apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{"controller-gen.kubebuilder.io/version":"v0.3.0"},"creationTimestamp":null,"labels":{"app.kubernetes.io/instance":"vault-secrets-operator","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"vault-secrets-operator","helm.sh/chart":"vault-secrets-operator-1.14.5"},"name":"vaultsecrets.ricoberger.de"},"spec":{"group":"ricoberger.de","names":{"kind":"VaultSecret","listKind":"VaultSecretList","plural":"vaultsecrets","singular":"vaultsecret"},"scope":"Namespaced","versions":[{"additionalPrinterColumns":[{"description":"Indicates
if the secret was created/updated successfully","jsonPath":".status.conditions[?(@.type==\"SecretCreated\")].status","name":"Succeeded","type":"string"},{"description":"Reason
for the current status","jsonPath":".status.conditions[?(@.type==\"SecretCreated\")].reason","name":"Reason","type":"string"},{"description":"Message
with more information, regarding the current status","jsonPath":".status.conditions[?(@.type==\"SecretCreated\")].message","name":"Message","type":"string"},{"description":"Time
when the condition was updated the last time","jsonPath":".status.conditions[?(@.type==\"SecretCreated\")].lastTransitionTime","name":"Last
Transition","type":"date"},{"description":"Time when this VaultSecret was created","jsonPath":".metadata.creationTimestamp","name":"Age","type":"date"}],"name":"v1alpha1","schema":{"openAPIV3Schema":{"description":"VaultSecret
is the Schema for the vaultsecrets API","properties":{"apiVersion":{"description":"APIVersion
defines the versioned schema of this representation of an object. Servers should
convert recognized schemas to the latest internal value, and may reject unrecognized
values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind
is a string value representing the REST resource this object represents. Servers
may infer this from the endpoint the client submits requests to. Cannot be updated.
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"VaultSecretSpec
defines the desired state of VaultSecret","properties":{"isBinary":{"description":"isBinary
is a flag indicates if data stored in vault is binary data. Since vault does
not store binary data natively, the binary data is stored as base64 encoded.
However, same data get encoded again when operator stored them as secret in
k8s which caused the data to get double encoded. This flag will skip the base64
encode which is needed for string data to avoid the double encode problem.","type":"boolean"},"keys":{"description":"Keys
is an array of Keys, which should be included in the Kubernetes secret. If the
Keys field is ommitted all keys from the Vault secret will be included in the
Kubernetes secret.","items":{"type":"string"},"type":"array"},"path":{"description":"Path
is the path of the corresponding secret in Vault.","type":"string"},"reconcileStrategy":{"description":"ReconcileStrategy
defines the strategy for reconcilation. The default value is \"Replace\", which
replaces any existing data keys in a secret with the loaded keys from Vault.
The second valid value is \"Merge\" wiche merges the loaded keys from Vault
with the existing keys in a secret. Duplicated keys will be replaced with the
value from Vault. Other values are not valid for this field.","type":"string"},"secretEngine":{"description":"SecretEngine
specifies the type of the Vault secret engine in which the secret is stored.
Currently the ''KV Secrets Engine - Version 1'' and ''KV Secrets Engine - Version
2'' are supported. The value must be ''kv''. If the value is omitted or an other
values is used the Vault Secrets Operator will try to use the KV secret engine.","type":"string"},"templates":{"additionalProperties":{"type":"string"},"description":"Templates,
if not empty will be run through the the Go templating engine, with `.Secrets`
being mapped to the list of secrets received from Vault. When omitted set, all
secrets will be added as key/val pairs under Secret.data.","type":"object"},"type":{"description":"Type
is the type of the Kubernetes secret, which will be created by the Vault Secrets
Operator.","type":"string"},"vaultNamespace":{"description":"VaultNamespace
can be used to specify the Vault namespace for a secret. When this value is
set, the X-Vault-Namespace header will be set for the request. More information
regarding namespaces can be found in the Vault Enterprise documentation: https://www.vaultproject.io/docs/enterprise/namespaces","type":"string"},"vaultRole":{"description":"VaultRole
can be used to specify the Vault role, which should be used to get the secret
from Vault. If the vaultRole property is set a new client with the specified
Vault Role will be created and the shared client is ignored. If the operator
is configured using the token auth method this property has no effect.","type":"string"},"version":{"description":"Version
sets the version of the secret which should be used. The version is only used
if the KVv2 secret engine is used. If the version is omitted the Operator uses
the latest version of the secret. If the version omitted and the VAULT_RECONCILIATION_TIME
environment variable is set, the Kubernetes secret will be updated if the Vault
secret changes.","type":"integer"}},"required":["path","type"],"type":"object"},"status":{"description":"VaultSecretStatus
defines the observed state of VaultSecret","properties":{"conditions":{"items":{"description":"Condition
contains details for one aspect of the current state of this API Resource. ---
This struct is intended for direct use as an array at the field path .status.conditions. For
example, type FooStatus struct{ // Represents the observations of a foo''s
current state. // Known .status.conditions.type are: \"Available\", \"Progressing\",
and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge //
+listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }","properties":{"lastTransitionTime":{"description":"lastTransitionTime
is the last time the condition transitioned from one status to another. This
should be when the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.","format":"date-time","type":"string"},"message":{"description":"message
is a human readable message indicating details about the transition. This may
be an empty string.","maxLength":32768,"type":"string"},"observedGeneration":{"description":"observedGeneration
represents the .metadata.generation that the condition was set based upon. For
instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current state of the
instance.","format":"int64","minimum":0,"type":"integer"},"reason":{"description":"reason
contains a programmatic identifier indicating the reason for the condition''s
last transition. Producers of specific condition types may define expected values
and meanings for this field, and whether the values are considered a guaranteed
API. The value should be a CamelCase string. This field may not be empty.","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$","type":"string"},"status":{"description":"status
of the condition, one of True, False, Unknown.","enum":["True","False","Unknown"],"type":"string"},"type":{"description":"type
of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type
values are consistent across resources like Available, but because arbitrary
conditions can be useful (see .node.status.conditions), the ability to deconflict
is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$","type":"string"}},"required":["lastTransitionTime","message","reason","status","type"],"type":"object"},"type":"array"}},"type":"object"}},"type":"object"}},"served":true,"storage":true,"subresources":{"status":{}}}]},"status":{"acceptedNames":{"kind":"","plural":""},"conditions":[],"storedVersions":[]}}
'
creationTimestamp: '2021-08-30T19:49:22Z'
generation: 1
labels:
app.kubernetes.io/instance: vault-secrets-operator
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: vault-secrets-operator
helm.sh/chart: vault-secrets-operator-1.14.5
managedFields:
- apiVersion: apiextensions.k8s.io/v1
fieldsType: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.: {}
f:controller-gen.kubebuilder.io/version: {}
f:kubectl.kubernetes.io/last-applied-configuration: {}
f:labels:
.: {}
f:app.kubernetes.io/instance: {}
f:app.kubernetes.io/managed-by: {}
f:app.kubernetes.io/name: {}
f:helm.sh/chart: {}
f:spec:
f:conversion:
.: {}
f:strategy: {}
f:group: {}
f:names:
f:kind: {}
f:listKind: {}
f:plural: {}
f:singular: {}
f:scope: {}
f:versions: {}
manager: argocd-application-controller
operation: Update
time: '2021-08-30T19:49:22Z'
- apiVersion: apiextensions.k8s.io/v1
fieldsType: FieldsV1
fieldsV1:
f:status:
f:acceptedNames:
f:kind: {}
f:listKind: {}
f:plural: {}
f:singular: {}
f:conditions:
k:{"type":"Established"}:
.: {}
f:lastTransitionTime: {}
f:message: {}
f:reason: {}
f:status: {}
f:type: {}
k:{"type":"NamesAccepted"}:
.: {}
f:lastTransitionTime: {}
f:message: {}
f:reason: {}
f:status: {}
f:type: {}
manager: k3s
operation: Update
time: '2021-08-30T19:49:23Z'
name: vaultsecrets.ricoberger.de
resourceVersion: '84182'
uid: 5907fcc6-1a98-4d50-a97a-27250451ad72
spec:
conversion:
strategy: None
group: ricoberger.de
names:
kind: VaultSecret
listKind: VaultSecretList
plural: vaultsecrets
singular: vaultsecret
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Indicates if the secret was created/updated successfully
jsonPath: .status.conditions[?(@.type=="SecretCreated")].status
name: Succeeded
type: string
- description: Reason for the current status
jsonPath: .status.conditions[?(@.type=="SecretCreated")].reason
name: Reason
type: string
- description: Message with more information, regarding the current status
jsonPath: .status.conditions[?(@.type=="SecretCreated")].message
name: Message
type: string
- description: Time when the condition was updated the last time
jsonPath: .status.conditions[?(@.type=="SecretCreated")].lastTransitionTime
name: Last Transition
type: date
- description: Time when this VaultSecret was created
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: VaultSecret is the Schema for the vaultsecrets API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: VaultSecretSpec defines the desired state of VaultSecret
properties:
isBinary:
description: isBinary is a flag indicates if data stored in vault
is binary data. Since vault does not store binary data natively,
the binary data is stored as base64 encoded. However, same data
get encoded again when operator stored them as secret in k8s which
caused the data to get double encoded. This flag will skip the base64
encode which is needed for string data to avoid the double encode
problem.
type: boolean
keys:
description: Keys is an array of Keys, which should be included in
the Kubernetes secret. If the Keys field is ommitted all keys from
the Vault secret will be included in the Kubernetes secret.
items:
type: string
type: array
path:
description: Path is the path of the corresponding secret in Vault.
type: string
reconcileStrategy:
description: ReconcileStrategy defines the strategy for reconcilation.
The default value is "Replace", which replaces any existing data
keys in a secret with the loaded keys from Vault. The second valid
value is "Merge" wiche merges the loaded keys from Vault with the
existing keys in a secret. Duplicated keys will be replaced with
the value from Vault. Other values are not valid for this field.
type: string
secretEngine:
description: SecretEngine specifies the type of the Vault secret engine
in which the secret is stored. Currently the 'KV Secrets Engine
- Version 1' and 'KV Secrets Engine - Version 2' are supported.
The value must be 'kv'. If the value is omitted or an other values
is used the Vault Secrets Operator will try to use the KV secret
engine.
type: string
templates:
additionalProperties:
type: string
description: Templates, if not empty will be run through the the Go
templating engine, with `.Secrets` being mapped to the list of secrets
received from Vault. When omitted set, all secrets will be added
as key/val pairs under Secret.data.
type: object
type:
description: Type is the type of the Kubernetes secret, which will
be created by the Vault Secrets Operator.
type: string
vaultNamespace:
description: 'VaultNamespace can be used to specify the Vault namespace
for a secret. When this value is set, the X-Vault-Namespace header
will be set for the request. More information regarding namespaces
can be found in the Vault Enterprise documentation: https://www.vaultproject.io/docs/enterprise/namespaces'
type: string
vaultRole:
description: VaultRole can be used to specify the Vault role, which
should be used to get the secret from Vault. If the vaultRole property
is set a new client with the specified Vault Role will be created
and the shared client is ignored. If the operator is configured
using the token auth method this property has no effect.
type: string
version:
description: Version sets the version of the secret which should be
used. The version is only used if the KVv2 secret engine is used.
If the version is omitted the Operator uses the latest version of
the secret. If the version omitted and the VAULT_RECONCILIATION_TIME
environment variable is set, the Kubernetes secret will be updated
if the Vault secret changes.
type: integer
required:
- path
- type
type: object
status:
description: VaultSecretStatus defines the observed state of VaultSecret
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current\
\ state of this API Resource. --- This struct is intended for\
\ direct use as an array at the field path .status.conditions.\
\ For example, type FooStatus struct{ // Represents the observations\
\ of a foo's current state. // Known .status.conditions.type\
\ are: \"Available\", \"Progressing\", and \"Degraded\" //\
\ +patchMergeKey=type // +patchStrategy=merge // +listType=map\
\ // +listMapKey=type Conditions []metav1.Condition `json:\"\
conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"\
type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other\
\ fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- 'True'
- 'False'
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: VaultSecret
listKind: VaultSecretList
plural: vaultsecrets
singular: vaultsecret
conditions:
- lastTransitionTime: '2021-08-30T19:49:22Z'
message: no conflicts found
reason: NoConflicts
status: 'True'
type: NamesAccepted
- lastTransitionTime: '2021-08-30T19:49:23Z'
message: the initial names have been accepted
reason: InitialNamesAccepted
status: 'True'
type: Established
storedVersions:
- v1alpha1