the default VaultAuth, configured in its own Kubernetes namespace. |
namespace string | Namespace where the secrets engine is mounted in Vault. |
mount string | Mount path of the secret's engine in Vault. |
requestHTTPMethod string | RequestHTTPMethod to use when syncing Secrets from Vault. Setting a value here is not typically required. If left unset the Operator will make requests using the GET method. In the case where Params are specified the Operator will use the PUT method. Please consult secrets if you are uncertain about what method to use. Of note, the Vault client treats PUT and POST as being equivalent. The underlying Vault client implementation will always use the PUT method. |
path string | Path in Vault to get the credentials for, and is relative to Mount. Please consult secrets if you are uncertain about what 'path' should be set to. |
params object (keys:string, values:string) | Params that can be passed when requesting credentials/secrets. When Params is set the configured RequestHTTPMethod will be ignored. See RequestHTTPMethod for more details. Please consult secrets if you are uncertain about what 'params' should/can be set to. |
renewalPercent integer | RenewalPercent is the percent out of 100 of the lease duration when the lease is renewed. Defaults to 67 percent plus jitter. |
revoke boolean | Revoke the existing lease on VDS resource deletion. |
allowStaticCreds boolean | AllowStaticCreds should be set when syncing credentials that are periodically rotated by the Vault server, rather than created upon request. These secrets are sometimes referred to as "static roles", or "static credentials", with a request path that contains "static-creds". |
rolloutRestartTargets RolloutRestartTarget array | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does not support dynamically reloading a rotated secret. In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. See RolloutRestartTarget for more details. |
destination Destination | Destination provides configuration necessary for syncing the Vault secret to Kubernetes. |
VaultPKISecret
VaultPKISecret is the Schema for the vaultpkisecrets API
Appears in:
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | VaultPKISecret |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec VaultPKISecretSpec |
VaultPKISecretList
VaultPKISecretList contains a list of VaultPKISecret
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | VaultPKISecretList |
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
items VaultPKISecret array |
VaultPKISecretSpec
VaultPKISecretSpec defines the desired state of VaultPKISecret
Appears in:
| Field | Description |
|---|---|
vaultAuthRef string | VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace, eg: namespaceA/vaultAuthRefB. If no namespace prefix is provided it will default to namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will default to the default VaultAuth, configured in its own Kubernetes namespace. |
namespace string | Namespace to get the secret from in Vault |
mount string | Mount for the secret in Vault |
role string | Role in Vault to use when issuing TLS certificates. |
revoke boolean | Revoke the certificate when the resource is deleted. |
clear boolean | Clear the Kubernetes secret when the resource is deleted. |
expiryOffset string | ExpiryOffset to use for computing when the certificate should be renewed. The rotation time will be difference between the expiration and the offset. Should be in duration notation e.g. 30s, 120s, etc. Set to empty string "" to prevent certificate rotation. |
issuerRef string | IssuerRef reference to an existing PKI issuer, either by Vault-generated identifier, the literal string default to refer to the currently configured default issuer, or the name assigned to an issuer. This parameter is part of the request URL. |
rolloutRestartTargets RolloutRestartTarget array | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does not support dynamically reloading a rotated secret. In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. See RolloutRestartTarget for more details. |
destination Destination | Destination provides configuration necessary for syncing the Vault secret to Kubernetes. If the type is set to "kubernetes.io/tls", "tls.key" will be set to the "private_key" response from Vault, and "tls.crt" will be set to "certificate" + "ca_chain" from the Vault response ("issuing_ca" is used when "ca_chain" is empty). The "remove_roots_from_chain=true" option is used with Vault to exclude the root CA from the Vault response. |
commonName string | CommonName to include in the request. |
altNames string array | AltNames to include in the request May contain both DNS names and email addresses. |
ipSans string array | IPSans to include in the request. |
uriSans string array | The requested URI SANs. |
otherSans string array | Requested other SANs, in an array with the format oid;type:value for each entry. |
ttl string | TTL for the certificate; sets the expiration date. If not specified the Vault role's default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount's max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA. Should be in duration notation e.g. 120s, 2h, etc. |
format string | Format for the certificate. Choices: "pem", "der", "pem_bundle". If "pem_bundle", any private key and issuing cert will be appended to the certificate pem. If "der", the value will be base64 encoded. Default: pem |
privateKeyFormat string | PrivateKeyFormat, generally the default will be controlled by the Format parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to "pkcs8" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Default: der |
notAfter string | NotAfter field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ |
excludeCNFromSans boolean | ExcludeCNFromSans from DNS or Email Subject Alternate Names. Default: false |
VaultSecretLease
Appears in:
| Field | Description |
|---|---|
id string | ID of the Vault secret. |
duration integer | LeaseDuration of the Vault secret. |
renewable boolean | Renewable Vault secret lease |
requestID string | RequestID of the Vault secret request. |
VaultStaticCredsMetaData
Appears in:
| Field | Description |
|---|---|
lastVaultRotation integer | LastVaultRotation represents the last time Vault rotated the password |
rotationPeriod integer | RotationPeriod is number in seconds between each rotation, effectively a "time to live". This value is compared to the LastVaultRotation to determine if a password needs to be rotated |
rotationSchedule string | RotationSchedule is a "cron style" string representing the allowed schedule for each rotation. e.g. "1 0 * * *" would rotate at one minute past midnight (00:01) every day. |
ttl integer | TTL is the seconds remaining before the next rotation. |
VaultStaticSecret
VaultStaticSecret is the Schema for the vaultstaticsecrets API
Appears in:
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | VaultStaticSecret |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec VaultStaticSecretSpec |
VaultStaticSecretList
VaultStaticSecretList contains a list of VaultStaticSecret
| Field | Description |
|---|---|
apiVersion string | secrets.hashicorp.com/v1beta1 |
kind string | VaultStaticSecretList |
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
items VaultStaticSecret array |
VaultStaticSecretSpec
VaultStaticSecretSpec defines the desired state of VaultStaticSecret
Appears in:
| Field | Description |
|---|---|
vaultAuthRef string | VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace, eg: namespaceA/vaultAuthRefB. If no namespace prefix is provided it will default to namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will default to the default VaultAuth, configured in its own Kubernetes namespace. |
namespace string | Namespace to get the secret from in Vault |
mount string | Mount for the secret in Vault |
path string | Path of the secret in Vault, corresponds to the path parameter for, kv-v1 kv-v2 |
version integer | Version of the secret to fetch. Only valid for type kv-v2. Corresponds to version query parameter: version |
type string | Type of the Vault static secret |
refreshAfter string | RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h |
hmacSecretData boolean | HMACSecretData determines whether the Operator computes the HMAC of the Secret's data. The MAC value will be stored in the resource's Status.SecretMac field, and will be used for drift detection and during incoming Vault secret comparison. Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault. |
rolloutRestartTargets RolloutRestartTarget array | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does not support dynamically reloading a rotated secret. In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. All configured targets wil be ignored if HMACSecretData is set to false. See RolloutRestartTarget for more details. |
destination Destination | Destination provides configuration necessary for syncing the Vault secret to Kubernetes. |