|
|
@@ -98,11 +98,13 @@ type VaultClientTLS struct {
|
|
|
// CertSecretRef is a certificate added to the transport layer
|
|
|
// when communicating with the Vault server.
|
|
|
// If no key for the Secret is specified, external-secret will default to 'tls.crt'.
|
|
|
+ // +optional
|
|
|
CertSecretRef *esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`
|
|
|
|
|
|
// KeySecretRef to a key in a Secret resource containing client private key
|
|
|
// added to the transport layer when communicating with the Vault server.
|
|
|
// If no key for the Secret is specified, external-secret will default to 'tls.key'.
|
|
|
+ // +optional
|
|
|
KeySecretRef *esmeta.SecretKeySelector `json:"keySecretRef,omitempty"`
|
|
|
}
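Review bot: CertSecretRef and KeySecretRef are now each marked `// +optional` on their own, but a client certificate is only usable together with its private key, so a spec that sets one selector and not the other passes schema validation and presumably only fails later when the TLS transport is built. The comment on VaultAwsAuthSecretRef elsewhere in this diff states its pairing rule explicitly (`both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate`); the same should be said here, e.g. `// CertSecretRef and KeySecretRef must be set together: a certificate without its key, or a key without its certificate, cannot be used for client TLS.`, or enforced with a validation rule on the struct if the project's controller-gen version supports it. The VaultClientTLS struct header is outside the hunk.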
|
|
|
|
|
|
@@ -219,13 +221,14 @@ type VaultLdapAuth struct {
|
|
|
// +kubebuilder:default=ldap
|
|
|
Path string `json:"path"`
|
|
|
|
|
|
- // Username is a LDAP user name used to authenticate using the LDAP Vault
|
|
|
+ // Username is an LDAP username used to authenticate using the LDAP Vault
|
|
|
// authentication method
|
|
|
Username string `json:"username"`
|
|
|
|
|
|
// SecretRef to a key in a Secret resource containing password for the LDAP
|
|
|
// user used to authenticate with Vault using the LDAP authentication
|
|
|
// method
|
|
|
+ // +optional
|
|
|
SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
|
|
|
}
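Review bot: `// +optional` on the SecretRef field at the end of VaultLdapAuth relaxes the generated schema so an LDAP auth block with no password reference is accepted at admission, while the field stays a struct value; `omitempty` has no effect on a non-pointer struct in encoding/json, so an unset selector is still serialized as an empty object and the controller presumably receives a selector with an empty name. If the password is in fact required for LDAP login, this marker only moves the failure from API validation to reconcile time with a less specific error; if it is genuinely optional, the field should be a pointer like `SessionToken *esmeta.SecretKeySelector` in VaultAwsAuthSecretRef so that absence is representable. The same applies to AccessKeyID and SecretAccessKey in VaultAwsAuthSecretRef, to SecretRef in VaultCertAuth, and to SecretRef in VaultUserPassAuth later in this diff.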
|
|
|
|
|
|
@@ -243,20 +246,23 @@ type VaultAwsAuth struct {
|
|
|
// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
|
|
|
type VaultAwsAuthSecretRef struct {
|
|
|
// The AccessKeyID is used for authentication
|
|
|
+ // +optional
|
|
|
AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
|
|
|
|
|
|
// The SecretAccessKey is used for authentication
|
|
|
+ // +optional
|
|
|
SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
|
|
|
|
|
|
// The SessionToken used for authentication
|
|
|
// This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
|
|
|
// see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
|
|
|
- // +Optional
|
|
|
+ // +optional
|
|
|
SessionToken *esmeta.SecretKeySelector `json:"sessionTokenSecretRef,omitempty"`
|
|
|
}
|
|
|
|
|
|
-// Authenticate against AWS using service account tokens.
|
|
|
+// VaultAwsJWTAuth Authenticate against AWS using service account tokens.
|
|
|
type VaultAwsJWTAuth struct {
|
|
|
+ // +optional
|
|
|
ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
|
|
|
}
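Review bot: The struct comment just above VaultAwsAuthSecretRef still says `both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate`, yet both fields now carry `// +optional`, so the generated CRD schema no longer enforces what the comment promises and a spec with only one of the two passes admission. Either keep the two fields required (drop the two new markers) or update the comment to say where the pairing is checked, and consider a validation rule on the struct so an incomplete static credential is rejected by the API server rather than at reconcile time. Separately, the new doc comment `// VaultAwsJWTAuth Authenticate against AWS using service account tokens.` should read `// VaultAwsJWTAuth authenticates against AWS using service account tokens.` to follow Go doc-comment convention.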
|
|
|
|
|
|
@@ -307,7 +313,7 @@ type VaultJwtAuth struct {
|
|
|
KubernetesServiceAccountToken *VaultKubernetesServiceAccountTokenAuth `json:"kubernetesServiceAccountToken,omitempty"`
|
|
|
}
|
|
|
|
|
|
-// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
|
|
|
+// VaultCertAuth authenticates with Vault using the JWT/OIDC authentication
|
|
|
// method, with the role name and token stored in a Kubernetes Secret resource.
|
|
|
type VaultCertAuth struct {
|
|
|
// ClientCert is a certificate to authenticate using the Cert Vault
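Review bot: The renamed doc comment is still wrong for the type it documents: VaultCertAuth is the TLS certificate auth method (its ClientCert field at the end of this hunk, and the SecretRef holding the client private key in the next one), but the comment now says it `authenticates with Vault using the JWT/OIDC authentication method, with the role name and token stored in a Kubernetes Secret resource`, which is the VaultJwtAuth description with only the name swapped. Suggest `// VaultCertAuth authenticates with Vault using the TLS certificate authentication` followed by `// method, with the client certificate and private key stored in Kubernetes Secret resources.` The VaultCertAuth struct body continues past the hunk.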
|
|
|
@@ -317,23 +323,27 @@ type VaultCertAuth struct {
|
|
|
|
|
|
// SecretRef to a key in a Secret resource containing client private key to
|
|
|
// authenticate with Vault using the Cert authentication method
|
|
|
+ // +optional
|
|
|
SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
|
|
|
}
|
|
|
|
|
|
// VaultIamAuth authenticates with Vault using the Vault's AWS IAM authentication method. Refer: https://developer.hashicorp.com/vault/docs/auth/aws
|
|
|
type VaultIamAuth struct {
|
|
|
-
|
|
|
// Path where the AWS auth method is enabled in Vault, e.g: "aws"
|
|
|
+ // +optional
|
|
|
Path string `json:"path,omitempty"`
|
|
|
// AWS region
|
|
|
+ // +optional
|
|
|
Region string `json:"region,omitempty"`
|
|
|
// This is the AWS role to be assumed before talking to vault
|
|
|
+ // +optional
|
|
|
AWSIAMRole string `json:"role,omitempty"`
|
|
|
// Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
|
|
|
Role string `json:"vaultRole"`
|
|
|
// AWS External ID set on assumed IAM roles
|
|
|
ExternalID string `json:"externalID,omitempty"`
|
|
|
// X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws
|
|
|
+ // +optional
|
|
|
VaultAWSIAMServerID string `json:"vaultAwsIamServerID,omitempty"`
|
|
|
// Specify credentials in a Secret object
|
|
|
// +optional
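Review bot: ExternalID (`json:"externalID,omitempty"`) is the one omitempty field in VaultIamAuth that did not receive `// +optional` in this hunk while Path, Region, AWSIAMRole and VaultAWSIAMServerID all did, so the generated schema will presumably still list externalID as required even though the JSON tag treats it as omissible. Add `// +optional` above `ExternalID string`, or drop `omitempty` from its tag if it is meant to be required, so the marker and the tag agree as they now do for the neighbouring fields. The VaultIamAuth struct body continues past the hunk.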
|
|
|
@@ -347,16 +357,17 @@ type VaultIamAuth struct {
|
|
|
// with the username and password stored in a Kubernetes Secret resource.
|
|
|
type VaultUserPassAuth struct {
|
|
|
// Path where the UserPassword authentication backend is mounted
|
|
|
- // in Vault, e.g: "user"
|
|
|
- // +kubebuilder:default=user
|
|
|
+ // in Vault, e.g: "userpass"
|
|
|
+ // +kubebuilder:default=userpass
|
|
|
Path string `json:"path"`
|
|
|
|
|
|
- // Username is a user name used to authenticate using the UserPass Vault
|
|
|
+ // Username is a username used to authenticate using the UserPass Vault
|
|
|
// authentication method
|
|
|
Username string `json:"username"`
|
|
|
|
|
|
// SecretRef to a key in a Secret resource containing password for the
|
|
|
// user used to authenticate with Vault using the UserPass authentication
|
|
|
// method
|
|
|
+ // +optional
|
|
|
SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
|
|
|
}
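Review bot: The new `+kubebuilder:default=userpass` is a user-visible behavior change rather than a wording fix: every new VaultUserPassAuth that omits `path` will now target a different mount than it did before, so this should be called out in the release notes, and it would help to say in the comment why the new value is the right one, e.g. `// in Vault, e.g: "userpass" (the mount path Vault uses by default for its userpass auth method)`. Objects already persisted with the old default presumably keep `user`, but manifests that relied on the old default and are applied to a fresh cluster will change behavior silently.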
|