@@ -2163,6 +2163,19 @@ should match snapshot of default values:
roleId:
description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
type: string
+ roleRef:
+ description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
secretRef:
description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
properties:
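Review bot: The new `roleRef` object declares no `required` list, so a reference with neither `name` nor `key` passes CRD validation even though its own description says the `key` field must be specified; the `serviceAccountRef` added later in this diff does carry `required: - name`, so the two reference shapes are inconsistent. At minimum `required: - name` under `roleRef` (mirroring `serviceAccountRef`) would let the API server reject an empty reference instead of leaving it to the controller at reconcile time. If this file is a helm-unittest snapshot rendered from the generated CRD, the fix belongs on the source type (for example a `+kubebuilder:validation:Required` marker on the field) with the snapshot regenerated rather than hand-edited. The enclosing `appRole` object starts before this hunk.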
@@ -2178,7 +2191,6 @@ should match snapshot of default values:
type: object
required:
- path
- - roleId
- secretRef
type: object
cert:
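Review bot: Removing `roleId` from `required` leaves the appRole schema with neither `roleId` nor the new `roleRef` mandatory, so an `appRole` block that sets only `path` and `secretRef` now passes API-server validation and a missing role id is only detected by the controller when it tries to log in. The `iam` block in the last hunk has the same shape, with `jwt` and `secretRef` both optional. An `x-kubernetes-validations` CEL rule on the object, such as `has(self.roleId) || has(self.roleRef)`, or a `oneOf` over the two fields, keeps the check at admission time; if this is a generated snapshot the rule belongs on the source type. The `appRole` object whose `required` list this edits starts before the hunk.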
@@ -2211,6 +2223,94 @@ should match snapshot of default values:
type: string
type: object
type: object
+ iam:
+ description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
+ properties:
+ externalID:
+ description: AWS External ID set on assumed IAM roles
+ type: string
+ jwt:
+ description: Specify a service account with IRSA enabled
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ path:
+ description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
+ type: string
+ region:
+ description: AWS region
+ type: string
+ role:
+ description: This is the AWS role to be assumed before talking to vault
+ type: string
+ secretRef:
+ description: Specify credentials in a Secret object
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ sessionTokenSecretRef:
+ description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ vaultAwsIamServerID:
+ description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
+ type: string
+ vaultRole:
+ description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
+ type: string
+ required:
+ - vaultRole
+ type: object
jwt:
description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
properties:
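Review bot: Two of the new descriptions in the `iam` block are run-on sentences that a reader of `kubectl explain` will stumble over: `iam.description` ends "...signed with AWS IAM credentials AWS IAM authentication method", and `audiences` has "...Workload Identity then this audiences will be appended to the list". Suggested text: `Iam authenticates with Vault by passing a request signed with AWS IAM credentials (AWS IAM authentication method).` and `If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity, these audiences are appended to the list.`. `vaultAwsIamServerID` is optional here, which matches Vault's API, but its description could add that the value must equal the `iam_server_id_header_value` configured on the Vault auth mount, since Vault rejects a login whose header does not match when that setting is present. These strings come from Go field comments if the file is a generated snapshot, so the wording change belongs there.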