
update: update Kubernetes tags for vault provider and change path default (#4452)

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Gergely Brautigam 1 year ago
parent
commit
d6fcc94205

+ 19 - 8
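--- a/apis/externalsecrets/v1beta1/secretstore_vault_types.go
+++ b/apis/externalsecrets/v1beta1/secretstore_vault_types.go
@@ -98,11 +98,13 @@ type VaultClientTLS struct {
 	// CertSecretRef is a certificate added to the transport layer
 	// when communicating with the Vault server.
 	// If no key for the Secret is specified, external-secret will default to 'tls.crt'.
+	// +optional
 	CertSecretRef *esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`
 
 	// KeySecretRef to a key in a Secret resource containing client private key
 	// added to the transport layer when communicating with the Vault server.
 	// If no key for the Secret is specified, external-secret will default to 'tls.key'.
+	// +optional
 	KeySecretRef *esmeta.SecretKeySelector `json:"keySecretRef,omitempty"`
 }
 
@@ -219,13 +221,14 @@ type VaultLdapAuth struct {
 	// +kubebuilder:default=ldap
 	Path string `json:"path"`
 
-	// Username is a LDAP user name used to authenticate using the LDAP Vault
+	// Username is an LDAP username used to authenticate using the LDAP Vault
 	// authentication method
 	Username string `json:"username"`
 
 	// SecretRef to a key in a Secret resource containing password for the LDAP
 	// user used to authenticate with Vault using the LDAP authentication
 	// method
+	// +optional
 	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
 
@@ -243,20 +246,23 @@ type VaultAwsAuth struct {
 // both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
 type VaultAwsAuthSecretRef struct {
 	// The AccessKeyID is used for authentication
+	// +optional
 	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
 
 	// The SecretAccessKey is used for authentication
+	// +optional
 	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
 
 	// The SessionToken used for authentication
 	// This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
 	// see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-	// +Optional
+	// +optional
 	SessionToken *esmeta.SecretKeySelector `json:"sessionTokenSecretRef,omitempty"`
 }
 
-// Authenticate against AWS using service account tokens.
+// VaultAwsJWTAuth Authenticate against AWS using service account tokens.
 type VaultAwsJWTAuth struct {
+	// +optional
 	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
 }
 
@@ -307,7 +313,7 @@ type VaultJwtAuth struct {
 	KubernetesServiceAccountToken *VaultKubernetesServiceAccountTokenAuth `json:"kubernetesServiceAccountToken,omitempty"`
 }
 
-// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
+// VaultCertAuth authenticates with Vault using the JWT/OIDC authentication
 // method, with the role name and token stored in a Kubernetes Secret resource.
 type VaultCertAuth struct {
 	// ClientCert is a certificate to authenticate using the Cert Vault
@@ -317,23 +323,27 @@ type VaultCertAuth struct {
 
 	// SecretRef to a key in a Secret resource containing client private key to
 	// authenticate with Vault using the Cert authentication method
+	// +optional
 	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
 
 // VaultIamAuth authenticates with Vault using the Vault's AWS IAM authentication method. Refer: https://developer.hashicorp.com/vault/docs/auth/aws
 type VaultIamAuth struct {
-
 	// Path where the AWS auth method is enabled in Vault, e.g: "aws"
+	// +optional
 	Path string `json:"path,omitempty"`
 	// AWS region
+	// +optional
 	Region string `json:"region,omitempty"`
 	// This is the AWS role to be assumed before talking to vault
+	// +optional
 	AWSIAMRole string `json:"role,omitempty"`
 	// Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
 	Role string `json:"vaultRole"`
 	// AWS External ID set on assumed IAM roles
 	ExternalID string `json:"externalID,omitempty"`
 	// X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws
+	// +optional
 	VaultAWSIAMServerID string `json:"vaultAwsIamServerID,omitempty"`
 	// Specify credentials in a Secret object
 	// +optional
@@ -347,16 +357,17 @@ type VaultIamAuth struct {
 // with the username and password stored in a Kubernetes Secret resource.
 type VaultUserPassAuth struct {
 	// Path where the UserPassword authentication backend is mounted
-	// in Vault, e.g: "user"
-	// +kubebuilder:default=user
+	// in Vault, e.g: "userpass"
+	// +kubebuilder:default=userpass
 	Path string `json:"path"`
 
-	// Username is a user name used to authenticate using the UserPass Vault
+	// Username is a username used to authenticate using the UserPass Vault
 	// authentication method
 	Username string `json:"username"`
 
 	// SecretRef to a key in a Secret resource containing password for the
 	// user used to authenticate with Vault using the UserPass authentication
 	// method
+	// +optional
 	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }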
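Review bot: The doc comment on `VaultCertAuth` was only renamed and still describes the JWT/OIDC method with a role name and token, while the fields under it are a client certificate and a private-key `SecretRef` for the Cert method (the `ClientCert` declaration itself falls between two hunks and is not visible). Since this text is regenerated into docs/api/spec.md, I would replace it with `// VaultCertAuth authenticates with Vault using the Cert authentication method, with the client private key stored in a Kubernetes Secret resource.` Separately, `AccessKeyID` and `SecretAccessKey` are now tagged `// +optional` although the `VaultAwsAuthSecretRef` comment says both must be defined, so the generated docs mark required credentials as optional; the field comments should say what happens when a selector is left empty. The `userpass` default presumably only applies to objects that omit `path`, so a release note for stores that relied on the old `user` default would be worth adding.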

+ 4 - 4
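--- a/config/crds/bases/external-secrets.io_clustersecretstores.yaml
+++ b/config/crds/bases/external-secrets.io_clustersecretstores.yaml
@@ -5630,7 +5630,7 @@ spec:
                                 type: object
                               username:
                                 description: |-
-                                  Username is a LDAP user name used to authenticate using the LDAP Vault
+                                  Username is an LDAP username used to authenticate using the LDAP Vault
                                   authentication method
                                 type: string
                             required:
@@ -5678,10 +5678,10 @@ spec:
                               username/password pair
                             properties:
                               path:
-                                default: user
+                                default: userpass
                                 description: |-
                                   Path where the UserPassword authentication backend is mounted
-                                  in Vault, e.g: "user"
+                                  in Vault, e.g: "userpass"
                                 type: string
                               secretRef:
                                 description: |-
@@ -5715,7 +5715,7 @@ spec:
                                 type: object
                               username:
                                 description: |-
-                                  Username is a user name used to authenticate using the UserPass Vault
+                                  Username is a username used to authenticate using the UserPass Vault
                                   authentication method
                                 type: string
                             required: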

+ 4 - 4
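--- a/config/crds/bases/external-secrets.io_secretstores.yaml
+++ b/config/crds/bases/external-secrets.io_secretstores.yaml
@@ -5630,7 +5630,7 @@ spec:
                                 type: object
                               username:
                                 description: |-
-                                  Username is a LDAP user name used to authenticate using the LDAP Vault
+                                  Username is an LDAP username used to authenticate using the LDAP Vault
                                   authentication method
                                 type: string
                             required:
@@ -5678,10 +5678,10 @@ spec:
                               username/password pair
                             properties:
                               path:
-                                default: user
+                                default: userpass
                                 description: |-
                                   Path where the UserPassword authentication backend is mounted
-                                  in Vault, e.g: "user"
+                                  in Vault, e.g: "userpass"
                                 type: string
                               secretRef:
                                 description: |-
@@ -5715,7 +5715,7 @@ spec:
                                 type: object
                               username:
                                 description: |-
-                                  Username is a user name used to authenticate using the UserPass Vault
+                                  Username is a username used to authenticate using the UserPass Vault
                                   authentication method
                                 type: string
                             required: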

+ 4 - 4
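--- a/config/crds/bases/generators.external-secrets.io_clustergenerators.yaml
+++ b/config/crds/bases/generators.external-secrets.io_clustergenerators.yaml
@@ -1402,7 +1402,7 @@ spec:
                                     type: object
                                   username:
                                     description: |-
-                                      Username is a LDAP user name used to authenticate using the LDAP Vault
+                                      Username is an LDAP username used to authenticate using the LDAP Vault
                                       authentication method
                                     type: string
                                 required:
@@ -1450,10 +1450,10 @@ spec:
                                   passing username/password pair
                                 properties:
                                   path:
-                                    default: user
+                                    default: userpass
                                     description: |-
                                       Path where the UserPassword authentication backend is mounted
-                                      in Vault, e.g: "user"
+                                      in Vault, e.g: "userpass"
                                     type: string
                                   secretRef:
                                     description: |-
@@ -1487,7 +1487,7 @@ spec:
                                     type: object
                                   username:
                                     description: |-
-                                      Username is a user name used to authenticate using the UserPass Vault
+                                      Username is a username used to authenticate using the UserPass Vault
                                       authentication method
                                     type: string
                                 required: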

+ 4 - 4
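--- a/config/crds/bases/generators.external-secrets.io_vaultdynamicsecrets.yaml
+++ b/config/crds/bases/generators.external-secrets.io_vaultdynamicsecrets.yaml
@@ -598,7 +598,7 @@ spec:
                             type: object
                           username:
                             description: |-
-                              Username is a LDAP user name used to authenticate using the LDAP Vault
+                              Username is an LDAP username used to authenticate using the LDAP Vault
                               authentication method
                             type: string
                         required:
@@ -646,10 +646,10 @@ spec:
                           username/password pair
                         properties:
                           path:
-                            default: user
+                            default: userpass
                             description: |-
                               Path where the UserPassword authentication backend is mounted
-                              in Vault, e.g: "user"
+                              in Vault, e.g: "userpass"
                             type: string
                           secretRef:
                             description: |-
@@ -683,7 +683,7 @@ spec:
                             type: object
                           username:
                             description: |-
-                              Username is a user name used to authenticate using the UserPass Vault
+                              Username is a username used to authenticate using the UserPass Vault
                               authentication method
                             type: string
                         required: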

+ 16 - 16
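--- a/deploy/crds/bundle.yaml
+++ b/deploy/crds/bundle.yaml
@@ -6021,7 +6021,7 @@ spec:
                                   type: object
                                 username:
                                   description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
+                                    Username is an LDAP username used to authenticate using the LDAP Vault
                                     authentication method
                                   type: string
                               required:
@@ -6066,10 +6066,10 @@ spec:
                               description: UserPass authenticates with Vault by passing username/password pair
                               properties:
                                 path:
-                                  default: user
+                                  default: userpass
                                   description: |-
                                     Path where the UserPassword authentication backend is mounted
-                                    in Vault, e.g: "user"
+                                    in Vault, e.g: "userpass"
                                   type: string
                                 secretRef:
                                   description: |-
@@ -6102,7 +6102,7 @@ spec:
                                   type: object
                                 username:
                                   description: |-
-                                    Username is a user name used to authenticate using the UserPass Vault
+                                    Username is a username used to authenticate using the UserPass Vault
                                     authentication method
                                   type: string
                               required:
@@ -13222,7 +13222,7 @@ spec:
                                   type: object
                                 username:
                                   description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
+                                    Username is an LDAP username used to authenticate using the LDAP Vault
                                     authentication method
                                   type: string
                               required:
@@ -13267,10 +13267,10 @@ spec:
                               description: UserPass authenticates with Vault by passing username/password pair
                               properties:
                                 path:
-                                  default: user
+                                  default: userpass
                                   description: |-
                                     Path where the UserPassword authentication backend is mounted
-                                    in Vault, e.g: "user"
+                                    in Vault, e.g: "userpass"
                                   type: string
                                 secretRef:
                                   description: |-
@@ -13303,7 +13303,7 @@ spec:
                                   type: object
                                 username:
                                   description: |-
-                                    Username is a user name used to authenticate using the UserPass Vault
+                                    Username is a username used to authenticate using the UserPass Vault
                                     authentication method
                                   type: string
                               required:
@@ -15329,7 +15329,7 @@ spec:
                                       type: object
                                     username:
                                       description: |-
-                                        Username is a LDAP user name used to authenticate using the LDAP Vault
+                                        Username is an LDAP username used to authenticate using the LDAP Vault
                                         authentication method
                                       type: string
                                   required:
@@ -15374,10 +15374,10 @@ spec:
                                   description: UserPass authenticates with Vault by passing username/password pair
                                   properties:
                                     path:
-                                      default: user
+                                      default: userpass
                                       description: |-
                                         Path where the UserPassword authentication backend is mounted
-                                        in Vault, e.g: "user"
+                                        in Vault, e.g: "userpass"
                                       type: string
                                     secretRef:
                                       description: |-
@@ -15410,7 +15410,7 @@ spec:
                                       type: object
                                     username:
                                       description: |-
-                                        Username is a user name used to authenticate using the UserPass Vault
+                                        Username is a username used to authenticate using the UserPass Vault
                                         authentication method
                                       type: string
                                   required:
@@ -17565,7 +17565,7 @@ spec:
                               type: object
                             username:
                               description: |-
-                                Username is a LDAP user name used to authenticate using the LDAP Vault
+                                Username is an LDAP username used to authenticate using the LDAP Vault
                                 authentication method
                               type: string
                           required:
@@ -17610,10 +17610,10 @@ spec:
                           description: UserPass authenticates with Vault by passing username/password pair
                           properties:
                             path:
-                              default: user
+                              default: userpass
                               description: |-
                                 Path where the UserPassword authentication backend is mounted
-                                in Vault, e.g: "user"
+                                in Vault, e.g: "userpass"
                               type: string
                             secretRef:
                               description: |-
@@ -17646,7 +17646,7 @@ spec:
                               type: object
                             username:
                               description: |-
-                                Username is a user name used to authenticate using the UserPass Vault
+                                Username is a username used to authenticate using the UserPass Vault
                                 authentication method
                               type: string
                           required: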

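--- a/docs/api/spec.md
+++ b/docs/api/spec.md
@@ -8497,6 +8497,7 @@ External Secrets meta/v1.SecretKeySelector
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>The AccessKeyID is used for authentication</p>
 </td>
 </tr>
@@ -8510,6 +8511,7 @@ External Secrets meta/v1.SecretKeySelector
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>The SecretAccessKey is used for authentication</p>
 </td>
 </tr>
@@ -8523,6 +8525,7 @@ External Secrets meta/v1.SecretKeySelector
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>The SessionToken used for authentication
 This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
 see: <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html">https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html</a></p>
@@ -8538,7 +8541,7 @@ see: <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_te
 <a href="#external-secrets.io/v1beta1.VaultIamAuth">VaultIamAuth</a>)
 </p>
 <p>
-<p>Authenticate against AWS using service account tokens.</p>
+<p>VaultAwsJWTAuth Authenticate against AWS using service account tokens.</p>
 </p>
 <table>
 <thead>
@@ -8558,6 +8561,7 @@ External Secrets meta/v1.ServiceAccountSelector
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 </td>
 </tr>
 </tbody>
@@ -8569,7 +8573,7 @@ External Secrets meta/v1.ServiceAccountSelector
 <a href="#external-secrets.io/v1beta1.VaultAuth">VaultAuth</a>)
 </p>
 <p>
-<p>VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
+<p>VaultCertAuth authenticates with Vault using the JWT/OIDC authentication
 method, with the role name and token stored in a Kubernetes Secret resource.</p>
 </p>
 <table>
@@ -8605,6 +8609,7 @@ External Secrets meta/v1.SecretKeySelector
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>SecretRef to a key in a Secret resource containing client private key to
 authenticate with Vault using the Cert authentication method</p>
 </td>
@@ -8639,6 +8644,7 @@ External Secrets meta/v1.SecretKeySelector
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>CertSecretRef is a certificate added to the transport layer
 when communicating with the Vault server.
 If no key for the Secret is specified, external-secret will default to &lsquo;tls.crt&rsquo;.</p>
@@ -8654,6 +8660,7 @@ External Secrets meta/v1.SecretKeySelector
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>KeySecretRef to a key in a Secret resource containing client private key
 added to the transport layer when communicating with the Vault server.
 If no key for the Secret is specified, external-secret will default to &lsquo;tls.key&rsquo;.</p>
@@ -8686,6 +8693,7 @@ string
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>Path where the AWS auth method is enabled in Vault, e.g: &ldquo;aws&rdquo;</p>
 </td>
 </tr>
@@ -8697,6 +8705,7 @@ string
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>AWS region</p>
 </td>
 </tr>
@@ -8708,6 +8717,7 @@ string
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>This is the AWS role to be assumed before talking to vault</p>
 </td>
 </tr>
@@ -8741,6 +8751,7 @@ string
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: <a href="https://developer.hashicorp.com/vault/docs/auth/aws">https://developer.hashicorp.com/vault/docs/auth/aws</a></p>
 </td>
 </tr>
@@ -9051,7 +9062,7 @@ string
 </em>
 </td>
 <td>
-<p>Username is a LDAP user name used to authenticate using the LDAP Vault
+<p>Username is an LDAP username used to authenticate using the LDAP Vault
 authentication method</p>
 </td>
 </tr>
@@ -9065,6 +9076,7 @@ External Secrets meta/v1.SecretKeySelector
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>SecretRef to a key in a Secret resource containing password for the LDAP
 user used to authenticate with Vault using the LDAP authentication
 method</p>
@@ -9275,7 +9287,7 @@ string
 </td>
 <td>
 <p>Path where the UserPassword authentication backend is mounted
-in Vault, e.g: &ldquo;user&rdquo;</p>
+in Vault, e.g: &ldquo;userpass&rdquo;</p>
 </td>
 </tr>
 <tr>
@@ -9286,7 +9298,7 @@ string
 </em>
 </td>
 <td>
-<p>Username is a user name used to authenticate using the UserPass Vault
+<p>Username is a username used to authenticate using the UserPass Vault
 authentication method</p>
 </td>
 </tr>
@@ -9300,6 +9312,7 @@ External Secrets meta/v1.SecretKeySelector
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>SecretRef to a key in a Secret resource containing password for the
 user used to authenticate with Vault using the UserPass authentication
 method</p>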