v1alpha1

package

Documentation

Overview

+groupName=kubevault.com

Index

Constants

const (
	// ResourceKindVaultServer is the Kind of the VaultServer custom resource.
	ResourceKindVaultServer = "VaultServer"
	// ResourceVaultServer is the lowercase singular resource name of VaultServer.
	ResourceVaultServer     = "vaultserver"
	// ResourceVaultServers is the lowercase plural resource name of VaultServer.
	ResourceVaultServers    = "vaultservers"
)

Variables

var (
	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.

	// SchemeBuilder collects the functions that register this package's types
	// with a runtime.Scheme.
	SchemeBuilder runtime.SchemeBuilder

	// AddToScheme registers this package's types with a runtime.Scheme. It
	// delegates to localSchemeBuilder, which is declared elsewhere in the package.
	AddToScheme = localSchemeBuilder.AddToScheme
)
// SchemeGroupVersion is the group/version under which this package's types are
// registered: group kubevault.GroupName, version "v1alpha1".
var SchemeGroupVersion = schema.GroupVersion{Group: kubevault.GroupName, Version: "v1alpha1"}

Functions

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource name and returns a GroupResource qualified with this package's Group.

Types

type AuthConfig

// AuthConfig holds the tunable options of a Vault auth method mount; it is
// referenced from AuthMethod.Config. Every field is optional.
type AuthConfig struct {
	// The default lease duration, specified as a string duration like "5s" or "30m".
	// +optional
	DefaultLeaseTTL string `json:"defaultLeaseTTL,omitempty"`

	// The maximum lease duration, specified as a string duration like "5s" or "30m".
	// +optional
	MaxLeaseTTL string `json:"maxLeaseTTL,omitempty"`

	// The name of the plugin in the plugin catalog to use.
	// +optional
	PluginName string `json:"pluginName,omitempty"`

	// List of keys that will not be HMAC'd by audit devices in the request data object.
	// Values under these keys therefore appear unhashed in the audit log; list only
	// keys that are known not to carry secrets.
	// +optional
	AuditNonHMACRequestKeys []string `json:"auditNonHMACRequestKeys,omitempty"`

	// List of keys that will not be HMAC'd by audit devices in the response data object.
	// Values under these keys therefore appear unhashed in the audit log; list only
	// keys that are known not to carry secrets.
	// +optional
	AuditNonHMACResponseKeys []string `json:"auditNonHMACResponseKeys,omitempty"`

	// Specifies whether to show this mount in the UI-specific listing endpoint.
	// +optional
	ListingVisibility string `json:"listingVisibility,omitempty"`

	// List of headers to whitelist and pass from the request to the backend.
	// +optional
	PassthroughRequestHeaders []string `json:"passthroughRequestHeaders,omitempty"`
}

func (*AuthConfig) DeepCopy

func (in *AuthConfig) DeepCopy() *AuthConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthConfig.

func (*AuthConfig) DeepCopyInto

func (in *AuthConfig) DeepCopyInto(out *AuthConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthMethod

type AuthMethod struct {
	// Specifies the name of the authentication method type, such as "github" or "token".
	Type string `json:"type"`

	// Specifies the path in which to enable the auth method.
	// Default value is the same as the 'type'.
	// NOTE(review): the json tag has no omitempty, so an unset path is serialized as "";
	// the documented default is presumably applied by the controller — confirm.
	Path string `json:"path"`

	// Specifies a human-friendly description of the auth method.
	// +optional
	Description string `json:"description,omitempty"`

	// Specifies configuration options for this auth method.
	// +optional
	Config *AuthConfig `json:"config,omitempty"`

	// Specifies the name of the auth plugin to use based from the name in the plugin catalog.
	// Applies only to plugin methods.
	// +optional
	PluginName string `json:"pluginName,omitempty"`

	// Specifies if the auth method is local only. Local auth methods are not replicated nor (if a secondary) removed by replication.
	// +optional
	Local bool `json:"local,omitempty"`
}

AuthMethod contains the information needed to enable a Vault auth method. Reference: https://www.vaultproject.io/api/system/auth.html

func (*AuthMethod) DeepCopy

func (in *AuthMethod) DeepCopy() *AuthMethod

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthMethod.

func (*AuthMethod) DeepCopyInto

func (in *AuthMethod) DeepCopyInto(out *AuthMethod)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthMethodEnableDisableStatus

// AuthMethodEnableDisableStatus records the outcome of the last enable or
// disable attempt on an auth method; it is the type of AuthMethodStatus.Status.
type AuthMethodEnableDisableStatus string
const (
	// AuthMethodEnableSucceeded: the auth method was enabled successfully.
	AuthMethodEnableSucceeded  AuthMethodEnableDisableStatus = "EnableSucceeded"
	// AuthMethodEnableFailed: enabling the auth method failed; see AuthMethodStatus.Reason.
	AuthMethodEnableFailed     AuthMethodEnableDisableStatus = "EnableFailed"
	// AuthMethodDisableSucceeded: the auth method was disabled successfully.
	AuthMethodDisableSucceeded AuthMethodEnableDisableStatus = "DisableSucceeded"
	// AuthMethodDisableFailed: disabling the auth method failed; see AuthMethodStatus.Reason.
	AuthMethodDisableFailed    AuthMethodEnableDisableStatus = "DisableFailed"
)

type AuthMethodStatus

type AuthMethodStatus struct {
	// Specifies the name of the authentication method type, such as "github" or "token".
	Type string `json:"type"`

	// Specifies the path in which to enable the auth method.
	Path string `json:"path"`

	// Specifies whether the last enable/disable of the auth method succeeded or failed;
	// see the AuthMethodEnableDisableStatus constants for the possible values.
	Status AuthMethodEnableDisableStatus `json:"status"`

	// Specifies the reason why enabling (or disabling) the auth method failed.
	// +optional
	Reason string `json:"reason,omitempty"`
}

AuthMethodStatus specifies the status of an auth method as maintained by the auth method controller.

func (*AuthMethodStatus) DeepCopy

func (in *AuthMethodStatus) DeepCopy() *AuthMethodStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthMethodStatus.

func (*AuthMethodStatus) DeepCopyInto

func (in *AuthMethodStatus) DeepCopyInto(out *AuthMethodStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthMethodType

// AuthMethodType names a Vault auth method type as used in AuthMethod.Type.
type AuthMethodType string
const (
	// AuthTypeKubernetes is Vault's "kubernetes" auth method.
	AuthTypeKubernetes AuthMethodType = "kubernetes"
	// AuthTypeAws is Vault's "aws" auth method.
	AuthTypeAws        AuthMethodType = "aws"
	// AuthTypeGcp is Vault's "gcp" auth method.
	AuthTypeGcp        AuthMethodType = "gcp"
	// AuthTypeUserPass is Vault's "userpass" auth method.
	AuthTypeUserPass   AuthMethodType = "userpass"
	// AuthTypeCert is Vault's "cert" (TLS client certificate) auth method.
	AuthTypeCert       AuthMethodType = "cert"
	// AuthTypeAzure is Vault's "azure" auth method.
	AuthTypeAzure      AuthMethodType = "azure"
)

type AwsKmsSsmSpec

type AwsKmsSsmSpec struct {
	// The ID or ARN of the AWS KMS key to encrypt values
	KmsKeyID string `json:"kmsKeyID"`

	// The AWS region to use.
	// +optional
	Region string `json:"region,omitempty"`

	// Specifies the name of the Kubernetes Secret containing the AWS access key and
	// AWS secret key. Only the Secret's name is stored here; the credentials
	// themselves never appear in this object.
	// secret data:
	//	- access_key:<value>
	//	- secret_key:<value>
	// +optional
	CredentialSecret string `json:"credentialSecret,omitempty"`
}

AwsKmsSsmSpec contains the fields required to unseal Vault using AWS KMS and SSM.

func (*AwsKmsSsmSpec) DeepCopy

func (in *AwsKmsSsmSpec) DeepCopy() *AwsKmsSsmSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsKmsSsmSpec.

func (*AwsKmsSsmSpec) DeepCopyInto

func (in *AwsKmsSsmSpec) DeepCopyInto(out *AwsKmsSsmSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AzureKeyVault

type AzureKeyVault struct {
	// Azure key vault url, for example https://myvault.vault.azure.net
	VaultBaseUrl string `json:"vaultBaseUrl"`

	// The cloud environment identifier
	// default: "AZUREPUBLICCLOUD"
	// +optional
	Cloud string `json:"cloud,omitempty"`

	// The AAD Tenant ID
	TenantID string `json:"tenantID"`

	// Specifies the name of the Kubernetes Secret containing the client cert and
	// client cert password. Only the Secret's name is stored here.
	// secret data:
	//	- client-cert:<value>
	//	- client-cert-password:<value>
	// +optional
	ClientCertSecret string `json:"clientCertSecret,omitempty"`

	// Specifies the name of the Kubernetes Secret containing the client id and
	// client secret of the AAD application. Only the Secret's name is stored here.
	// secret data:
	//	- client-id:<value>
	//	- client-secret:<value>
	// +optional
	AADClientSecret string `json:"aadClientSecret,omitempty"`

	// Use managed service identity for the virtual machine
	// +optional
	UseManagedIdentity bool `json:"useManagedIdentity,omitempty"`
}

AzureKeyVault contains the fields required to unseal Vault using Azure Key Vault.

func (*AzureKeyVault) DeepCopy

func (in *AzureKeyVault) DeepCopy() *AzureKeyVault

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKeyVault.

func (*AzureKeyVault) DeepCopyInto

func (in *AzureKeyVault) DeepCopyInto(out *AzureKeyVault)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AzureSpec

type AzureSpec struct {
	// Specifies the Azure Storage account name.
	AccountName string `json:"accountName"`

	// Specifies the name of the Kubernetes Secret containing the Azure Storage account key.
	// secret data:
	//	- account_key:<value>
	AccountKeySecret string `json:"accountKeySecret"`

	// Specifies the Azure Storage Blob container name.
	Container string `json:"container"`

	// Specifies the maximum number of concurrent operations to take place.
	// +optional
	MaxParallel int `json:"maxParallel,omitempty"`
}

Vault doc: https://www.vaultproject.io/docs/configuration/storage/azure.html

AzureSpec defines the configuration to set up Azure Storage as the backend storage in Vault.

func (*AzureSpec) DeepCopy

func (in *AzureSpec) DeepCopy() *AzureSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureSpec.

func (*AzureSpec) DeepCopyInto

func (in *AzureSpec) DeepCopyInto(out *AzureSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type BackendStorageSpec

type BackendStorageSpec struct {
	// NOTE(review): nothing in this type enforces that exactly one backend is set;
	// the type's TODO comment says defaults and validation are still pending.

	// ref: https://www.vaultproject.io/docs/configuration/storage/in-memory.html
	// +optional
	Inmem *InmemSpec `json:"inmem,omitempty"`

	// +optional
	Etcd *EtcdSpec `json:"etcd,omitempty"`

	// +optional
	Gcs *GcsSpec `json:"gcs,omitempty"`

	// +optional
	S3 *S3Spec `json:"s3,omitempty"`

	// +optional
	Azure *AzureSpec `json:"azure,omitempty"`

	// +optional
	PostgreSQL *PostgreSQLSpec `json:"postgreSQL,omitempty"`

	// +optional
	MySQL *MySQLSpec `json:"mySQL,omitempty"`

	// +optional
	File *FileSpec `json:"file,omitempty"`

	// +optional
	DynamoDB *DynamoDBSpec `json:"dynamoDB,omitempty"`

	// +optional
	Swift *SwiftSpec `json:"swift,omitempty"`

	// +optional
	Consul *ConsulSpec `json:"consul,omitempty"`
}

TODO: set defaults and validation. BackendStorageSpec defines the storage backend configuration of Vault.

func (*BackendStorageSpec) DeepCopy

func (in *BackendStorageSpec) DeepCopy() *BackendStorageSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendStorageSpec.

func (*BackendStorageSpec) DeepCopyInto

func (in *BackendStorageSpec) DeepCopyInto(out *BackendStorageSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ClusterPhase

// ClusterPhase is the coarse lifecycle phase reported for a Vault cluster.
type ClusterPhase string
const (
	// ClusterPhaseProcessing: the cluster is being reconciled.
	ClusterPhaseProcessing    ClusterPhase = "Processing"
	// ClusterPhaseUnInitialized: Vault has not been initialized yet.
	ClusterPhaseUnInitialized ClusterPhase = "Uninitialized"
	// ClusterPhaseRunning: Vault is initialized and unsealed.
	ClusterPhaseRunning       ClusterPhase = "Running"
	// ClusterPhaseSealed: Vault is initialized but sealed.
	ClusterPhaseSealed        ClusterPhase = "Sealed"
)

type ConsulSpec

type ConsulSpec struct {
	// Specifies the address of the Consul agent to communicate with.
	// This can be an IP address, DNS record, or unix socket.
	// +optional
	Address string `json:"address,omitempty"`

	// Specifies the check interval used to send health check information
	// back to Consul.
	// This is specified using a label suffix like "30s" or "1h".
	// +optional
	CheckTimeout string `json:"checkTimeout,omitempty"`

	// Specifies the Consul consistency mode.
	// Possible values are "default" or "strong".
	// +optional
	ConsistencyMode string `json:"consistencyMode,omitempty"`

	// Specifies whether Vault should register itself with Consul.
	// Possible values are "true" or "false" (the field is a string, not a bool).
	// +optional
	DisableRegistration string `json:"disableRegistration,omitempty"`

	// Specifies the maximum number of concurrent requests to Consul.
	// NOTE(review): declared as a string here, unlike the int MaxParallel of the
	// other storage specs — confirm the expected format.
	// +optional
	MaxParallel string `json:"maxParallel,omitempty"`

	// Specifies the path in Consul's key-value store
	// where Vault data will be stored.
	// +optional
	Path string `json:"path,omitempty"`

	// Specifies the scheme to use when communicating with Consul.
	// This can be set to "http" or "https".
	// +optional
	Scheme string `json:"scheme,omitempty"`

	// Specifies the name of the service to register in Consul.
	// +optional
	Service string `json:"service,omitempty"`

	// Specifies a comma-separated list of tags
	// to attach to the service registration in Consul.
	// +optional
	ServiceTags string `json:"serviceTags,omitempty"`

	// Specifies a service-specific address to set on the service registration
	// in Consul.
	// If unset, Vault will use what it knows to be the HA redirect address
	// - which is usually desirable.
	// Setting this parameter to "" will tell Consul to leverage the configuration
	// of the node the service is registered on dynamically.
	// +optional
	ServiceAddress string `json:"serviceAddress,omitempty"`

	// Specifies the name of the Kubernetes Secret that contains the ACL token with
	// permission to read and write from the path in Consul's key-value store.
	// secret data:
	//	- aclToken:<value>
	// +optional
	ACLTokenSecretName string `json:"aclTokenSecretName,omitempty"`

	// Specifies the minimum allowed session TTL.
	// Consul server has a lower limit of 10s on the session TTL by default.
	// +optional
	SessionTTL string `json:"sessionTTL,omitempty"`

	// Specifies the wait time before a lock acquisition is made.
	// This affects the minimum time it takes to cancel a lock acquisition.
	// +optional
	LockWaitTime string `json:"lockWaitTime,omitempty"`

	// Specifies the name of the Kubernetes Secret that contains tls_ca_file,
	// tls_cert_file and tls_key_file for consul communication
	// Secret data:
	//	- ca.crt
	//	- client.crt
	//	- client.key
	// +optional
	TLSSecretName string `json:"tlsSecretName,omitempty"`

	// Specifies the minimum TLS version to use.
	// Accepted values are "tls10", "tls11" or "tls12".
	// +optional
	TLSMinVersion string `json:"tlsMinVersion,omitempty"`

	// Specifies if the TLS host (certificate) verification should be disabled.
	// Disabling it removes the server-identity check on the Consul connection,
	// so it is highly discouraged outside of local testing.
	// +optional
	TLSSkipVerify bool `json:"tlsSkipVerify,omitempty"`
}

Vault doc: https://www.vaultproject.io/docs/configuration/storage/consul.html

ConsulSpec defines the configuration to set up Consul as the backend storage in Vault.

func (*ConsulSpec) DeepCopy

func (in *ConsulSpec) DeepCopy() *ConsulSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConsulSpec.

func (*ConsulSpec) DeepCopyInto

func (in *ConsulSpec) DeepCopyInto(out *ConsulSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type DynamoDBSpec

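type DynamoDBSpec struct {
	// Specifies an alternative, AWS compatible, DynamoDB endpoint.
	// +optional
	EndPoint string `json:"endPoint,omitempty"`

	// Specifies the AWS region
	// +optional
	Region string `json:"region,omitempty"`

	// Specifies whether this backend should be used to run Vault in high availability mode.
	// +optional
	HaEnabled bool `json:"haEnabled,omitempty"`

	// Specifies the maximum number of reads consumed per second on the table.
	// The tag option used to be misspelled "omiempty", which encoding/json ignores,
	// so a zero value was serialized as "readCapacity":0 instead of being omitted.
	// +optional
	ReadCapacity int `json:"readCapacity,omitempty"`

	// Specifies the maximum number of writes performed per second on the table.
	// +optional
	WriteCapacity int `json:"writeCapacity,omitempty"`

	// Specifies the name of the DynamoDB table in which to store Vault data.
	// If the specified table does not yet exist, it will be created during initialization.
	// default: vault-dynamodb-backend
	// +optional
	Table string `json:"table,omitempty"`

	// Specifies the name of the Kubernetes Secret containing the AWS access key and
	// AWS secret key. Only the Secret's name is stored here.
	// secret data:
	//	- access_key=<value>
	//	- secret_key=<value>
	// +optional
	CredentialSecret string `json:"credentialSecret,omitempty"`

	// Specifies the name of the Kubernetes Secret containing the AWS session token
	// secret data:
	//	- session_token:<value>
	// +optional
	SessionTokenSecret string `json:"sessionTokenSecret,omitempty"`

	// Specifies the maximum number of parallel operations to take place.
	// +optional
	MaxParallel int `json:"maxParallel,omitempty"`
}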

Vault doc: https://www.vaultproject.io/docs/configuration/storage/dynamodb.html

DynamoDBSpec defines the configuration to set up DynamoDB as the backend storage in Vault.

func (*DynamoDBSpec) DeepCopy

func (in *DynamoDBSpec) DeepCopy() *DynamoDBSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamoDBSpec.

func (*DynamoDBSpec) DeepCopyInto

func (in *DynamoDBSpec) DeepCopyInto(out *DynamoDBSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EtcdSpec

type EtcdSpec struct {
	// Specifies the addresses of the etcd instances
	Address string `json:"address"`

	// Specifies the version of the API to communicate with etcd
	// +optional
	EtcdApi string `json:"etcdApi,omitempty"`

	// Specifies if high availability should be enabled
	// +optional
	HAEnable bool `json:"haEnable,omitempty"`

	// Specifies the path in etcd where vault data will be stored
	// +optional
	Path string `json:"path,omitempty"`

	// Specifies whether to sync list of available etcd services on startup
	// +optional
	Sync bool `json:"sync,omitempty"`

	// Specifies the domain name to query for SRV records describing cluster endpoints
	// +optional
	DiscoverySrv string `json:"discoverySrv,omitempty"`

	// Specifies the name of the Kubernetes Secret that contains the username and
	// password to use when authenticating with the etcd server
	// secret data:
	//	- username:<value>
	//	- password:<value>
	// +optional
	CredentialSecretName string `json:"credentialSecretName,omitempty"`

	// Specifies the name of the Kubernetes Secret that contains tls_ca_file,
	// tls_cert_file and tls_key_file for etcd communication
	// secret data:
	//	- ca.crt
	//	- client.crt
	//	- client.key
	// +optional
	TLSSecretName string `json:"tlsSecretName,omitempty"`
}

TODO: set defaults and validation. Vault doc: https://www.vaultproject.io/docs/configuration/storage/etcd.html

EtcdSpec defines the configuration to set up etcd as the backend storage in Vault.

func (*EtcdSpec) DeepCopy

func (in *EtcdSpec) DeepCopy() *EtcdSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EtcdSpec.

func (*EtcdSpec) DeepCopyInto

func (in *EtcdSpec) DeepCopyInto(out *EtcdSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FileSpec

type FileSpec struct {
	// The absolute path on disk to the directory where the data will be stored.
	// If the directory does not exist, Vault will create it.
	// NOTE(review): presumably a path inside the Vault container; whether the data
	// survives a pod restart depends on what is mounted there — confirm.
	Path string `json:"path"`
}

Vault doc: https://www.vaultproject.io/docs/configuration/storage/filesystem.html

FileSpec defines the configuration to set up filesystem storage as the backend storage in Vault.

func (*FileSpec) DeepCopy

func (in *FileSpec) DeepCopy() *FileSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FileSpec.

func (*FileSpec) DeepCopyInto

func (in *FileSpec) DeepCopyInto(out *FileSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GcsSpec

type GcsSpec struct {
	// Specifies the name of the bucket to use for storage.
	Bucket string `json:"bucket"`

	// Specifies the maximum size (in kilobytes) to send in a single request. If set to 0,
	// it will attempt to send the whole object at once, but will not retry any failures.
	// NOTE(review): declared as a string although documented as a number of kilobytes —
	// confirm the expected format.
	// +optional
	ChunkSize string `json:"chunkSize,omitempty"`

	// Specifies the maximum number of parallel operations to take place.
	// +optional
	MaxParallel int `json:"maxParallel,omitempty"`

	// Specifies if high availability mode is enabled.
	// +optional
	HAEnabled bool `json:"haEnabled,omitempty"`

	// Name of the Kubernetes Secret containing the Google application credential.
	// Only the Secret's name is stored here.
	// secret data:
	//	- sa.json:<value>
	// +optional
	CredentialSecret string `json:"credentialSecret,omitempty"`
}

Vault doc: https://www.vaultproject.io/docs/configuration/storage/google-cloud-storage.html

GcsSpec defines the configuration to set up Google Cloud Storage as the backend storage in Vault.

func (*GcsSpec) DeepCopy

func (in *GcsSpec) DeepCopy() *GcsSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcsSpec.

func (*GcsSpec) DeepCopyInto

func (in *GcsSpec) DeepCopyInto(out *GcsSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GoogleKmsGcsSpec

type GoogleKmsGcsSpec struct {
	// The name of the Google Cloud KMS crypto key to use
	KmsCryptoKey string `json:"kmsCryptoKey"`

	// The name of the Google Cloud KMS key ring to use
	KmsKeyRing string `json:"kmsKeyRing"`

	// The Google Cloud KMS location to use (eg. 'global', 'europe-west1')
	KmsLocation string `json:"kmsLocation"`

	// The Google Cloud KMS project to use
	KmsProject string `json:"kmsProject"`

	// The name of the Google Cloud Storage bucket to store values in
	Bucket string `json:"bucket"`

	// Name of the Kubernetes Secret containing the Google application credential.
	// Only the Secret's name is stored here.
	// secret data:
	//	- sa.json:<value>
	// +optional
	CredentialSecret string `json:"credentialSecret,omitempty"`
}

GoogleKmsGcsSpec contains the fields required to unseal Vault using Google Cloud KMS.

func (*GoogleKmsGcsSpec) DeepCopy

func (in *GoogleKmsGcsSpec) DeepCopy() *GoogleKmsGcsSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GoogleKmsGcsSpec.

func (*GoogleKmsGcsSpec) DeepCopyInto

func (in *GoogleKmsGcsSpec) DeepCopyInto(out *GoogleKmsGcsSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type InmemSpec

// InmemSpec selects Vault's in-memory storage backend; it has no configurable
// fields. Data held by this backend lives only in the Vault process's memory
// (see the linked Vault doc), so it is not suited to anything but testing.
type InmemSpec struct {
}

ref: https://www.vaultproject.io/docs/configuration/storage/in-memory.html

func (*InmemSpec) DeepCopy

func (in *InmemSpec) DeepCopy() *InmemSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InmemSpec.

func (*InmemSpec) DeepCopyInto

func (in *InmemSpec) DeepCopyInto(out *InmemSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type KubernetesSecretSpec

type KubernetesSecretSpec struct {
	// SecretName is the name of the Kubernetes Secret used for unsealing —
	// presumably where the unseal keys (and, per UnsealerSpec.StoreRootToken,
	// the root token) are kept. Anyone able to read that Secret can unseal
	// Vault, so its RBAC exposure should be kept minimal.
	SecretName string `json:"secretName"`
}

KubernetesSecretSpec contains the fields required to unseal Vault using a Kubernetes Secret.

func (*KubernetesSecretSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesSecretSpec.

func (*KubernetesSecretSpec) DeepCopyInto

func (in *KubernetesSecretSpec) DeepCopyInto(out *KubernetesSecretSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ModeSpec

type ModeSpec struct {
	// NOTE(review): one unseal mechanism is presumably expected to be set; nothing
	// in this type enforces that — confirm where it is validated.

	// +optional
	KubernetesSecret *KubernetesSecretSpec `json:"kubernetesSecret,omitempty"`

	// +optional
	GoogleKmsGcs *GoogleKmsGcsSpec `json:"googleKmsGcs,omitempty"`

	// +optional
	AwsKmsSsm *AwsKmsSsmSpec `json:"awsKmsSsm,omitempty"`

	// +optional
	AzureKeyVault *AzureKeyVault `json:"azureKeyVault,omitempty"`
}

ModeSpec contains the unseal mechanism.

func (*ModeSpec) DeepCopy

func (in *ModeSpec) DeepCopy() *ModeSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ModeSpec.

func (*ModeSpec) DeepCopyInto

func (in *ModeSpec) DeepCopyInto(out *ModeSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type MySQLSpec

type MySQLSpec struct {
	// Specifies the address of the MySQL host.
	// NOTE(review): marked +optional but the json tag has no omitempty, so an unset
	// address is serialized as "" — confirm which is intended.
	// +optional
	Address string `json:"address"`

	// Specifies the name of the database. If the database does not exist, Vault will attempt to create it.
	// +optional
	Database string `json:"database,omitempty"`

	// Specifies the name of the table. If the table does not exist, Vault will attempt to create it.
	// +optional
	Table string `json:"table,omitempty"`

	// Specifies the name of the Kubernetes Secret holding the MySQL username and
	// password used to connect to the database.
	// secret data:
	//	- username=<value>
	//	- password=<value>
	UserCredentialSecret string `json:"userCredentialSecret"`

	// Specifies the name of the secret containing the CA certificate to connect using TLS.
	// secret data:
	//	- tls_ca_file=<ca_cert>
	// +optional
	TLSCASecret string `json:"tlsCASecret,omitempty"`

	// Specifies the maximum number of concurrent requests to take place.
	// +optional
	MaxParallel int `json:"maxParallel,omitempty"`
}

Vault doc: https://www.vaultproject.io/docs/configuration/storage/mysql.html

MySQLSpec defines the configuration to set up MySQL as the backend storage in Vault.

func (*MySQLSpec) DeepCopy

func (in *MySQLSpec) DeepCopy() *MySQLSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLSpec.

func (*MySQLSpec) DeepCopyInto

func (in *MySQLSpec) DeepCopyInto(out *MySQLSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PostgreSQLSpec

type PostgreSQLSpec struct {
	// Specifies the name of the Kubernetes Secret containing the connection string used
	// to authenticate and connect to PostgreSQL. The string is kept in a Secret because
	// it normally carries the database credentials.
	// A full list of supported parameters can be found in the pq library documentation(https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters).
	// secret data:
	//	- connection_url:<data>
	ConnectionUrlSecret string `json:"connectionUrlSecret"`

	// Specifies the name of the table in which to write Vault data.
	// This table must already exist (Vault will not attempt to create it).
	// +optional
	Table string `json:"table,omitempty"`

	// Specifies the maximum number of concurrent requests to take place.
	// +optional
	MaxParallel int `json:"maxParallel,omitempty"`
}

Vault doc: https://www.vaultproject.io/docs/configuration/storage/postgresql.html

PostgreSQLSpec defines the configuration to set up PostgreSQL as the backend storage in Vault.

func (*PostgreSQLSpec) DeepCopy

func (in *PostgreSQLSpec) DeepCopy() *PostgreSQLSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgreSQLSpec.

func (*PostgreSQLSpec) DeepCopyInto

func (in *PostgreSQLSpec) DeepCopyInto(out *PostgreSQLSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type S3Spec

type S3Spec struct {
	// Specifies the name of the bucket to use for storage.
	Bucket string `json:"bucket"`

	// Specifies an alternative, AWS compatible, S3 endpoint.
	// +optional
	EndPoint string `json:"endPoint,omitempty"`

	// Specifies the AWS region
	// +optional
	Region string `json:"region,omitempty"`

	// Specifies the name of the Kubernetes Secret containing the AWS access key and
	// AWS secret key. Only the Secret's name is stored here.
	// secret data:
	//	- access_key=<value>
	//	- secret_key=<value>
	// +optional
	CredentialSecret string `json:"credentialSecret,omitempty"`

	// Specifies the name of the Kubernetes Secret containing the AWS session token
	// secret data:
	//	- session_token:<value>
	// +optional
	SessionTokenSecret string `json:"sessionTokenSecret,omitempty"`

	// Specifies the maximum number of parallel operations to take place.
	// +optional
	MaxParallel int `json:"maxParallel,omitempty"`

	// Specifies whether to use host bucket style domains with the configured endpoint.
	// +optional
	S3ForcePathStyle bool `json:"s3ForcePathStyle,omitempty"`

	// Specifies whether SSL/TLS is disabled for the endpoint connection. When true,
	// Vault talks to the endpoint over plaintext HTTP; leave it false unless the
	// endpoint is reachable only that way.
	// +optional
	DisableSSL bool `json:"disableSSL,omitempty"`
}

Vault doc: https://www.vaultproject.io/docs/configuration/storage/s3.html

S3Spec defines the configuration to set up Amazon S3 as the backend storage in Vault.

func (*S3Spec) DeepCopy

func (in *S3Spec) DeepCopy() *S3Spec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3Spec.

func (*S3Spec) DeepCopyInto

func (in *S3Spec) DeepCopyInto(out *S3Spec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SwiftSpec

type SwiftSpec struct {
	// Specifies the OpenStack authentication endpoint.
	AuthUrl string `json:"authUrl"`

	// Specifies the name of the Swift container.
	Container string `json:"container"`

	// Specifies the name of the Kubernetes Secret containing the OpenStack
	// account/username and password. Only the Secret's name is stored here.
	// secret data:
	//	- username=<value>
	//	- password=<value>
	CredentialSecret string `json:"credentialSecret"`

	// Specifies the name of the tenant. If left blank, this will default to the default tenant of the username.
	// +optional
	Tenant string `json:"tenant,omitempty"`

	// Specifies the name of the region.
	// +optional
	Region string `json:"region,omitempty"`

	// Specifies the id of the tenant.
	// +optional
	TenantID string `json:"tenantID,omitempty"`

	// Specifies the name of the user domain.
	// +optional
	Domain string `json:"domain,omitempty"`

	// Specifies the name of the project's domain.
	// +optional
	ProjectDomain string `json:"projectDomain,omitempty"`

	// Specifies the id of the trust.
	// +optional
	TrustID string `json:"trustID,omitempty"`

	// Specifies storage URL from alternate authentication.
	// +optional
	StorageUrl string `json:"storageUrl,omitempty"`

	// Specifies the name of the Kubernetes Secret containing the auth token from
	// alternate authentication.
	// secret data:
	//	- auth_token=<value>
	// +optional
	AuthTokenSecret string `json:"authTokenSecret,omitempty"`

	// Specifies the maximum number of concurrent requests to take place.
	// +optional
	MaxParallel int `json:"maxParallel,omitempty"`
}

Vault doc: https://www.vaultproject.io/docs/configuration/storage/swift.html

SwiftSpec defines the configuration to set up OpenStack Swift as the backend storage in Vault.

func (*SwiftSpec) DeepCopy

func (in *SwiftSpec) DeepCopy() *SwiftSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SwiftSpec.

func (*SwiftSpec) DeepCopyInto

func (in *SwiftSpec) DeepCopyInto(out *SwiftSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TLSPolicy

type TLSPolicy struct {
	// TLSSecret is the name of the Kubernetes Secret containing the TLS certs used by
	// each vault node for the communication between the vault server and its clients.
	// The secret should contain the following files:
	// 	- tls.crt
	// 	- tls.key
	//
	// The server certificate must allow the following wildcard domains:
	// 	- localhost
	// 	- *.<namespace>.pod
	// 	- <vaultServer-name>.<namespace>.svc
	TLSSecret string `json:"tlsSecret"`

	// CABundle is a PEM encoded CA bundle which will be used to validate the serving certificate.
	// Being a []byte, it is carried base64-encoded in the JSON/YAML manifest
	// (encoding/json encodes byte slices as base64).
	// +optional
	CABundle []byte `json:"caBundle,omitempty"`
}

TLSPolicy defines the TLS policy of the Vault nodes. If it is not set, the operator will auto-generate the TLS assets and secrets.

func (*TLSPolicy) DeepCopy

func (in *TLSPolicy) DeepCopy() *TLSPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSPolicy.

func (*TLSPolicy) DeepCopyInto

func (in *TLSPolicy) DeepCopyInto(out *TLSPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type UnsealerSpec

type UnsealerSpec struct {
	// Total count of secret shares that exist
	// +optional
	SecretShares int `json:"secretShares,omitempty"`

	// Minimum required secret shares to unseal
	// +optional
	SecretThreshold int `json:"secretThreshold,omitempty"`

	// How often to attempt to unseal the vault instance
	// NOTE(review): time.Duration is an int64 count of nanoseconds and encoding/json
	// serializes it as that integer, so the "Seconds" suffix does not describe the
	// wire value — confirm how the controller interprets this field.
	// +optional
	RetryPeriodSeconds time.Duration `json:"retryPeriodSeconds,omitempty"`

	// Overwrite existing unseal keys and root tokens, possibly dangerous!
	// Keep this false unless re-initialising the cluster is intended.
	// +optional
	OverwriteExisting bool `json:"overwriteExisting,omitempty"`

	// Should the root token be stored in the key store (default true).
	// NOTE(review): a bool with omitempty cannot carry an explicit false, so the
	// documented default is presumably applied by the controller — confirm.
	// +optional
	StoreRootToken bool `json:"storeRootToken,omitempty"`

	// Mode contains the unseal mechanism; see ModeSpec.
	// +optional
	Mode ModeSpec `json:"mode,omitempty"`
}

UnsealerSpec contains the configuration for automatically initializing and unsealing Vault.

func (*UnsealerSpec) DeepCopy

func (in *UnsealerSpec) DeepCopy() *UnsealerSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UnsealerSpec.

func (*UnsealerSpec) DeepCopyInto

func (in *UnsealerSpec) DeepCopyInto(out *UnsealerSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultServer

// VaultServer is the custom resource describing a Vault deployment managed by
// the operator. Spec carries the desired configuration (VaultServerSpec) and
// Status the state observed by the operator (VaultServerStatus).
type VaultServer struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              VaultServerSpec   `json:"spec,omitempty"`
	Status            VaultServerStatus `json:"status,omitempty"`
}

func (VaultServer) AppBindingName

func (v VaultServer) AppBindingName() string

func (VaultServer) ConfigMapName

func (v VaultServer) ConfigMapName() string

func (VaultServer) CustomResourceDefinition

func (v VaultServer) CustomResourceDefinition() *apiextensions.CustomResourceDefinition

func (*VaultServer) DeepCopy

func (in *VaultServer) DeepCopy() *VaultServer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServer.

func (*VaultServer) DeepCopyInto

func (in *VaultServer) DeepCopyInto(out *VaultServer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultServer) DeepCopyObject

func (in *VaultServer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (VaultServer) GetKey

func (v VaultServer) GetKey() string

func (VaultServer) IsValid

func (v VaultServer) IsValid() error

func (VaultServer) OffshootLabels

func (v VaultServer) OffshootLabels() map[string]string

func (VaultServer) OffshootName

func (v VaultServer) OffshootName() string

func (VaultServer) OffshootSelectors

func (v VaultServer) OffshootSelectors() map[string]string

func (VaultServer) PolicyNameForAuthMethodController

func (v VaultServer) PolicyNameForAuthMethodController() string

func (VaultServer) PolicyNameForPolicyController

func (v VaultServer) PolicyNameForPolicyController() string

func (VaultServer) ServiceAccountForTokenReviewer

func (v VaultServer) ServiceAccountForTokenReviewer() string

func (VaultServer) ServiceAccountName

func (v VaultServer) ServiceAccountName() string

func (VaultServer) StatsLabels

func (v VaultServer) StatsLabels() map[string]string

func (VaultServer) StatsService

func (v VaultServer) StatsService() mona.StatsAccessor

func (VaultServer) StatsServiceName

func (v VaultServer) StatsServiceName() string

func (VaultServer) TLSSecretName

func (v VaultServer) TLSSecretName() string

type VaultServerCondition

// VaultServerCondition describes the state of a VaultServer at a certain point.
type VaultServerCondition struct {
	// Type of VaultServerCondition condition; see VaultServerConditionType.
	// +optional
	Type VaultServerConditionType `json:"type,omitempty"`

	// Status of the condition, one of True, False, Unknown.
	// +optional
	Status core.ConditionStatus `json:"status,omitempty"`

	// Reason is a brief, machine-readable explanation for the condition's
	// current status.
	// +optional
	Reason string `json:"reason,omitempty"`

	// Message is a human readable message indicating details about the transition.
	// +optional
	Message string `json:"message,omitempty"`
}

VaultServerCondition describes the state of a VaultServer at a certain point.

func (*VaultServerCondition) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServerCondition.

func (*VaultServerCondition) DeepCopyInto

func (in *VaultServerCondition) DeepCopyInto(out *VaultServerCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultServerConditionType

// VaultServerConditionType is the type of a VaultServerCondition.
type VaultServerConditionType string

// These are the valid condition types of a VaultServer.
const (
	// VaultServerConditionFailure reports that the VaultServer is in a failure state.
	VaultServerConditionFailure VaultServerConditionType = "Failure"
)

These are valid conditions of a VaultServer.

type VaultServerList

// VaultServerList is a list of VaultServer resources, as returned by a
// collection GET on the vaultservers resource.
type VaultServerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VaultServer `json:"items,omitempty"`
}

func (*VaultServerList) DeepCopy

func (in *VaultServerList) DeepCopy() *VaultServerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServerList.

func (*VaultServerList) DeepCopyInto

func (in *VaultServerList) DeepCopyInto(out *VaultServerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultServerList) DeepCopyObject

func (in *VaultServerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultServerSpec

// VaultServerSpec is the desired state of a VaultServer. Version and Backend
// are required; everything else is optional.
type VaultServerSpec struct {
	// Number of nodes to deploy for a Vault deployment.
	// Default: 1.
	// +optional
	Nodes int32 `json:"nodes,omitempty"`

	// Version of Vault server to be deployed.
	Version types.StrYo `json:"version"`

	// ConfigSource is an optional volume source (for example a ConfigMap)
	// providing extra configuration for Vault.
	// File name should be 'vault.hcl'.
	// If specified, this file will be appended to the controller configuration file.
	// NOTE(review): because the file is appended to the operator-generated
	// config, user-supplied HCL may interact with operator-managed settings —
	// confirm what the operator validates before accepting it.
	// +optional
	ConfigSource *core.VolumeSource `json:"configSource,omitempty"`

	// DataSources is a list of Configmaps/Secrets in the same namespace as the VaultServer
	// object, which shall be mounted into the VaultServer Pods.
	// The data are mounted into /etc/vault/data/<name>.
	// The first data will be named as "data-0", second one will be named as "data-1" and so on.
	// +optional
	DataSources []core.VolumeSource `json:"dataSources,omitempty"`

	// TLS policy of the Vault nodes. If nil, the operator auto-generates
	// TLS assets and secrets (see TLSPolicy).
	// +optional
	TLS *TLSPolicy `json:"tls,omitempty"`

	// Backend is the storage backend configuration for Vault. Required.
	Backend BackendStorageSpec `json:"backend"`

	// Unsealer is the automatic initialize/unseal configuration for Vault.
	// +optional
	Unsealer *UnsealerSpec `json:"unsealer,omitempty"`

	// AuthMethods specifies the list of auth methods to enable.
	// +optional
	AuthMethods []AuthMethod `json:"authMethods,omitempty"`

	// Monitor is the monitoring agent configuration for this Vault server.
	// +optional
	Monitor *mona.AgentSpec `json:"monitor,omitempty"`

	// PodTemplate is an optional configuration for pods used to run vault
	// +optional
	PodTemplate ofst.PodTemplateSpec `json:"podTemplate,omitempty"`

	// ServiceTemplate is an optional configuration for service used to expose vault
	// +optional
	ServiceTemplate ofst.ServiceTemplateSpec `json:"serviceTemplate,omitempty"`
}

func (*VaultServerSpec) DeepCopy

func (in *VaultServerSpec) DeepCopy() *VaultServerSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServerSpec.

func (*VaultServerSpec) DeepCopyInto

func (in *VaultServerSpec) DeepCopyInto(out *VaultServerSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultServerStatus

// VaultServerStatus is the state of a VaultServer as observed by the operator.
// All fields are optional and populated by the operator, not by users.
type VaultServerStatus struct {
	// observedGeneration is the most recent generation observed for this resource. It corresponds to the
	// resource's generation, which is updated on mutation by the API Server.
	// +optional
	ObservedGeneration *types.IntHash `json:"observedGeneration,omitempty"`

	// Phase indicates the state this Vault cluster jumps in.
	// +optional
	Phase ClusterPhase `json:"phase,omitempty"`

	// Initialized indicates if the Vault service is initialized.
	// +optional
	Initialized bool `json:"initialized,omitempty"`

	// ServiceName is the LB service for accessing vault nodes.
	// +optional
	ServiceName string `json:"serviceName,omitempty"`

	// ClientPort is the port for vault client to access.
	// It's the same on client LB service and vault nodes.
	// +optional
	ClientPort int `json:"clientPort,omitempty"`

	// VaultStatus is the set of Vault node specific statuses: Active, Standby, and Sealed
	// (see VaultStatus).
	// +optional
	VaultStatus VaultStatus `json:"vaultStatus,omitempty"`

	// PodNames of updated Vault nodes. Updated means the Vault container image version
	// matches the spec's version.
	// +optional
	UpdatedNodes []string `json:"updatedNodes,omitempty"`

	// Conditions represents the latest available observations of a VaultServer's current state.
	// +optional
	Conditions []VaultServerCondition `json:"conditions,omitempty"`

	// AuthMethodStatus is the status of each configured Vault auth method.
	// +optional
	AuthMethodStatus []AuthMethodStatus `json:"authMethodStatus,omitempty"`
}

func (*VaultServerStatus) DeepCopy

func (in *VaultServerStatus) DeepCopy() *VaultServerStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultServerStatus.

func (*VaultServerStatus) DeepCopyInto

func (in *VaultServerStatus) DeepCopyInto(out *VaultServerStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultStatus

// VaultStatus groups Vault node pod names by their seal/HA role. A pod name
// is expected to appear in exactly one of Active, Standby or Sealed; Unsealed
// lists every unsealed node regardless of role.
type VaultStatus struct {
	// PodName of the active Vault node. Active node is unsealed.
	// Only active node can serve requests.
	// Vault service only points to the active node.
	// +optional
	Active string `json:"active,omitempty"`

	// PodNames of the standby Vault nodes. Standby nodes are unsealed.
	// Standby nodes do not process requests, and instead redirect to the active Vault.
	// +optional
	Standby []string `json:"standby,omitempty"`

	// PodNames of Sealed Vault nodes. Sealed nodes MUST be unsealed to
	// become standby or active.
	// +optional
	Sealed []string `json:"sealed,omitempty"`

	// PodNames of Unsealed Vault nodes.
	// +optional
	Unsealed []string `json:"unsealed,omitempty"`
}

func (*VaultStatus) DeepCopy

func (in *VaultStatus) DeepCopy() *VaultStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStatus.

func (*VaultStatus) DeepCopyInto

func (in *VaultStatus) DeepCopyInto(out *VaultStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
