From 3d9fc9d480ca163946c1b4c1530b0f6940014bfd Mon Sep 17 00:00:00 2001 
From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Tue, 8 Oct 2024 20:22:28 -0400 Subject: [PATCH] operator vault-secrets-operator (0.9.0) (#4568) --- .../secrets.hashicorp.com_hcpauths.yaml | 115 +++++ ...ets.hashicorp.com_hcpvaultsecretsapps.yaml | 323 +++++++++++++ ...s.hashicorp.com_secrettransformations.yaml | 126 +++++ ...ecrets.hashicorp.com_vaultauthglobals.yaml | 339 ++++++++++++++ .../secrets.hashicorp.com_vaultauths.yaml | 403 ++++++++++++++++ ...ecrets.hashicorp.com_vaultconnections.yaml | 92 ++++ ...ets.hashicorp.com_vaultdynamicsecrets.yaml | 415 +++++++++++++++++ ...secrets.hashicorp.com_vaultpkisecrets.yaml | 391 ++++++++++++++++ ...rets.hashicorp.com_vaultstaticsecrets.yaml | 318 +++++++++++++ ...er-manager-metrics-service_v1_service.yaml | 19 + ...-operator-manager-config_v1_configmap.yaml | 32 ++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 12 + ...ecrets-operator.clusterserviceversion.yaml | 437 ++++++++++++++++++ .../0.9.0/metadata/annotations.yaml | 18 + .../0.9.0/tests/scorecard/config.yaml | 70 +++ 15 files changed, 3110 insertions(+) create mode 100644 operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_hcpauths.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_hcpvaultsecretsapps.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_secrettransformations.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultauthglobals.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultauths.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultconnections.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultdynamicsecrets.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultpkisecrets.yaml create mode 
100644 operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultstaticsecrets.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator-controller-manager-metrics-service_v1_service.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator-manager-config_v1_configmap.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator.clusterserviceversion.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/metadata/annotations.yaml create mode 100644 operators/vault-secrets-operator/0.9.0/tests/scorecard/config.yaml diff --git a/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_hcpauths.yaml b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_hcpauths.yaml new file mode 100644 index 00000000000..9a885bb49a1 --- /dev/null +++ b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_hcpauths.yaml 
@@ -0,0 +1,115 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller-manager + name: hcpauths.secrets.hashicorp.com +spec: + group: secrets.hashicorp.com + names: + kind: HCPAuth + listKind: HCPAuthList + plural: hcpauths + singular: hcpauth + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: HCPAuth is the Schema for the hcpauths API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HCPAuthSpec defines the desired state of HCPAuth + properties: + allowedNamespaces: + description: |- + AllowedNamespaces Kubernetes Namespaces which are allow-listed for use with this AuthMethod. + This field allows administrators to customize which Kubernetes namespaces are authorized to + use with this AuthMethod. While Vault will still enforce its own rules, this has the added + configurability of restricting which HCPAuthMethods can be used by which namespaces. + Accepted values: + []{"*"} - wildcard, all namespaces. + []{"a", "b"} - list of namespaces. + unset - disallow all namespaces except the Operator's the HCPAuthMethod's namespace, this + is the default behavior. 
+ items: + type: string + type: array + method: + default: servicePrincipal + description: Method to use when authenticating to Vault. + enum: + - servicePrincipal + type: string + organizationID: + description: OrganizationID of the HCP organization. + type: string + projectID: + description: ProjectID of the HCP project. + type: string + servicePrincipal: + description: |- + ServicePrincipal provides the necessary configuration for authenticating to + HCP using a service principal. For security reasons, only project-level + service principals should ever be used. + properties: + secretRef: + description: |- + SecretRef is the name of a Kubernetes secret in the consumer's + (VDS/VSS/PKI/HCP) namespace which provides the HCP ServicePrincipal clientID, + and clientSecret. + The secret data must have the following structure { + "clientID": "clientID", + "clientSecret": "clientSecret", + } + type: string + required: + - secretRef + type: object + required: + - organizationID + - projectID + type: object + status: + description: HCPAuthStatus defines the observed state of HCPAuth + properties: + error: + type: string + valid: + description: Valid auth mechanism. + type: boolean + required: + - error + - valid + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_hcpvaultsecretsapps.yaml b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_hcpvaultsecretsapps.yaml new file mode 100644 index 00000000000..e1c18e7a37b --- /dev/null +++ b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_hcpvaultsecretsapps.yaml 
@@ -0,0 +1,323 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller-manager + name: hcpvaultsecretsapps.secrets.hashicorp.com +spec: + group: secrets.hashicorp.com + names: + kind: HCPVaultSecretsApp + listKind: HCPVaultSecretsAppList + plural: hcpvaultsecretsapps + singular: hcpvaultsecretsapp + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: HCPVaultSecretsApp is the Schema for the hcpvaultsecretsapps + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HCPVaultSecretsAppSpec defines the desired state of HCPVaultSecretsApp + properties: + appName: + description: AppName of the Vault Secrets Application that is to be + synced. + type: string + destination: + description: |- + Destination provides configuration necessary for syncing the HCP Vault + Application secrets to Kubernetes. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to apply to the Secret. Requires Create + to be set to true. + type: object + create: + default: false + description: |- + Create the destination Secret. 
+ If the Secret already exists this should be set to false. + type: boolean + labels: + additionalProperties: + type: string + description: Labels to apply to the Secret. Requires Create to + be set to true. + type: object + name: + description: Name of the Secret + type: string + overwrite: + default: false + description: |- + Overwrite the destination Secret if it exists and Create is true. This is + useful when migrating to VSO from a previous secret deployment strategy. + type: boolean + transformation: + description: |- + Transformation provides configuration for transforming the secret data before + it is stored in the Destination. + properties: + excludeRaw: + description: |- + ExcludeRaw data from the destination Secret. Exclusion policy can be set + globally by including 'exclude-raw` in the '--global-transformation-options' + command line flag. If set, the command line flag always takes precedence over + this configuration. + type: boolean + excludes: + description: |- + Excludes contains regex patterns used to filter top-level source secret data + fields for exclusion from the final K8s Secret data. These pattern filters are + never applied to templated fields as defined in Templates. They are always + applied before any inclusion patterns. To exclude all source secret data + fields, you can configure the single pattern ".*". + items: + type: string + type: array + includes: + description: |- + Includes contains regex patterns used to filter top-level source secret data + fields for inclusion in the final K8s Secret data. These pattern filters are + never applied to templated fields as defined in Templates. They are always + applied last. + items: + type: string + type: array + templates: + additionalProperties: + description: Template provides templating configuration. + properties: + name: + description: Name of the Template + type: string + text: + description: |- + Text contains the Go text template format. 
The template + references attributes from the data structure of the source secret. + Refer to https://pkg.go.dev/text/template for more information. + type: string + required: + - text + type: object + description: |- + Templates maps a template name to its Template. Templates are always included + in the rendered K8s Secret, and take precedence over templates defined in a + SecretTransformation. + type: object + transformationRefs: + description: |- + TransformationRefs contain references to template configuration from + SecretTransformation. + items: + description: |- + TransformationRef contains the configuration for accessing templates from an + SecretTransformation resource. TransformationRefs can be shared across all + syncable secret custom resources. + properties: + ignoreExcludes: + description: |- + IgnoreExcludes controls whether to use the SecretTransformation's Excludes + data key filters. + type: boolean + ignoreIncludes: + description: |- + IgnoreIncludes controls whether to use the SecretTransformation's Includes + data key filters. + type: boolean + name: + description: Name of the SecretTransformation resource. + type: string + namespace: + description: Namespace of the SecretTransformation resource. + type: string + templateRefs: + description: |- + TemplateRefs map to a Template found in this TransformationRef. If empty, then + all templates from the SecretTransformation will be rendered to the K8s Secret. + items: + description: |- + TemplateRef points to templating text that is stored in a + SecretTransformation custom resource. + properties: + keyOverride: + description: |- + KeyOverride to the rendered template in the Destination secret. If Key is + empty, then the Key from reference spec will be used. Set this to override the + Key set from the reference spec. + type: string + name: + description: |- + Name of the Template in SecretTransformationSpec.Templates. + the rendered secret data. 
+ type: string + required: + - name + type: object + type: array + required: + - name + type: object + type: array + type: object + type: + description: |- + Type of Kubernetes Secret. Requires Create to be set to true. + Defaults to Opaque. + type: string + required: + - name + type: object + hcpAuthRef: + description: |- + HCPAuthRef to the HCPAuth resource, can be prefixed with a namespace, eg: + `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default + to the namespace of the HCPAuth CR. If no value is specified for HCPAuthRef the + Operator will default to the `default` HCPAuth, configured in the operator's + namespace. + type: string + refreshAfter: + default: 600s + description: RefreshAfter a period of time, in duration notation e.g. + 30s, 1m, 24h + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$ + type: string + rolloutRestartTargets: + description: |- + RolloutRestartTargets should be configured whenever the application(s) + consuming the HCP Vault Secrets App does not support dynamically reloading a + rotated secret. In that case one, or more RolloutRestartTarget(s) can be + configured here. The Operator will trigger a "rollout-restart" for each target + whenever the Vault secret changes between reconciliation events. See + RolloutRestartTarget for more details. + items: + description: |- + RolloutRestartTarget provides the configuration required to perform a + rollout-restart of the supported resources upon Vault Secret rotation. + The rollout-restart is triggered by patching the target resource's + 'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt' + with a timestamp value of when the trigger was executed. + E.g. 
vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z" + + Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout + properties: + kind: + description: Kind of the resource + enum: + - Deployment + - DaemonSet + - StatefulSet + - argo.Rollout + type: string + name: + description: Name of the resource + type: string + required: + - kind + - name + type: object + type: array + syncConfig: + description: SyncConfig configures sync behavior from HVS to VSO + properties: + dynamic: + description: Dynamic configures sync behavior for dynamic secrets. + properties: + renewalPercent: + default: 67 + description: |- + RenewalPercent is the percent out of 100 of a dynamic secret's TTL when + new secrets are generated. Defaults to 67 percent plus up to 10% jitter. + maximum: 90 + minimum: 0 + type: integer + type: object + type: object + required: + - appName + - destination + type: object + status: + description: HCPVaultSecretsAppStatus defines the observed state of HCPVaultSecretsApp + properties: + dynamicSecrets: + description: |- + DynamicSecrets lists the last observed state of any dynamic secrets + within the HCP Vault Secrets App + items: + description: |- + HVSDynamicStatus defines the observed state of a dynamic secret within an HCP + Vault Secrets App + properties: + createdAt: + description: CreatedAt is the timestamp string of when the dynamic + secret was created + type: string + expiresAt: + description: ExpiresAt is the timestamp string of when the dynamic + secret will expire + type: string + name: + description: Name of the dynamic secret + type: string + ttl: + description: TTL is the time-to-live of the dynamic secret in + seconds + type: string + type: object + type: array + lastGeneration: + description: LastGeneration is the Generation of the last reconciled + resource. + format: int64 + type: integer + secretMAC: + description: |- + SecretMAC used when deciding whether new Vault secret data should be synced. 
+ + The controller will compare the "new" HCP Vault Secrets App data to this value + using HMAC, if they are different, then the data will be synced to the + Destination. + + The SecretMac is also used to detect drift in the Destination Secret's Data. + If drift is detected the data will be synced to the Destination. + type: string + required: + - lastGeneration + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_secrettransformations.yaml b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_secrettransformations.yaml new file mode 100644 index 00000000000..5e49eec362e --- /dev/null +++ b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_secrettransformations.yaml 
@@ -0,0 +1,126 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller-manager + name: secrettransformations.secrets.hashicorp.com +spec: + group: secrets.hashicorp.com + names: + kind: SecretTransformation + listKind: SecretTransformationList + plural: secrettransformations + singular: secrettransformation + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: SecretTransformation is the Schema for the secrettransformations + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SecretTransformationSpec defines the desired state of SecretTransformation + properties: + excludes: + description: |- + Excludes contains regex patterns used to filter top-level source secret data + fields for exclusion from the final K8s Secret data. These pattern filters are + never applied to templated fields as defined in Templates. They are always + applied before any inclusion patterns. To exclude all source secret data + fields, you can configure the single pattern ".*". 
+ items: + type: string + type: array + includes: + description: |- + Includes contains regex patterns used to filter top-level source secret data + fields for inclusion in the final K8s Secret data. These pattern filters are + never applied to templated fields as defined in Templates. They are always + applied last. + items: + type: string + type: array + sourceTemplates: + description: |- + SourceTemplates are never included in the rendered K8s Secret, they can be + used to provide common template definitions, etc. + items: + description: SourceTemplate provides source templating configuration. + properties: + name: + type: string + text: + description: |- + Text contains the Go text template format. The template + references attributes from the data structure of the source secret. + Refer to https://pkg.go.dev/text/template for more information. + type: string + required: + - text + type: object + type: array + templates: + additionalProperties: + description: Template provides templating configuration. + properties: + name: + description: Name of the Template + type: string + text: + description: |- + Text contains the Go text template format. The template + references attributes from the data structure of the source secret. + Refer to https://pkg.go.dev/text/template for more information. + type: string + required: + - text + type: object + description: |- + Templates maps a template name to its Template. Templates are always included + in the rendered K8s Secret with the specified key. + type: object + type: object + status: + description: SecretTransformationStatus defines the observed state of + SecretTransformation + properties: + error: + type: string + valid: + type: boolean + required: + - error + - valid + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
diff --git a/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultauthglobals.yaml b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultauthglobals.yaml new file mode 100644 index 00000000000..120c748b861 --- /dev/null +++ b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultauthglobals.yaml 
@@ -0,0 +1,339 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller-manager + name: vaultauthglobals.secrets.hashicorp.com +spec: + group: secrets.hashicorp.com + names: + kind: VaultAuthGlobal + listKind: VaultAuthGlobalList + plural: vaultauthglobals + singular: vaultauthglobal + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: VaultAuthGlobal is the Schema for the vaultauthglobals API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VaultAuthGlobalSpec defines the desired state of VaultAuthGlobal + properties: + allowedNamespaces: + description: |- + AllowedNamespaces Kubernetes Namespaces which are allow-listed for use with + this VaultAuthGlobal. This field allows administrators to customize which + Kubernetes namespaces are authorized to reference this resource. While Vault + will still enforce its own rules, this has the added configurability of + restricting which VaultAuthMethods can be used by which namespaces. Accepted + values: []{"*"} - wildcard, all namespaces. []{"a", "b"} - list of namespaces. 
+ unset - disallow all namespaces except the Operator's and the referring + VaultAuthMethod's namespace, this is the default behavior. + items: + type: string + type: array + appRole: + description: AppRole specific auth configuration, requires that the + Method be set to `appRole`. + properties: + headers: + additionalProperties: + type: string + description: Headers to be included in all Vault requests. + type: object + mount: + description: Mount to use when authenticating to auth method. + type: string + namespace: + description: Namespace to auth to in Vault + type: string + params: + additionalProperties: + type: string + description: Params to use when authenticating to Vault + type: object + roleId: + description: RoleID of the AppRole Role to use for authenticating + to Vault. + type: string + secretRef: + description: |- + SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which + provides the AppRole Role's SecretID. The secret must have a key named `id` which holds the + AppRole Role's secretID. + type: string + type: object + aws: + description: AWS specific auth configuration, requires that Method + be set to `aws`. + properties: + headerValue: + description: The Vault header value to include in the STS signing + request + type: string + headers: + additionalProperties: + type: string + description: Headers to be included in all Vault requests. + type: object + iamEndpoint: + description: The IAM endpoint to use; if not set will use the + default + type: string + irsaServiceAccount: + description: |- + IRSAServiceAccount name to use with IAM Roles for Service Accounts + (IRSA), and should be annotated with "eks.amazonaws.com/role-arn". This + ServiceAccount will be checked for other EKS annotations: + eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration + type: string + mount: + description: Mount to use when authenticating to auth method. 
+ type: string + namespace: + description: Namespace to auth to in Vault + type: string + params: + additionalProperties: + type: string + description: Params to use when authenticating to Vault + type: object + region: + description: AWS Region to use for signing the authentication + request + type: string + role: + description: Vault role to use for authenticating + type: string + secretRef: + description: |- + SecretRef is the name of a Kubernetes Secret in the consumer's (VDS/VSS/PKI) namespace + which holds credentials for AWS. Expected keys include `access_key_id`, `secret_access_key`, + `session_token` + type: string + sessionName: + description: The role session name to use when creating a webidentity + provider + type: string + stsEndpoint: + description: The STS endpoint to use; if not set will use the + default + type: string + type: object + defaultAuthMethod: + description: DefaultAuthMethod to use when authenticating to Vault. + enum: + - kubernetes + - jwt + - appRole + - aws + - gcp + type: string + defaultMount: + description: |- + DefaultMount to use when authenticating to auth method. If not specified the mount of + the auth method configured in Vault will be used. + type: string + defaultVaultNamespace: + description: |- + DefaultVaultNamespace to auth to in Vault, if not specified the namespace of the auth + method will be used. This can be used as a default Vault namespace for all + auth methods. + type: string + gcp: + description: GCP specific auth configuration, requires that Method + be set to `gcp`. + properties: + clusterName: + description: |- + GKE cluster name. Defaults to the cluster-name returned from the operator + pod's local metadata server. + type: string + headers: + additionalProperties: + type: string + description: Headers to be included in all Vault requests. + type: object + mount: + description: Mount to use when authenticating to auth method. 
+ type: string + namespace: + description: Namespace to auth to in Vault + type: string + params: + additionalProperties: + type: string + description: Params to use when authenticating to Vault + type: object + projectID: + description: |- + GCP project ID. Defaults to the project-id returned from the operator + pod's local metadata server. + type: string + region: + description: |- + GCP Region of the GKE cluster's identity provider. Defaults to the region + returned from the operator pod's local metadata server. + type: string + role: + description: Vault role to use for authenticating + type: string + workloadIdentityServiceAccount: + description: |- + WorkloadIdentityServiceAccount is the name of a Kubernetes service + account (in the same Kubernetes namespace as the Vault*Secret referencing + this resource) which has been configured for workload identity in GKE. + Should be annotated with "iam.gke.io/gcp-service-account". + type: string + type: object + headers: + additionalProperties: + type: string + description: DefaultHeaders to be included in all Vault requests. + type: object + jwt: + description: JWT specific auth configuration, requires that the Method + be set to `jwt`. + properties: + audiences: + description: TokenAudiences to include in the ServiceAccount token. + items: + type: string + type: array + headers: + additionalProperties: + type: string + description: Headers to be included in all Vault requests. + type: object + mount: + description: Mount to use when authenticating to auth method. + type: string + namespace: + description: Namespace to auth to in Vault + type: string + params: + additionalProperties: + type: string + description: Params to use when authenticating to Vault + type: object + role: + description: Role to use for authenticating to Vault. 
+ type: string + secretRef: + description: |- + SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which + provides the JWT token to authenticate to Vault's JWT authentication backend. The secret must + have a key named `jwt` which holds the JWT token. + type: string + serviceAccount: + description: |- + ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's + JWT authentication backend. + type: string + tokenExpirationSeconds: + default: 600 + description: TokenExpirationSeconds to set the ServiceAccount + token. + format: int64 + minimum: 600 + type: integer + type: object + kubernetes: + description: Kubernetes specific auth configuration, requires that + the Method be set to `kubernetes`. + properties: + audiences: + description: TokenAudiences to include in the ServiceAccount token. + items: + type: string + type: array + headers: + additionalProperties: + type: string + description: Headers to be included in all Vault requests. + type: object + mount: + description: Mount to use when authenticating to auth method. + type: string + namespace: + description: Namespace to auth to in Vault + type: string + params: + additionalProperties: + type: string + description: Params to use when authenticating to Vault + type: object + role: + description: Role to use for authenticating to Vault. + type: string + serviceAccount: + description: |- + ServiceAccount to use when authenticating to Vault's + authentication backend. This must reside in the consuming secret's (VDS/VSS/PKI) namespace. + type: string + tokenExpirationSeconds: + default: 600 + description: TokenExpirationSeconds to set the ServiceAccount + token. 
+ format: int64 + minimum: 600 + type: integer + type: object + params: + additionalProperties: + type: string + description: DefaultParams to use when authenticating to Vault + type: object + vaultConnectionRef: + description: |- + VaultConnectionRef to the VaultConnection resource, can be prefixed with a namespace, + eg: `namespaceA/vaultConnectionRefB`. If no namespace prefix is provided it will default to + the namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the + Operator will default to the `default` VaultConnection, configured in the operator's namespace. + type: string + type: object + status: + description: VaultAuthGlobalStatus defines the observed state of VaultAuthGlobal + properties: + error: + type: string + valid: + description: Valid auth mechanism. + type: boolean + required: + - error + - valid + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultauths.yaml b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultauths.yaml new file mode 100644 index 00000000000..8aa71ecf6be --- /dev/null +++ b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultauths.yaml 
@@ -0,0 +1,403 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller-manager + name: vaultauths.secrets.hashicorp.com +spec: + group: secrets.hashicorp.com + names: + kind: VaultAuth + listKind: VaultAuthList + plural: vaultauths + singular: vaultauth + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: VaultAuth is the Schema for the vaultauths API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VaultAuthSpec defines the desired state of VaultAuth + properties: + allowedNamespaces: + description: |- + AllowedNamespaces Kubernetes Namespaces which are allow-listed for use with this AuthMethod. + This field allows administrators to customize which Kubernetes namespaces are authorized to + use with this AuthMethod. While Vault will still enforce its own rules, this has the added + configurability of restricting which VaultAuthMethods can be used by which namespaces. + Accepted values: + []{"*"} - wildcard, all namespaces. + []{"a", "b"} - list of namespaces. 
+ unset - disallow all namespaces except the Operator's the VaultAuthMethod's namespace, this + is the default behavior. + items: + type: string + type: array + appRole: + description: AppRole specific auth configuration, requires that the + Method be set to `appRole`. + properties: + roleId: + description: RoleID of the AppRole Role to use for authenticating + to Vault. + type: string + secretRef: + description: |- + SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which + provides the AppRole Role's SecretID. The secret must have a key named `id` which holds the + AppRole Role's secretID. + type: string + type: object + aws: + description: AWS specific auth configuration, requires that Method + be set to `aws`. + properties: + headerValue: + description: The Vault header value to include in the STS signing + request + type: string + iamEndpoint: + description: The IAM endpoint to use; if not set will use the + default + type: string + irsaServiceAccount: + description: |- + IRSAServiceAccount name to use with IAM Roles for Service Accounts + (IRSA), and should be annotated with "eks.amazonaws.com/role-arn". This + ServiceAccount will be checked for other EKS annotations: + eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration + type: string + region: + description: AWS Region to use for signing the authentication + request + type: string + role: + description: Vault role to use for authenticating + type: string + secretRef: + description: |- + SecretRef is the name of a Kubernetes Secret in the consumer's (VDS/VSS/PKI) namespace + which holds credentials for AWS. 
Expected keys include `access_key_id`, `secret_access_key`, + `session_token` + type: string + sessionName: + description: The role session name to use when creating a webidentity + provider + type: string + stsEndpoint: + description: The STS endpoint to use; if not set will use the + default + type: string + type: object + gcp: + description: GCP specific auth configuration, requires that Method + be set to `gcp`. + properties: + clusterName: + description: |- + GKE cluster name. Defaults to the cluster-name returned from the operator + pod's local metadata server. + type: string + projectID: + description: |- + GCP project ID. Defaults to the project-id returned from the operator + pod's local metadata server. + type: string + region: + description: |- + GCP Region of the GKE cluster's identity provider. Defaults to the region + returned from the operator pod's local metadata server. + type: string + role: + description: Vault role to use for authenticating + type: string + workloadIdentityServiceAccount: + description: |- + WorkloadIdentityServiceAccount is the name of a Kubernetes service + account (in the same Kubernetes namespace as the Vault*Secret referencing + this resource) which has been configured for workload identity in GKE. + Should be annotated with "iam.gke.io/gcp-service-account". + type: string + type: object + headers: + additionalProperties: + type: string + description: Headers to be included in all Vault requests. + type: object + jwt: + description: JWT specific auth configuration, requires that the Method + be set to `jwt`. + properties: + audiences: + description: TokenAudiences to include in the ServiceAccount token. + items: + type: string + type: array + role: + description: Role to use for authenticating to Vault. + type: string + secretRef: + description: |- + SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which + provides the JWT token to authenticate to Vault's JWT authentication backend. 
The secret must + have a key named `jwt` which holds the JWT token. + type: string + serviceAccount: + description: |- + ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's + JWT authentication backend. + type: string + tokenExpirationSeconds: + default: 600 + description: TokenExpirationSeconds to set the ServiceAccount + token. + format: int64 + minimum: 600 + type: integer + type: object + kubernetes: + description: Kubernetes specific auth configuration, requires that + the Method be set to `kubernetes`. + properties: + audiences: + description: TokenAudiences to include in the ServiceAccount token. + items: + type: string + type: array + role: + description: Role to use for authenticating to Vault. + type: string + serviceAccount: + description: |- + ServiceAccount to use when authenticating to Vault's + authentication backend. This must reside in the consuming secret's (VDS/VSS/PKI) namespace. + type: string + tokenExpirationSeconds: + default: 600 + description: TokenExpirationSeconds to set the ServiceAccount + token. + format: int64 + minimum: 600 + type: integer + type: object + method: + description: Method to use when authenticating to Vault. + enum: + - kubernetes + - jwt + - appRole + - aws + - gcp + type: string + mount: + description: Mount to use when authenticating to auth method. + type: string + namespace: + description: Namespace to auth to in Vault + type: string + params: + additionalProperties: + type: string + description: Params to use when authenticating to Vault + type: object + storageEncryption: + description: |- + StorageEncryption provides the necessary configuration to encrypt the client storage cache. + This should only be configured when client cache persistence with encryption is enabled. + This is done by passing setting the manager's commandline argument + --client-cache-persistence-model=direct-encrypted. 
Typically, there should only ever + be one VaultAuth configured with StorageEncryption in the Cluster, and it should have + the label: cacheStorageEncryption=true + properties: + keyName: + description: KeyName to use for encrypt/decrypt operations via + Vault Transit. + type: string + mount: + description: Mount path of the Transit engine in Vault. + type: string + required: + - keyName + - mount + type: object + vaultAuthGlobalRef: + description: VaultAuthGlobalRef. + properties: + allowDefault: + description: |- + AllowDefault when set to true will use the default VaultAuthGlobal resource + as the default if Name is not set. The 'allow-default-globals' option must be + set on the operator's '-global-vault-auth-options' flag + + The default VaultAuthGlobal search is conditional. + When a ref Namespace is set, the search for the default + VaultAuthGlobal resource is constrained to that namespace. + Otherwise, the search order is: + 1. The default VaultAuthGlobal resource in the referring VaultAuth resource's + namespace. + 2. The default VaultAuthGlobal resource in the Operator's namespace. + type: boolean + mergeStrategy: + description: |- + MergeStrategy configures the merge strategy for HTTP headers and parameters + that are included in all Vault authentication requests. + properties: + headers: + description: |- + Headers configures the merge strategy for HTTP headers that are included in + all Vault requests. Choices are `union`, `replace`, or `none`. + + If `union` is set, the headers from the VaultAuthGlobal and VaultAuth + resources are merged. The headers from the VaultAuth always take precedence. + + If `replace` is set, the first set of non-empty headers taken in order from: + VaultAuth, VaultAuthGlobal auth method, VaultGlobal default headers. + + If `none` is set, the headers from the + VaultAuthGlobal resource are ignored and only the headers from the VaultAuth + resource are used. The default is `none`. 
+ enum: + - union + - replace + - none + type: string + params: + description: |- + Params configures the merge strategy for HTTP parameters that are included in + all Vault requests. Choices are `union`, `replace`, or `none`. + + If `union` is set, the parameters from the VaultAuthGlobal and VaultAuth + resources are merged. The parameters from the VaultAuth always take + precedence. + + If `replace` is set, the first set of non-empty parameters taken in order from: + VaultAuth, VaultAuthGlobal auth method, VaultGlobal default parameters. + + If `none` is set, the parameters from the VaultAuthGlobal resource are ignored + and only the parameters from the VaultAuth resource are used. The default is + `none`. + enum: + - union + - replace + - none + type: string + type: object + name: + description: Name of the VaultAuthGlobal resource. + pattern: ^([a-z0-9.-]{1,253})$ + type: string + namespace: + description: |- + Namespace of the VaultAuthGlobal resource. If not provided, the namespace of + the referring VaultAuth resource is used. + pattern: ^([a-z0-9.-]{1,253})$ + type: string + type: object + vaultConnectionRef: + description: |- + VaultConnectionRef to the VaultConnection resource, can be prefixed with a namespace, + eg: `namespaceA/vaultConnectionRefB`. If no namespace prefix is provided it will default to + the namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the + Operator will default to the `default` VaultConnection, configured in the operator's namespace. + type: string + type: object + status: + description: VaultAuthStatus defines the observed state of VaultAuth + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + error: + type: string + specHash: + type: string + valid: + description: Valid auth mechanism. + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
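Review bot: The `allowedNamespaces` items and `vaultConnectionRef` in this VaultAuth schema are unconstrained strings, while `vaultAuthGlobalRef.name` and `.namespace` in the same schema carry `pattern: ^([a-z0-9.-]{1,253})$`; since the manifest is generated (annotation `controller-gen.kubebuilder.io/version: v0.16.3`), a `// +kubebuilder:validation:Pattern` marker on those Go fields would make the allow-list and connection reference fail at admission rather than be interpreted by the controller. The `allowedNamespaces` description also reads garbled at "except the Operator's the VaultAuthMethod's namespace"; it should be reworded in the Go comment, presumably along the lines of `unset - disallow all namespaces except the VaultAuth resource's own namespace; this is the default behavior.` (confirm the intended default against the controller). Both fixes belong in the Go types rather than in this generated file.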
diff --git a/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultconnections.yaml b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultconnections.yaml new file mode 100644 index 00000000000..b45d3360a5f --- /dev/null +++ b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultconnections.yaml 
@@ -0,0 +1,92 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.3
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: controller-manager
+ name: vaultconnections.secrets.hashicorp.com
+spec:
+ group: secrets.hashicorp.com
+ names:
+ kind: VaultConnection
+ listKind: VaultConnectionList
+ plural: vaultconnections
+ singular: vaultconnection
+ scope: Namespaced
+ versions:
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: VaultConnection is the Schema for the vaultconnections API
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: VaultConnectionSpec defines the desired state of VaultConnection
+ properties:
+ address:
+ description: Address of the Vault server
+ type: string
+ caCertSecretRef:
+ description: CACertSecretRef is the name of a Kubernetes secret containing
+ the trusted PEM encoded CA certificate chain as `ca.crt`.
+ type: string
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers to be included in all Vault requests.
+ type: object
+ skipTLSVerify:
+ default: false
+ description: SkipTLSVerify for TLS connections.
+ type: boolean
+ timeout:
+ description: |-
+ Timeout applied to all Vault requests for this connection. If not set, the
+ default timeout from the Vault API client config is used.
+ pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
+ type: string
+ tlsServerName:
+ description: TLSServerName to use as the SNI host for TLS connections.
+ type: string
+ required:
+ - address
+ - skipTLSVerify
+ type: object
+ status:
+ description: VaultConnectionStatus defines the observed state of VaultConnection
+ properties:
+ valid:
+ description: Valid auth mechanism.
+ type: boolean
+ required:
+ - valid
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultdynamicsecrets.yaml b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultdynamicsecrets.yaml
new file mode 100644
index 00000000000..4ca1788013a
--- /dev/null
+++ b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultdynamicsecrets.yaml
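Review bot: `skipTLSVerify` is documented only as `SkipTLSVerify for TLS connections.`, which does not tell the person writing a VaultConnection that `true` disables verification of the Vault server's certificate, and with it the server authentication that every request on this connection relies on; the generated description should say so, e.g. `SkipTLSVerify for TLS connections. When true the Vault server's certificate is not verified; prefer CACertSecretRef (and TLSServerName) over disabling verification.` `address` is likewise a free-form string; a pattern or `format` marker on the Go field would reject non-URL values at admission instead of at reconcile time (how the controller reports such a value is outside this hunk). Since the CRD is controller-gen output, both changes go in the Go type comment and markers.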
@@ -0,0 +1,415 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller-manager + name: vaultdynamicsecrets.secrets.hashicorp.com +spec: + group: secrets.hashicorp.com + names: + kind: VaultDynamicSecret + listKind: VaultDynamicSecretList + plural: vaultdynamicsecrets + singular: vaultdynamicsecret + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: VaultDynamicSecret is the Schema for the vaultdynamicsecrets + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VaultDynamicSecretSpec defines the desired state of VaultDynamicSecret + properties: + allowStaticCreds: + description: |- + AllowStaticCreds should be set when syncing credentials that are periodically + rotated by the Vault server, rather than created upon request. These secrets + are sometimes referred to as "static roles", or "static credentials", with a + request path that contains "static-creds". + type: boolean + destination: + description: Destination provides configuration necessary for syncing + the Vault secret to Kubernetes. 
+ properties: + annotations: + additionalProperties: + type: string + description: Annotations to apply to the Secret. Requires Create + to be set to true. + type: object + create: + default: false + description: |- + Create the destination Secret. + If the Secret already exists this should be set to false. + type: boolean + labels: + additionalProperties: + type: string + description: Labels to apply to the Secret. Requires Create to + be set to true. + type: object + name: + description: Name of the Secret + type: string + overwrite: + default: false + description: |- + Overwrite the destination Secret if it exists and Create is true. This is + useful when migrating to VSO from a previous secret deployment strategy. + type: boolean + transformation: + description: |- + Transformation provides configuration for transforming the secret data before + it is stored in the Destination. + properties: + excludeRaw: + description: |- + ExcludeRaw data from the destination Secret. Exclusion policy can be set + globally by including 'exclude-raw` in the '--global-transformation-options' + command line flag. If set, the command line flag always takes precedence over + this configuration. + type: boolean + excludes: + description: |- + Excludes contains regex patterns used to filter top-level source secret data + fields for exclusion from the final K8s Secret data. These pattern filters are + never applied to templated fields as defined in Templates. They are always + applied before any inclusion patterns. To exclude all source secret data + fields, you can configure the single pattern ".*". + items: + type: string + type: array + includes: + description: |- + Includes contains regex patterns used to filter top-level source secret data + fields for inclusion in the final K8s Secret data. These pattern filters are + never applied to templated fields as defined in Templates. They are always + applied last. 
+ items: + type: string + type: array + templates: + additionalProperties: + description: Template provides templating configuration. + properties: + name: + description: Name of the Template + type: string + text: + description: |- + Text contains the Go text template format. The template + references attributes from the data structure of the source secret. + Refer to https://pkg.go.dev/text/template for more information. + type: string + required: + - text + type: object + description: |- + Templates maps a template name to its Template. Templates are always included + in the rendered K8s Secret, and take precedence over templates defined in a + SecretTransformation. + type: object + transformationRefs: + description: |- + TransformationRefs contain references to template configuration from + SecretTransformation. + items: + description: |- + TransformationRef contains the configuration for accessing templates from an + SecretTransformation resource. TransformationRefs can be shared across all + syncable secret custom resources. + properties: + ignoreExcludes: + description: |- + IgnoreExcludes controls whether to use the SecretTransformation's Excludes + data key filters. + type: boolean + ignoreIncludes: + description: |- + IgnoreIncludes controls whether to use the SecretTransformation's Includes + data key filters. + type: boolean + name: + description: Name of the SecretTransformation resource. + type: string + namespace: + description: Namespace of the SecretTransformation resource. + type: string + templateRefs: + description: |- + TemplateRefs map to a Template found in this TransformationRef. If empty, then + all templates from the SecretTransformation will be rendered to the K8s Secret. + items: + description: |- + TemplateRef points to templating text that is stored in a + SecretTransformation custom resource. + properties: + keyOverride: + description: |- + KeyOverride to the rendered template in the Destination secret. 
If Key is + empty, then the Key from reference spec will be used. Set this to override the + Key set from the reference spec. + type: string + name: + description: |- + Name of the Template in SecretTransformationSpec.Templates. + the rendered secret data. + type: string + required: + - name + type: object + type: array + required: + - name + type: object + type: array + type: object + type: + description: |- + Type of Kubernetes Secret. Requires Create to be set to true. + Defaults to Opaque. + type: string + required: + - name + type: object + mount: + description: Mount path of the secret's engine in Vault. + type: string + namespace: + description: |- + Namespace of the secrets engine mount in Vault. If not set, the namespace that's + part of VaultAuth resource will be inferred. + type: string + params: + additionalProperties: + type: string + description: |- + Params that can be passed when requesting credentials/secrets. + When Params is set the configured RequestHTTPMethod will be + ignored. See RequestHTTPMethod for more details. + Please consult https://developer.hashicorp.com/vault/docs/secrets if you are + uncertain about what 'params' should/can be set to. + type: object + path: + description: |- + Path in Vault to get the credentials for, and is relative to Mount. + Please consult https://developer.hashicorp.com/vault/docs/secrets if you are + uncertain about what 'path' should be set to. + type: string + refreshAfter: + description: |- + RefreshAfter a period of time for VSO to sync the source secret data, in + duration notation e.g. 30s, 1m, 24h. This value only needs to be set when + syncing from a secret's engine that does not provide a lease TTL in its + response. The value should be within the secret engine's configured ttl or + max_ttl. The source secret's lease duration takes precedence over this + configuration when it is greater than 0. 
+ pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$ + type: string + renewalPercent: + default: 67 + description: |- + RenewalPercent is the percent out of 100 of the lease duration when the + lease is renewed. Defaults to 67 percent plus jitter. + maximum: 90 + minimum: 0 + type: integer + requestHTTPMethod: + description: |- + RequestHTTPMethod to use when syncing Secrets from Vault. + Setting a value here is not typically required. + If left unset the Operator will make requests using the GET method. + In the case where Params are specified the Operator will use the PUT method. + Please consult https://developer.hashicorp.com/vault/docs/secrets if you are + uncertain about what method to use. + Of note, the Vault client treats PUT and POST as being equivalent. + The underlying Vault client implementation will always use the PUT method. + enum: + - GET + - POST + - PUT + type: string + revoke: + description: Revoke the existing lease on VDS resource deletion. + type: boolean + rolloutRestartTargets: + description: |- + RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does + not support dynamically reloading a rotated secret. + In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will + trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. + See RolloutRestartTarget for more details. + items: + description: |- + RolloutRestartTarget provides the configuration required to perform a + rollout-restart of the supported resources upon Vault Secret rotation. + The rollout-restart is triggered by patching the target resource's + 'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt' + with a timestamp value of when the trigger was executed. + E.g. 
vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z" + + Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout + properties: + kind: + description: Kind of the resource + enum: + - Deployment + - DaemonSet + - StatefulSet + - argo.Rollout + type: string + name: + description: Name of the resource + type: string + required: + - kind + - name + type: object + type: array + vaultAuthRef: + description: |- + VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace, + eg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to + the namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator + will default to the `default` VaultAuth, configured in the operator's namespace. + type: string + required: + - destination + - mount + - path + type: object + status: + description: VaultDynamicSecretStatus defines the observed state of VaultDynamicSecret + properties: + lastGeneration: + description: LastGeneration is the Generation of the last reconciled + resource. + format: int64 + type: integer + lastRenewalTime: + description: LastRenewalTime of the last successful secret lease renewal. + format: int64 + type: integer + lastRuntimePodUID: + description: |- + LastRuntimePodUID used for tracking the transition from one Pod to the next. + It is used to mitigate the effects of a Vault lease renewal storm. + type: string + secretLease: + description: SecretLease for the Vault secret. + properties: + duration: + description: LeaseDuration of the Vault secret. + type: integer + id: + description: ID of the Vault secret. + type: string + renewable: + description: Renewable Vault secret lease + type: boolean + requestID: + description: RequestID of the Vault secret request. + type: string + required: + - duration + - id + - renewable + - requestID + type: object + secretMAC: + description: |- + SecretMAC used when deciding whether new Vault secret data should be synced. 
+ + The controller will compare the "new" Vault secret data to this value using HMAC, + if they are different, then the data will be synced to the Destination. + + The SecretMac is also used to detect drift in the Destination Secret's Data. + If drift is detected the data will be synced to the Destination. + SecretMAC will only be stored when VaultDynamicSecretSpec.AllowStaticCreds is true. + type: string + staticCredsMetaData: + description: StaticCredsMetaData contains the static creds response + meta-data + properties: + lastVaultRotation: + description: LastVaultRotation represents the last time Vault + rotated the password + format: int64 + type: integer + rotationPeriod: + description: |- + RotationPeriod is number in seconds between each rotation, effectively a + "time to live". This value is compared to the LastVaultRotation to + determine if a password needs to be rotated + format: int64 + type: integer + rotationSchedule: + description: |- + RotationSchedule is a "cron style" string representing the allowed + schedule for each rotation. + e.g. "1 0 * * *" would rotate at one minute past midnight (00:01) every + day. + type: string + ttl: + description: TTL is the seconds remaining before the next rotation. + format: int64 + type: integer + required: + - lastVaultRotation + - rotationPeriod + - ttl + type: object + vaultClientMeta: + description: |- + VaultClientMeta contains the status of the Vault client and is used during + resource reconciliation. + properties: + cacheKey: + description: CacheKey is the unique key used to identify the client + cache. + type: string + id: + description: |- + ID is the Vault ID of the authenticated client. The ID should never contain + any sensitive information. 
+ type: string + type: object + required: + - lastGeneration + - lastRenewalTime + - secretLease + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultpkisecrets.yaml b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultpkisecrets.yaml new file mode 100644 index 00000000000..52cf19ea57d --- /dev/null +++ b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultpkisecrets.yaml 
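Review bot: `destination.name` is the Kubernetes Secret the operator creates or updates, yet the schema accepts any string, whereas the VaultAuth CRD earlier in this patch constrains `vaultAuthGlobalRef.name` with `pattern: ^([a-z0-9.-]{1,253})$`; the same marker on the Go `Destination.Name` field would reject invalid Secret names at admission and keep the two schemas consistent. The `secretMAC` status description first says the controller compares every new Vault secret response against it, then that `SecretMAC will only be stored when VaultDynamicSecretSpec.AllowStaticCreds is true` — the two sentences read as contradictory from the schema alone, and the comment also alternates between `SecretMAC` and `SecretMac`; the Go comment should state which condition actually governs storage. Both are documentation changes to the generated source, not to this manifest.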
@@ -0,0 +1,391 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller-manager + name: vaultpkisecrets.secrets.hashicorp.com +spec: + group: secrets.hashicorp.com + names: + kind: VaultPKISecret + listKind: VaultPKISecretList + plural: vaultpkisecrets + singular: vaultpkisecret + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: VaultPKISecret is the Schema for the vaultpkisecrets API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VaultPKISecretSpec defines the desired state of VaultPKISecret + properties: + altNames: + description: |- + AltNames to include in the request + May contain both DNS names and email addresses. + items: + type: string + type: array + clear: + description: Clear the Kubernetes secret when the resource is deleted. + type: boolean + commonName: + description: CommonName to include in the request. + type: string + destination: + description: |- + Destination provides configuration necessary for syncing the Vault secret + to Kubernetes. 
If the type is set to "kubernetes.io/tls", "tls.key" will + be set to the "private_key" response from Vault, and "tls.crt" will be + set to "certificate" + "ca_chain" from the Vault response ("issuing_ca" + is used when "ca_chain" is empty). The "remove_roots_from_chain=true" + option is used with Vault to exclude the root CA from the Vault response. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to apply to the Secret. Requires Create + to be set to true. + type: object + create: + default: false + description: |- + Create the destination Secret. + If the Secret already exists this should be set to false. + type: boolean + labels: + additionalProperties: + type: string + description: Labels to apply to the Secret. Requires Create to + be set to true. + type: object + name: + description: Name of the Secret + type: string + overwrite: + default: false + description: |- + Overwrite the destination Secret if it exists and Create is true. This is + useful when migrating to VSO from a previous secret deployment strategy. + type: boolean + transformation: + description: |- + Transformation provides configuration for transforming the secret data before + it is stored in the Destination. + properties: + excludeRaw: + description: |- + ExcludeRaw data from the destination Secret. Exclusion policy can be set + globally by including 'exclude-raw` in the '--global-transformation-options' + command line flag. If set, the command line flag always takes precedence over + this configuration. + type: boolean + excludes: + description: |- + Excludes contains regex patterns used to filter top-level source secret data + fields for exclusion from the final K8s Secret data. These pattern filters are + never applied to templated fields as defined in Templates. They are always + applied before any inclusion patterns. To exclude all source secret data + fields, you can configure the single pattern ".*". 
+ items: + type: string + type: array + includes: + description: |- + Includes contains regex patterns used to filter top-level source secret data + fields for inclusion in the final K8s Secret data. These pattern filters are + never applied to templated fields as defined in Templates. They are always + applied last. + items: + type: string + type: array + templates: + additionalProperties: + description: Template provides templating configuration. + properties: + name: + description: Name of the Template + type: string + text: + description: |- + Text contains the Go text template format. The template + references attributes from the data structure of the source secret. + Refer to https://pkg.go.dev/text/template for more information. + type: string + required: + - text + type: object + description: |- + Templates maps a template name to its Template. Templates are always included + in the rendered K8s Secret, and take precedence over templates defined in a + SecretTransformation. + type: object + transformationRefs: + description: |- + TransformationRefs contain references to template configuration from + SecretTransformation. + items: + description: |- + TransformationRef contains the configuration for accessing templates from an + SecretTransformation resource. TransformationRefs can be shared across all + syncable secret custom resources. + properties: + ignoreExcludes: + description: |- + IgnoreExcludes controls whether to use the SecretTransformation's Excludes + data key filters. + type: boolean + ignoreIncludes: + description: |- + IgnoreIncludes controls whether to use the SecretTransformation's Includes + data key filters. + type: boolean + name: + description: Name of the SecretTransformation resource. + type: string + namespace: + description: Namespace of the SecretTransformation resource. + type: string + templateRefs: + description: |- + TemplateRefs map to a Template found in this TransformationRef. 
If empty, then + all templates from the SecretTransformation will be rendered to the K8s Secret. + items: + description: |- + TemplateRef points to templating text that is stored in a + SecretTransformation custom resource. + properties: + keyOverride: + description: |- + KeyOverride to the rendered template in the Destination secret. If Key is + empty, then the Key from reference spec will be used. Set this to override the + Key set from the reference spec. + type: string + name: + description: |- + Name of the Template in SecretTransformationSpec.Templates. + the rendered secret data. + type: string + required: + - name + type: object + type: array + required: + - name + type: object + type: array + type: object + type: + description: |- + Type of Kubernetes Secret. Requires Create to be set to true. + Defaults to Opaque. + type: string + required: + - name + type: object + excludeCNFromSans: + description: |- + ExcludeCNFromSans from DNS or Email Subject Alternate Names. + Default: false + type: boolean + expiryOffset: + description: |- + ExpiryOffset to use for computing when the certificate should be renewed. + The rotation time will be difference between the expiration and the offset. + Should be in duration notation e.g. 30s, 120s, etc. + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$ + type: string + format: + description: |- + Format for the certificate. Choices: "pem", "der", "pem_bundle". + If "pem_bundle", + any private key and issuing cert will be appended to the certificate pem. + If "der", the value will be base64 encoded. + Default: pem + type: string + ipSans: + description: IPSans to include in the request. + items: + type: string + type: array + issuerRef: + description: |- + IssuerRef reference to an existing PKI issuer, either by Vault-generated + identifier, the literal string default to refer to the currently + configured default issuer, or the name assigned to an issuer. + This parameter is part of the request URL. 
+ type: string + mount: + description: Mount for the secret in Vault + type: string + namespace: + description: |- + Namespace of the secrets engine mount in Vault. If not set, the namespace that's + part of VaultAuth resource will be inferred. + type: string + notAfter: + description: |- + NotAfter field of the certificate with specified date value. + The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ + type: string + otherSans: + description: |- + Requested other SANs, in an array with the format + oid;type:value for each entry. + items: + type: string + type: array + privateKeyFormat: + description: |- + PrivateKeyFormat, generally the default will be controlled by the Format + parameter as either base64-encoded DER or PEM-encoded DER. + However, this can be set to "pkcs8" to have the returned + private key contain base64-encoded pkcs8 or PEM-encoded + pkcs8 instead. + Default: der + type: string + revoke: + description: Revoke the certificate when the resource is deleted. + type: boolean + role: + description: Role in Vault to use when issuing TLS certificates. + type: string + rolloutRestartTargets: + description: |- + RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does + not support dynamically reloading a rotated secret. + In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will + trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. + See RolloutRestartTarget for more details. + items: + description: |- + RolloutRestartTarget provides the configuration required to perform a + rollout-restart of the supported resources upon Vault Secret rotation. + The rollout-restart is triggered by patching the target resource's + 'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt' + with a timestamp value of when the trigger was executed. + E.g. 
vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z" + + Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout + properties: + kind: + description: Kind of the resource + enum: + - Deployment + - DaemonSet + - StatefulSet + - argo.Rollout + type: string + name: + description: Name of the resource + type: string + required: + - kind + - name + type: object + type: array + ttl: + description: |- + TTL for the certificate; sets the expiration date. + If not specified the Vault role's default, + backend default, or system default TTL is used, in that order. + Cannot be larger than the mount's max TTL. + Note: this only has an effect when generating a CA cert or signing a CA cert, + not when generating a CSR for an intermediate CA. + Should be in duration notation e.g. 120s, 2h, etc. + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$ + type: string + uriSans: + description: The requested URI SANs. + items: + type: string + type: array + userIDs: + description: |- + User ID (OID 0.9.2342.19200300.100.1.1) Subject values to be placed on the + signed certificate. + items: + type: string + type: array + vaultAuthRef: + description: |- + VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace, + eg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to + the namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator + will default to the `default` VaultAuth, configured in the operator's namespace. + type: string + required: + - destination + - mount + - role + type: object + status: + description: VaultPKISecretStatus defines the observed state of VaultPKISecret + properties: + error: + type: string + expiration: + format: int64 + type: integer + lastGeneration: + description: LastGeneration is the Generation of the last reconciled + resource. + format: int64 + type: integer + lastRotation: + description: LastLastRotation of the certificate. 
+ format: int64 + type: integer + secretMAC: + description: |- + SecretMAC used when deciding whether new Vault secret data should be synced. + + The controller will compare the "new" Vault secret data to this value using HMAC, + if they are different, then the data will be synced to the Destination. + + The SecretMac is also used to detect drift in the Destination Secret's Data. + If drift is detected the data will be synced to the Destination. + type: string + serialNumber: + type: string + valid: + type: boolean + required: + - error + - lastGeneration + - lastRotation + - valid + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultstaticsecrets.yaml b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultstaticsecrets.yaml new file mode 100644 index 00000000000..7cd87aefa06 --- /dev/null +++ b/operators/vault-secrets-operator/0.9.0/manifests/secrets.hashicorp.com_vaultstaticsecrets.yaml 
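Review bot: `spec.notAfter` prescribes a UTC timestamp in the form `YYYY-MM-ddTHH:MM:SSZ` in its description but carries no schema validation, unlike the sibling `expiryOffset` and `ttl` fields which enforce a duration `pattern`, so a malformed value is admitted and presumably only fails later when Vault rejects the request, surfacing in `status.error` rather than at admission. Adding `format: date-time` to that property would reject it up front (this file is controller-gen output, so the change belongs on the Go field as `+kubebuilder:validation:Format=date-time`). Two smaller points in the same hunk: the `status.lastRotation` description reads `LastLastRotation of the certificate.` and should read `LastRotation of the certificate.`; and `clear` and `revoke` declare no `default`, whereas `destination.create` and `destination.overwrite` do, so whether a certificate is revoked on deletion is left implicit to anyone reading the CRD — `default: false` on both would make the effective behaviour visible in the schema.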
@@ -0,0 +1,318 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + creationTimestamp: null + labels: + app.kubernetes.io/component: controller-manager + name: vaultstaticsecrets.secrets.hashicorp.com +spec: + group: secrets.hashicorp.com + names: + kind: VaultStaticSecret + listKind: VaultStaticSecretList + plural: vaultstaticsecrets + singular: vaultstaticsecret + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: VaultStaticSecret is the Schema for the vaultstaticsecrets API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VaultStaticSecretSpec defines the desired state of VaultStaticSecret + properties: + destination: + description: Destination provides configuration necessary for syncing + the Vault secret to Kubernetes. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to apply to the Secret. Requires Create + to be set to true. + type: object + create: + default: false + description: |- + Create the destination Secret. + If the Secret already exists this should be set to false. + type: boolean + labels: + additionalProperties: + type: string + description: Labels to apply to the Secret. 
Requires Create to + be set to true. + type: object + name: + description: Name of the Secret + type: string + overwrite: + default: false + description: |- + Overwrite the destination Secret if it exists and Create is true. This is + useful when migrating to VSO from a previous secret deployment strategy. + type: boolean + transformation: + description: |- + Transformation provides configuration for transforming the secret data before + it is stored in the Destination. + properties: + excludeRaw: + description: |- + ExcludeRaw data from the destination Secret. Exclusion policy can be set + globally by including 'exclude-raw` in the '--global-transformation-options' + command line flag. If set, the command line flag always takes precedence over + this configuration. + type: boolean + excludes: + description: |- + Excludes contains regex patterns used to filter top-level source secret data + fields for exclusion from the final K8s Secret data. These pattern filters are + never applied to templated fields as defined in Templates. They are always + applied before any inclusion patterns. To exclude all source secret data + fields, you can configure the single pattern ".*". + items: + type: string + type: array + includes: + description: |- + Includes contains regex patterns used to filter top-level source secret data + fields for inclusion in the final K8s Secret data. These pattern filters are + never applied to templated fields as defined in Templates. They are always + applied last. + items: + type: string + type: array + templates: + additionalProperties: + description: Template provides templating configuration. + properties: + name: + description: Name of the Template + type: string + text: + description: |- + Text contains the Go text template format. The template + references attributes from the data structure of the source secret. + Refer to https://pkg.go.dev/text/template for more information. 
+ type: string + required: + - text + type: object + description: |- + Templates maps a template name to its Template. Templates are always included + in the rendered K8s Secret, and take precedence over templates defined in a + SecretTransformation. + type: object + transformationRefs: + description: |- + TransformationRefs contain references to template configuration from + SecretTransformation. + items: + description: |- + TransformationRef contains the configuration for accessing templates from an + SecretTransformation resource. TransformationRefs can be shared across all + syncable secret custom resources. + properties: + ignoreExcludes: + description: |- + IgnoreExcludes controls whether to use the SecretTransformation's Excludes + data key filters. + type: boolean + ignoreIncludes: + description: |- + IgnoreIncludes controls whether to use the SecretTransformation's Includes + data key filters. + type: boolean + name: + description: Name of the SecretTransformation resource. + type: string + namespace: + description: Namespace of the SecretTransformation resource. + type: string + templateRefs: + description: |- + TemplateRefs map to a Template found in this TransformationRef. If empty, then + all templates from the SecretTransformation will be rendered to the K8s Secret. + items: + description: |- + TemplateRef points to templating text that is stored in a + SecretTransformation custom resource. + properties: + keyOverride: + description: |- + KeyOverride to the rendered template in the Destination secret. If Key is + empty, then the Key from reference spec will be used. Set this to override the + Key set from the reference spec. + type: string + name: + description: |- + Name of the Template in SecretTransformationSpec.Templates. + the rendered secret data. + type: string + required: + - name + type: object + type: array + required: + - name + type: object + type: array + type: object + type: + description: |- + Type of Kubernetes Secret. 
Requires Create to be set to true. + Defaults to Opaque. + type: string + required: + - name + type: object + hmacSecretData: + default: true + description: |- + HMACSecretData determines whether the Operator computes the + HMAC of the Secret's data. The MAC value will be stored in + the resource's Status.SecretMac field, and will be used for drift detection + and during incoming Vault secret comparison. + Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault. + type: boolean + mount: + description: Mount for the secret in Vault + type: string + namespace: + description: |- + Namespace of the secrets engine mount in Vault. If not set, the namespace that's + part of VaultAuth resource will be inferred. + type: string + path: + description: |- + Path of the secret in Vault, corresponds to the `path` parameter for, + kv-v1: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1#read-secret + kv-v2: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version + type: string + refreshAfter: + description: RefreshAfter a period of time, in duration notation e.g. + 30s, 1m, 24h + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$ + type: string + rolloutRestartTargets: + description: |- + RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does + not support dynamically reloading a rotated secret. + In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will + trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events. + All configured targets wil be ignored if HMACSecretData is set to false. + See RolloutRestartTarget for more details. + items: + description: |- + RolloutRestartTarget provides the configuration required to perform a + rollout-restart of the supported resources upon Vault Secret rotation. 
+ The rollout-restart is triggered by patching the target resource's + 'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt' + with a timestamp value of when the trigger was executed. + E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z" + + Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout + properties: + kind: + description: Kind of the resource + enum: + - Deployment + - DaemonSet + - StatefulSet + - argo.Rollout + type: string + name: + description: Name of the resource + type: string + required: + - kind + - name + type: object + type: array + syncConfig: + description: SyncConfig configures sync behavior from Vault to VSO + properties: + instantUpdates: + description: |- + InstantUpdates is a flag to indicate that event-driven updates are + enabled for this VaultStaticSecret + type: boolean + type: object + type: + description: Type of the Vault static secret + enum: + - kv-v1 + - kv-v2 + type: string + vaultAuthRef: + description: |- + VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace, + eg: `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to the + namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will + default to the `default` VaultAuth, configured in the operator's namespace. + type: string + version: + description: |- + Version of the secret to fetch. Only valid for type kv-v2. Corresponds to version query parameter: + https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#version + minimum: 0 + type: integer + required: + - destination + - mount + - path + - type + type: object + status: + description: VaultStaticSecretStatus defines the observed state of VaultStaticSecret + properties: + lastGeneration: + description: LastGeneration is the Generation of the last reconciled + resource. 
+ format: int64
+ type: integer
+ secretMAC:
+ description: |-
+ SecretMAC used when deciding whether new Vault secret data should be synced.
+
+ The controller will compare the "new" Vault secret data to this value using HMAC,
+ if they are different, then the data will be synced to the Destination.
+
+ The SecretMac is also used to detect drift in the Destination Secret's Data.
+ If drift is detected the data will be synced to the Destination.
+ type: string
+ required:
+ - lastGeneration
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator-controller-manager-metrics-service_v1_service.yaml b/operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator-controller-manager-metrics-service_v1_service.yaml
new file mode 100644
index 00000000000..130ec05fedd
--- /dev/null
+++ b/operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator-controller-manager-metrics-service_v1_service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: controller-manager
+ control-plane: controller-manager
+ name: vault-secrets-operator-controller-manager-metrics-service
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ app.kubernetes.io/component: controller-manager
+ control-plane: controller-manager
+status:
+ loadBalancer: {}
diff --git a/operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator-manager-config_v1_configmap.yaml b/operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator-manager-config_v1_configmap.yaml
new file mode 100644
index 00000000000..d35e01e893a
--- /dev/null
+++ b/operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator-manager-config_v1_configmap.yaml
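Review bot: `spec.version` is documented as "Only valid for type kv-v2" but nothing in the schema enforces that, so a VaultStaticSecret with `type: kv-v1` and a `version` set is admitted and the mismatch can only surface during reconciliation. A spec-level CEL rule, `x-kubernetes-validations: [{rule: "!has(self.version) || self.type == 'kv-v2'", message: "version is only valid for type kv-v2"}]`, would reject it at admission on API servers that support CRD validation rules; since this file is controller-gen output, that is the `+kubebuilder:validation:XValidation` marker on the Go spec type. Separately, the `rolloutRestartTargets` description has a typo: `All configured targets wil be ignored` should read `will be ignored`.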
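Review bot: The Service publishes port 8443 named `https` and forwards to `targetPort: https`, which only resolves if the controller-manager pod declares a container port with that name; the Deployment is not in this chunk (presumably it lives in the ClusterServiceVersion), so confirm it defines a named `https` port on 8443. That matters because the manager config in the following hunk binds metrics to `127.0.0.1:8080` in plain HTTP, which this Service cannot reach on its own, so the `https` endpoint is presumably served by an authenticating sidecar on the pod; without it the `vault-secrets-operator-metrics-reader` ClusterRole's `get` on `/metrics` has nothing to authorize against and the Service has no usable endpoint.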
@@ -0,0 +1,32 @@
+apiVersion: v1
+data:
+ controller_manager_config.yaml: |
+ # Copyright (c) HashiCorp, Inc.
+ # SPDX-License-Identifier: BUSL-1.1
+
+ apiVersion: controller-runtime.sigs.k8s.io/v1beta1
+ kind: ControllerManagerConfig
+ health:
+ healthProbeBindAddress: :8081
+ metrics:
+ bindAddress: 127.0.0.1:8080
+ webhook:
+ port: 9443
+ leaderElection:
+ leaderElect: true
+ resourceName: b0d477c0.hashicorp.com
+ # leaderElectionReleaseOnCancel defines if the leader should step down volume
+ # when the Manager ends. This requires the binary to immediately end when the
+ # Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+ # speeds up voluntary leader transitions as the new leader don't have to wait
+ # LeaseDuration time first.
+ # In the default scaffold provided, the program ends immediately after
+ # the manager stops, so would be fine to enable this option. However,
+ # if you are doing or is intended to do any operation such as perform cleanups
+ # after the manager stops then its usage might be unsafe.
+ # leaderElectionReleaseOnCancel: true
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/component: controller-manager
+ name: vault-secrets-operator-manager-config
diff --git a/operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000000..501a7b5fc89
--- /dev/null
+++ b/operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: controller-manager
+ name: vault-secrets-operator-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
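Review bot: The embedded `controller_manager_config.yaml` uses `apiVersion: controller-runtime.sigs.k8s.io/v1beta1` / `kind: ControllerManagerConfig`, the component-config file format that upstream controller-runtime has deprecated; whether the 0.9.0 manager binary still loads this ConfigMap cannot be told from this chunk, but if the manager is now driven by flags the ConfigMap is dead configuration and its `bindAddress`, `healthProbeBindAddress` and `leaderElect` values no longer describe the running process, which misleads anyone auditing the deployment. A short comment at the top of the data block stating whether the file is consumed, and by which flag or code path, would settle that. The scaffold comment is also garbled: `the leader should step down volume` should read `step down voluntarily`, and `the new leader don't have to wait` should be `doesn't have to wait`. Binding metrics to `127.0.0.1:8080` is the right choice for a plain-HTTP listener and should stay loopback-only so that metrics are reachable only via the `https` Service in the preceding hunk.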
diff --git a/operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator.clusterserviceversion.yaml b/operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator.clusterserviceversion.yaml
new file mode 100644
index 00000000000..95b8b2be127
--- /dev/null
+++ b/operators/vault-secrets-operator/0.9.0/manifests/vault-secrets-operator.clusterserviceversion.yaml
@@ -0,0 +1,437 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "secrets.hashicorp.com/v1beta1", + "kind": "VaultConnection", + "metadata": { + "name": "vaultconnection-sample", + "namespace": "tenant-1" + }, + "spec": { + "address": "http://vault.vault.svc.cluster.local:8200" + } + }, + { + "apiVersion": "secrets.hashicorp.com/v1beta1", + "kind": "VaultAuth", + "metadata": { + "name": "vaultauth-sample", + "namespace": "tenant-1" + }, + "spec": { + "vaultConnectionRef": "vaultconnection-sample", + "method": "kubernetes", + "mount": "kubernetes", + "kubernetes": { + "role": "sample", + "serviceAccount": "default" + } + } + }, + { + "apiVersion": "secrets.hashicorp.com/v1beta1", + "kind": "VaultStaticSecret", + "metadata": { + "name": "vaultstaticsecret-sample", + "namespace": "tenant-1" + }, + "spec": { + "vaultAuthRef": "vaultauth-sample", + "mount": "kvv2", + "type": "kv-v2", + "path": "secret", + "refreshAfter": "5s", + "destination": { + "create": true, + "name": "secret1" + } + } + } + ] + capabilities: Seamless Upgrades + categories: Security + containerImage: registry.connect.redhat.com/hashicorp/vault-secrets-operator@sha256:26edb6f5eef0bb086f24ac52402b3ad6c14efe4854346fe62f49edee41b143b5 + createdAt: "2024-10-08T23:40:34Z" + description: The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets. 
+ features.operators.openshift.io/cnf: "false" + features.operators.openshift.io/cni: "false" + features.operators.openshift.io/csi: "false" + features.operators.openshift.io/disconnected: "true" + features.operators.openshift.io/fips-compliant: "false" + features.operators.openshift.io/proxy-aware: "true" + features.operators.openshift.io/tls-profiles: "false" + features.operators.openshift.io/token-auth-aws: "false" + features.operators.openshift.io/token-auth-azure: "false" + features.operators.openshift.io/token-auth-gcp: "false" + operators.operatorframework.io/builder: operator-sdk-v1.33.0 + operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 + repository: https://github.com/hashicorp/vault-secrets-operator + support: HashiCorp + name: vault-secrets-operator.v0.9.0 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: HCPAuth is the Schema for the hcpauths API + displayName: HCPAuth + kind: HCPAuth + name: hcpauths.secrets.hashicorp.com + version: v1beta1 + - description: HCPVaultSecretsApp is the Schema for the hcpvaultsecretsapps API + displayName: HCPVault Secrets App + kind: HCPVaultSecretsApp + name: hcpvaultsecretsapps.secrets.hashicorp.com + version: v1beta1 + - description: SecretTransformation is the Schema for the secrettransformations API + displayName: Secret Transformation + kind: SecretTransformation + name: secrettransformations.secrets.hashicorp.com + version: v1beta1 + - description: VaultAuthGlobal is the Schema for the vaultauthglobals API + displayName: Vault Auth Global + kind: VaultAuthGlobal + name: vaultauthglobals.secrets.hashicorp.com + version: v1beta1 + - description: VaultAuth is the Schema for the vaultauths API + displayName: Vault Auth + kind: VaultAuth + name: vaultauths.secrets.hashicorp.com + version: v1beta1 + - description: VaultConnection is the Schema for the vaultconnections API + displayName: Vault Connection + kind: VaultConnection + name: 
vaultconnections.secrets.hashicorp.com + version: v1beta1 + - description: VaultDynamicSecret is the Schema for the vaultdynamicsecrets API + displayName: Vault Dynamic Secret + kind: VaultDynamicSecret + name: vaultdynamicsecrets.secrets.hashicorp.com + version: v1beta1 + - description: VaultPKISecret is the Schema for the vaultpkisecrets API + displayName: Vault PKISecret + kind: VaultPKISecret + name: vaultpkisecrets.secrets.hashicorp.com + version: v1beta1 + - description: VaultStaticSecret is the Schema for the vaultstaticsecrets API + displayName: Vault Static Secret + kind: VaultStaticSecret + name: vaultstaticsecrets.secrets.hashicorp.com + version: v1beta1 + description: |- + The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets + natively from Kubernetes Secrets. + + ## Overview + + The Vault Secrets Operator operates by watching for changes to its supported set of Custom Resource Definitions (CRD). + Each CRD provides the specification required to allow the *Operator* to synchronize a Vault Secrets to a Kubernetes Secret. + The *Operator* writes the *source* Vault secret data directly to the *destination* Kubernetes Secret, ensuring that any + changes made to the *source* are replicated to the *destination* over its lifetime. In this way, an application only needs + to have access to the *destination* secret in order to make use of the secret data contained within. + + See the developer docs for more info [here](https://developer.hashicorp.com/vault/docs/platform/k8s/vso), including + [examples](https://developer.hashicorp.com/vault/docs/platform/k8s/vso/examples) and a + [tutorial](https://developer.hashicorp.com/vault/tutorials/kubernetes/vault-secrets-operator) + for getting started. 
+ displayName: Vault Secrets Operator + icon: + - base64data: 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 + mediatype: image/svg+xml + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + - serviceaccounts + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - get + - list + - watch + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - statefulsets + verbs: + - get + - list + - patch + - watch + - apiGroups: + - argoproj.io + resources: + - rollouts + verbs: + - get + - list + - patch + - watch + - apiGroups: + - secrets.hashicorp.com + resources: + - hcpauths + - hcpvaultsecretsapps + - secrettransformations + - vaultauthglobals + - vaultauths + - vaultconnections + - vaultdynamicsecrets + - vaultpkisecrets + - vaultstaticsecrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - secrets.hashicorp.com + resources: + - hcpauths/finalizers + - hcpvaultsecretsapps/finalizers + - secrettransformations/finalizers + - vaultauthglobals/finalizers + - vaultauths/finalizers + - vaultconnections/finalizers + - vaultdynamicsecrets/finalizers + - vaultpkisecrets/finalizers + - vaultstaticsecrets/finalizers + verbs: + - update + - apiGroups: + - secrets.hashicorp.com + resources: + - hcpauths/status + - hcpvaultsecretsapps/status + - secrettransformations/status + - vaultauthglobals/status + - vaultauths/status + - vaultconnections/status + - vaultdynamicsecrets/status + - vaultpkisecrets/status + - vaultstaticsecrets/status + verbs: + - get + - patch + - update + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - 
authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + serviceAccountName: vault-secrets-operator-controller-manager + deployments: + - label: + app.kubernetes.io/component: controller-manager + control-plane: controller-manager + name: vault-secrets-operator-controller-manager + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: controller-manager + control-plane: controller-manager + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + app.kubernetes.io/component: controller-manager + control-plane: controller-manager + spec: + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /vault-secrets-operator + env: + - name: OPERATOR_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + image: registry.connect.redhat.com/hashicorp/vault-secrets-operator@sha256:26edb6f5eef0bb086f24ac52402b3ad6c14efe4854346fe62f49edee41b143b5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 10m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /var/run/podinfo + name: podinfo + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + image: registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:f288292071ec742e0c420cc19b8abe0ab5d95c447f01ce800bf5bf434270b616 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + 
resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: vault-secrets-operator-controller-manager + terminationGracePeriodSeconds: 10 + volumes: + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.name + path: name + - fieldRef: + fieldPath: metadata.uid + path: uid + name: podinfo + permissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: vault-secrets-operator-controller-manager + strategy: deployment + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - vault + - security + - secrets + links: + - name: Vault Secrets Operator + url: https://github.com/hashicorp/vault-secrets-operator + - name: Documentation + url: https://developer.hashicorp.com/vault/docs/platform/k8s/vso + maintainers: + - email: support@hashicorp.com + name: HashiCorp Support + maturity: stable + provider: + name: HashiCorp + url: https://www.hashicorp.com/ + relatedImages: + - image: registry.connect.redhat.com/hashicorp/vault-secrets-operator@sha256:26edb6f5eef0bb086f24ac52402b3ad6c14efe4854346fe62f49edee41b143b5 + name: manager + - image: registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:f288292071ec742e0c420cc19b8abe0ab5d95c447f01ce800bf5bf434270b616 + name: kube-rbac-proxy + version: 0.9.0 + replaces: vault-secrets-operator.v0.8.1 
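Review bot: Both containers' `securityContext` in the controller-manager Deployment set only `allowPrivilegeEscalation: false`, and the pod-level context sets only `runAsNonRoot: true`; the restricted Pod Security Standard additionally expects `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault`, neither of which appears in this hunk. On OpenShift the restricted-v2 SCC may inject equivalents, but the bundle advertises `installModes` AllNamespaces for OLM generally, where nothing fills them in, so the hardening should be explicit in the manifest. `readOnlyRootFilesystem: true` is worth adding as well if neither the manager nor kube-rbac-proxy writes to its root filesystem — that cannot be confirmed from this hunk, so verify before enabling. Separately, the `clusterPermissions` grant cluster-wide create/delete/patch/update on `secrets` and create on `serviceaccounts/token`, which is what the sync and Kubernetes-auth features need but makes this service account a high-value principal; a sentence in the CSV `description` stating that scope would help cluster admins understand what they are installing.
```yaml
# … unchanged: manager container args/env/image/probes/resources …
                securityContext:
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop:
                      - ALL
                  seccompProfile:
                    type: RuntimeDefault
# … unchanged: volumeMounts, and the kube-rbac-proxy container, whose securityContext gets the same additions …
              securityContext:
                runAsNonRoot: true
                seccompProfile:
                  type: RuntimeDefault
# … unchanged: serviceAccountName, terminationGracePeriodSeconds, volumes, permissions …
```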
diff --git a/operators/vault-secrets-operator/0.9.0/metadata/annotations.yaml b/operators/vault-secrets-operator/0.9.0/metadata/annotations.yaml new file mode 100644 index 00000000000..393f505bd11 --- /dev/null +++ b/operators/vault-secrets-operator/0.9.0/metadata/annotations.yaml @@ -0,0 +1,18 @@ +annotations: + # Core bundle annotations. + operators.operatorframework.io.bundle.mediatype.v1: registry+v1 + operators.operatorframework.io.bundle.manifests.v1: manifests/ + operators.operatorframework.io.bundle.metadata.v1: metadata/ + operators.operatorframework.io.bundle.package.v1: vault-secrets-operator + operators.operatorframework.io.bundle.channels.v1: stable + operators.operatorframework.io.bundle.channel.default.v1: stable + operators.operatorframework.io.metrics.builder: operator-sdk-v1.33.0 + operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 + operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3 + + # Annotations for testing. + operators.operatorframework.io.test.mediatype.v1: scorecard+v1 + operators.operatorframework.io.test.config.v1: tests/scorecard/ + + # OpenShift minimum version + com.redhat.openshift.versions: v4.10 diff --git a/operators/vault-secrets-operator/0.9.0/tests/scorecard/config.yaml b/operators/vault-secrets-operator/0.9.0/tests/scorecard/config.yaml new file mode 100644 index 00000000000..c4fd10b0661 --- /dev/null +++ b/operators/vault-secrets-operator/0.9.0/tests/scorecard/config.yaml 
@@ -0,0 +1,70 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: + - entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.22.0 + labels: + suite: basic + test: basic-check-spec-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.22.0 + labels: + suite: olm + test: olm-bundle-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.22.0 + labels: + suite: olm + test: olm-crds-have-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-resources + image: quay.io/operator-framework/scorecard-test:v1.22.0 + labels: + suite: olm + test: olm-crds-have-resources-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.22.0 + labels: + suite: olm + test: olm-spec-descriptors-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-status-descriptors + image: quay.io/operator-framework/scorecard-test:v1.22.0 + labels: + suite: olm + test: olm-status-descriptors-test + storage: + spec: + mountPath: {} +storage: + spec: + mountPath: {}
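Review bot: Every test entry pins `image: quay.io/operator-framework/scorecard-test:v1.22.0` by mutable tag, while the bundle's CSV pins the manager and kube-rbac-proxy images by `@sha256` digest and the metadata declares `operator-sdk-v1.33.0` as the builder. The scorecard image is therefore both out of step with the SDK release that generated the bundle and not reproducible — whatever the tag points to on a given day is what validates the bundle. Consider moving to the scorecard-test image matching the SDK release and pinning it by digest, e.g. `image: quay.io/operator-framework/scorecard-test@sha256:<DIGEST_PLACEHOLDER>`, or at minimum aligning the tag with the builder version. The repeated `mountPath: {}` under each `storage.spec` and at the top level is the SDK scaffold default and reads like a placeholder; if no test storage is used, a comment above the top-level `storage:` such as `# Scaffold default; no test uses persistent storage.` would save the reader a lookup.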