From efc0594352f0a207ac32c15e854a5a094c7de65f Mon Sep 17 00:00:00 2001 
From: raffaelespazzoli Date: Mon, 4 Dec 2023 13:14:27 -0500 Subject: [PATCH] operator vault-config-operator (0.8.25) --- .../vault-config-operator/0.8.25/Dockerfile | 21 + .../redhatcop.redhat.io_authenginemounts.yaml | 301 ++ ...redhat.io_databasesecretengineconfigs.yaml | 397 +++ ...p.redhat.io_databasesecretengineroles.yaml | 276 ++ ...at.io_databasesecretenginestaticroles.yaml | 281 ++ ...p.redhat.io_githubsecretengineconfigs.yaml | 248 ++ ...cop.redhat.io_githubsecretengineroles.yaml | 255 ++ .../redhatcop.redhat.io_groupaliases.yaml | 217 ++ .../manifests/redhatcop.redhat.io_groups.yaml | 245 ++ ...op.redhat.io_jwtoidcauthengineconfigs.yaml | 385 +++ ...tcop.redhat.io_jwtoidcauthengineroles.yaml | 393 +++ ...redhat.io_kubernetesauthengineconfigs.yaml | 269 ++ ...p.redhat.io_kubernetesauthengineroles.yaml | 379 +++ ...dhat.io_kubernetessecretengineconfigs.yaml | 321 ++ ...redhat.io_kubernetessecretengineroles.yaml | 358 +++ ...atcop.redhat.io_ldapauthengineconfigs.yaml | 531 ++++ ...hatcop.redhat.io_ldapauthenginegroups.yaml | 221 ++ .../redhatcop.redhat.io_passwordpolicies.yaml | 215 ++ ...tcop.redhat.io_pkisecretengineconfigs.yaml | 418 +++ ...hatcop.redhat.io_pkisecretengineroles.yaml | 472 +++ .../redhatcop.redhat.io_policies.yaml | 223 ++ ...cop.redhat.io_quaysecretengineconfigs.yaml | 318 ++ ...atcop.redhat.io_quaysecretengineroles.yaml | 266 ++ ...redhat.io_quaysecretenginestaticroles.yaml | 261 ++ ...redhat.io_rabbitmqsecretengineconfigs.yaml | 341 +++ ...p.redhat.io_rabbitmqsecretengineroles.yaml | 282 ++ .../redhatcop.redhat.io_randomsecrets.yaml | 264 ++ ...edhatcop.redhat.io_secretenginemounts.yaml | 306 ++ .../redhatcop.redhat.io_vaultsecrets.yaml | 321 ++ ...nitoring.coreos.com_v1_servicemonitor.yaml | 22 + ...er-manager-metrics-service_v1_service.yaml | 19 + ...-operator-manager-config_v1_configmap.yaml | 17 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 10 + ...k8s_rbac.authorization.k8s.io_v1_role.yaml | 16 + 
...c.authorization.k8s.io_v1_rolebinding.yaml | 13 + ...g-operator-webhook-service_v1_service.yaml | 14 + ...config-operator.clusterserviceversion.yaml | 2708 +++++++++++++++++ .../0.8.25/metadata/annotations.yaml | 15 + .../0.8.25/tests/scorecard/config.yaml | 70 + 39 files changed, 11689 insertions(+) create mode 100644 operators/vault-config-operator/0.8.25/Dockerfile create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_authenginemounts.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_databasesecretengineconfigs.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_databasesecretengineroles.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_databasesecretenginestaticroles.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_githubsecretengineconfigs.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_githubsecretengineroles.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_groupaliases.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_groups.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_jwtoidcauthengineconfigs.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_jwtoidcauthengineroles.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetesauthengineconfigs.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetesauthengineroles.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetessecretengineconfigs.yaml create mode 100644 
operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetessecretengineroles.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_ldapauthengineconfigs.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_ldapauthenginegroups.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_passwordpolicies.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_pkisecretengineconfigs.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_pkisecretengineroles.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_policies.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_quaysecretengineconfigs.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_quaysecretengineroles.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_quaysecretenginestaticroles.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_rabbitmqsecretengineconfigs.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_rabbitmqsecretengineroles.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_randomsecrets.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_secretenginemounts.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_vaultsecrets.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/vault-config-operator-controller-manager-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml create mode 100644 
operators/vault-config-operator/0.8.25/manifests/vault-config-operator-controller-manager-metrics-service_v1_service.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/vault-config-operator-manager-config_v1_configmap.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/vault-config-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/vault-config-operator-prometheus-k8s_rbac.authorization.k8s.io_v1_role.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/vault-config-operator-prometheus-k8s_rbac.authorization.k8s.io_v1_rolebinding.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/vault-config-operator-webhook-service_v1_service.yaml create mode 100644 operators/vault-config-operator/0.8.25/manifests/vault-config-operator.clusterserviceversion.yaml create mode 100644 operators/vault-config-operator/0.8.25/metadata/annotations.yaml create mode 100644 operators/vault-config-operator/0.8.25/tests/scorecard/config.yaml diff --git a/operators/vault-config-operator/0.8.25/Dockerfile b/operators/vault-config-operator/0.8.25/Dockerfile new file mode 100644 index 00000000000..11509d5bad3 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/Dockerfile 
@@ -0,0 +1,21 @@
+FROM scratch
+
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=vault-config-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.25.3
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
+
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+
+# Copy files to locations specified by labels.
+COPY manifests /manifests/
+COPY metadata /metadata/
+COPY tests/scorecard /tests/scorecard/
diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_authenginemounts.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_authenginemounts.yaml
new file mode 100644
index 00000000000..68f586427a7
--- /dev/null
+++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_authenginemounts.yaml
@@ -0,0 +1,301 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: authenginemounts.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: AuthEngineMount + listKind: AuthEngineMountList + plural: authenginemounts + singular: authenginemount + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AuthEngineMount is the Schema for the authenginemounts API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AuthEngineMountSpec defines the desired state of AuthEngineMount + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + config: + description: Config Specifies configuration options for this auth + method. + properties: + allowedResponseHeaders: + description: AllowedResponseHeaders list of headers to whitelist, + allowing a plugin to include them in the response. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + auditNonHMACRequestKeys: + description: AuditNonHMACRequestKeys list of keys that will not + be HMAC'd by audit devices in the request data object. kubebuilder:validation:UniqueItems:=true + items: + type: string + type: array + x-kubernetes-list-type: set + auditNonHMACResponseKeys: + description: AuditNonHMACResponseKeys list of keys that will not + be HMAC'd by audit devices in the response data object. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + defaultLeaseTTL: + description: DefaultLeaseTTL The default lease duration, specified + as a string duration like "5s" or "30m". + type: string + description: + description: Description another description... + type: string + listingVisibility: + default: hidden + description: ListingVisibility Specifies whether to show this + mount in the UI-specific listing endpoint. Valid values are + "unauth" or "hidden". 
If not set, behaves like "hidden" + enum: + - unauth + - hidden + type: string + maxLeaseTTL: + description: MaxLeaseTTL The maximum lease duration, specified + as a string duration like "5s" or "30m". + type: string + options: + additionalProperties: + type: string + description: Options undocumented + type: object + x-kubernetes-map-type: granular + passthroughRequestHeaders: + description: PassthroughRequestHeaders list of headers to whitelist + and pass from the request to the plugin. kubebuilder:validation:UniqueItems:=true + items: + type: string + type: array + x-kubernetes-list-type: set + tokenType: + description: TokenType undocumented + type: string + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. 
+ type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + description: + description: Description Specifies a human-friendly description of + the auth method. + type: string + local: + description: Local Specifies if the auth method is local only. Local + auth methods are not replicated nor (if a secondary) removed by + replication. Logins via local auth methods do not make use of identity, + i.e. no entity or groups will be attached to the token. + type: boolean + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + path: + description: Path at which this auth engine will be mounted The final + path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path /sys/auth/{[spec.authentication.namespace]}/{spec.path}/{metadata.name}. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + sealwrap: + description: SealWrap Enable seal wrapping for the mount, causing + values stored by the mount to be wrapped by the seal's encryption + capability. 
+ type: boolean + type: + description: Type Specifies the name of the authentication method + type, such as "github" or "token". + type: string + type: object + status: + description: AuthEngineMountStatus defines the observed state of AuthEngineMount + properties: + accessor: + type: string + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_databasesecretengineconfigs.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_databasesecretengineconfigs.yaml new file mode 100644 index 00000000000..d969987c4fd --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_databasesecretengineconfigs.yaml 
@@ -0,0 +1,397 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: databasesecretengineconfigs.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: DatabaseSecretEngineConfig + listKind: DatabaseSecretEngineConfigList + plural: databasesecretengineconfigs + singular: databasesecretengineconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: DatabaseSecretEngineConfig is the Schema for the databasesecretengineconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DatabaseSecretEngineConfigSpec defines the desired state + of DatabaseSecretEngineConfig + properties: + allowedRoles: + default: + - '*' + description: AllowedRoles List of the roles allowed to use this connection. + Defaults to empty (no roles), if contains a "*" any role can use + this connection. 
kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). 
+ type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + connectionURL: + description: ConnectionURL Specifies the connection string used to + connect to the database. Some plugins use url rather than connection_url. + This allows for simple templating of the username and password of + the root user. Typically, this is done by including a "{{"username"}}", + "{{"name"}}", and/or "{{"password"}}" field within the string. These + fields are typically be replaced with the values in the username + and password fields. 
+ type: string + databaseSpecificConfig: + additionalProperties: + type: string + description: DatabaseSpecificConfig this are the configuration specific + to each database type + type: object + x-kubernetes-map-type: granular + disableEscaping: + description: DisableEscaping Determines whether special characters + in the username and password fields will be escaped. Useful for + alternate connection string formats like ADO. More information regarding + this parameter can be found on the databases secrets engine docs. + Defaults to false + type: boolean + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + passwordPolicy: + description: 'PasswordPolicy The name of the password policy to use + when generating passwords for this database. If not specified, this + will use a default policy defined as: 20 characters with at least + 1 uppercase, 1 lowercase, 1 number, and 1 dash character.' + type: string + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + pluginName: + description: PluginName Specifies the name of the plugin to use for + this connection. + type: string + pluginVersion: + description: PluginVersion Specifies the semantic version of the plugin + to use for this connection. + type: string + rootCredentials: + description: RootCredentials specifies how to retrieve the credentials + for this DatabaseEngine connection. 
+ properties: + passwordKey: + default: password + description: PasswordKey key to be used when retrieving the password, + required with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + randomSecret: + description: 'RandomSecret retrieves the credentials from the + Vault secret corresponding to this RandomSecret. This will map + the "username" and "password" keys of the secret to the username + and password of this config. All other keys will be ignored. + If the RandomSecret is refreshed the operator retrieves the + new secret from Vault and updates this configuration. Only one + of RootCredentialsFromVaultSecret or RootCredentialsFromSecret + or RootCredentialsFromRandomSecret can be specified. When using + randomSecret a username must be specified in the spec.username + password: Specifies the password to use when connecting with + the username. This value will not be returned by Vault when + performing a read upon the configuration. This is typically + used in the connection_url field via the templating directive + "{{"password"}}"".' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + secret: + description: 'Secret retrieves the credentials from a Kubernetes + secret. The secret must be of basicauth type (https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret). + This will map the "username" and "password" keys of the secret + to the username and password of this config. If the kubernetes + secret is updated, this configuration will also be updated. + All other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. 
username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. + This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + usernameKey: + default: username + description: UsernameKey key to be used when retrieving the username, + optional with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + vaultSecret: + description: 'VaultSecret retrieves the credentials from a Vault + secret. This will map the "username" and "password" keys of + the secret to the username and password of this config. All + other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. 
+ This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + path: + description: Path is the path to the secret + type: string + type: object + type: object + rootPasswordRotation: + properties: + enable: + description: Enabled whether the toot password should be rotated + with the rotation statement. If set to true the root password + will be rotated immediately. + type: boolean + rotationPeriod: + description: RotationPeriod if this value is set, the root password + will be rotated approximately with teh requested frequency. + type: string + type: object + rootRotationStatements: + description: RootRotationStatements Specifies the database statements + to be executed to rotate the root user's credentials. See the plugin's + API page for more information on support and formatting for this + parameter. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + username: + description: Username Specifies the name of the user to use as the + "root" user when connecting to the database. This "root" user is + used to create/update/delete users managed by these plugins, so + you will need to ensure that this user has permissions to manipulate + users appropriate to the database. 
This is typically used in the + connection_url field via the templating directive "{{"username"}}" + or "{{"name"}}" If username is provided it takes precedence over + the username retrieved from the referenced secrets + type: string + verifyConnection: + description: VerifyConnection Specifies if the connection is verified + during initial configuration. Defaults to true. + type: boolean + type: object + status: + description: DatabaseSecretEngineConfigStatus defines the observed state + of DatabaseSecretEngineConfig + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. 
For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastRootPasswordRotation: + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_databasesecretengineroles.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_databasesecretengineroles.yaml
new file mode 100644
index 00000000000..6ec37ea60ab
--- /dev/null
+++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_databasesecretengineroles.yaml
@@ -0,0 +1,276 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: databasesecretengineroles.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: DatabaseSecretEngineRole + listKind: DatabaseSecretEngineRoleList + plural: databasesecretengineroles + singular: databasesecretenginerole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: DatabaseSecretEngineRole is the Schema for the databasesecretengineroles + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DatabaseSecretEngineRoleSpec defines the desired state of + DatabaseSecretEngineRole + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. 
the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + creationStatements: + description: CreationStatements Specifies the database statements + executed to create and configure a user. See the plugin's API page + for more information on support and formatting for this parameter. + kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + dBName: + description: DBName The name of the database connection to use for + this role. + type: string + defaultTTL: + default: 0s + description: DeafulTTL Specifies the TTL for the leases associated + with this role. Accepts time suffixed strings ("1h") or an integer + number of seconds. Defaults to system/engine default TTL time. + type: string + maxTTL: + default: 0s + description: MaxTTL Specifies the maximum TTL for the leases associated + with this role. Accepts time suffixed strings ("1h") or an integer + number of seconds. Defaults to system/mount default TTL time; this + value is allowed to be less than the mount max TTL (or, if not set, + the system max TTL), but it is not allowed to be longer. See also + The TTL General Case. + type: string + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + path: + description: Path at which to create the role. 
The final path in Vault + will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + renewStatements: + description: RenewStatements Specifies the database statements to + be executed to renew a user. Not every plugin type will support + this functionality. See the plugin's API page for more information + on support and formatting for this parameter. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + revocationStatements: + description: RevocationStatements Specifies the database statements + to be executed to revoke a user. See the plugin's API page for more + information on support and formatting for this parameter. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + rollbackStatements: + description: RollbackStatements Specifies the database statements + to be executed to rollback a create operation in the event of an + error. Not every plugin type will support this functionality. See + the plugin's API page for more information on support and formatting + for this parameter. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + status: + description: DatabaseSecretEngineRoleStatus defines the observed state + of DatabaseSecretEngineRole + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_databasesecretenginestaticroles.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_databasesecretenginestaticroles.yaml new file mode 100644 index 00000000000..bee0fd46bba --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_databasesecretenginestaticroles.yaml 
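Review bot: The `pattern` on `spec.path` and `spec.authentication.path`, `^(?:/?[\w;:@&=\$-\.\+]*)+/?`, has no `$` anchor and its group can match the empty string, so under Go's search-style regexp matching every value passes and the intended character restriction on the Vault path is never enforced; `\$-\.` inside the class is also a range from `$` to `.` rather than three literals, which admits characters such as `(`, `)`, `*` and `,`. The unanchored `name` pattern `'[a-z0-9]([-a-z0-9]*[a-z0-9])?'` in the same hunk is vacuous for the same reason, and both patterns recur in the static-role and GitHub-config CRDs in the following hunks. Since this file is controller-gen output, the fix belongs in the upstream kubebuilder validation marker, e.g. `^(?:/?[\w;:@&=$.+-]*)+/?$` for the path fields and `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` for name, with the bundle regenerated afterwards.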
@@ -0,0 +1,281 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: databasesecretenginestaticroles.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: DatabaseSecretEngineStaticRole + listKind: DatabaseSecretEngineStaticRoleList + plural: databasesecretenginestaticroles + singular: databasesecretenginestaticrole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: DatabaseSecretEngineStaticRole is the Schema for the databasesecretenginestaticroles + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DatabaseSecretEngineStaticRoleSpec defines the desired state + of DatabaseSecretEngineStaticRole + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. 
The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. 
+ type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + credentialType: + description: 'CredentialType Specifies the type of credential that + will be generated for the role. Options include: password, rsa_private_key. + See the plugin''s API page for credential types supported by individual + databases.' + enum: + - password + - rsa_private_key + type: string + dBName: + description: DBName The name of the database connection to use for + this role. + type: string + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + passwordCredentialConfig: + description: PasswordCredentialConfig specifies the configuraiton + when the password credential type is chosen. + properties: + passwordPolicy: + description: PasswordPolicy The policy used for password generation. + If not provided, defaults to the password policy of the database + configuration + type: string + type: object + path: + description: Path at which to create the role. The final path in Vault + will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. 
+ pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + rotationPeriod: + description: RotationPeriod Specifies the amount of time Vault should + wait before rotating the password. The minimum is 5 seconds. + minimum: 5 + type: integer + rotationStatements: + description: RotationStatements Specifies the database statements + to be executed to rotate the password for the configured database + user. Not every plugin type will support this functionality. See + the plugin's API page for more information on support and formatting + for this parameter. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + rsaPrivateKeyCredentialConfig: + properties: + format: + description: 'Format The output format of the generated private + key credential. The private key will be returned from the API + in PEM encoding. Options include: pkcs8' + enum: + - pkcs8 + type: string + keyBits: + description: 'KeyBits The bit size of the RSA key to generate. + Options include: 2048, 3072, 4096.' + enum: + - 2048 + - 3072 + - 4096 + type: integer + type: object + username: + description: Username Specifies the database username that this Vault + role corresponds to. + type: string + type: object + status: + description: DatabaseSecretEngineStaticRoleStatus defines the observed + state of DatabaseSecretEngineStaticRole + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_githubsecretengineconfigs.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_githubsecretengineconfigs.yaml new file mode 100644 index 00000000000..f543a3b9288 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_githubsecretengineconfigs.yaml 
@@ -0,0 +1,248 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: githubsecretengineconfigs.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: GitHubSecretEngineConfig + listKind: GitHubSecretEngineConfigList + plural: githubsecretengineconfigs + singular: githubsecretengineconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GitHubSecretEngineConfig is the Schema for the githubsecretengineconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GitHubSecretEngineConfigSpec defines the desired state of + GitHubSecretEngineConfig + properties: + applicationID: + description: ApplicationID the Application ID of the GitHub App. + format: int64 + type: integer + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. 
The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. 
+ type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + gitHubAPIBaseURL: + default: https://api.github.com + description: GitHubAPIBaseURL the base URL for API requests (defaults + to the public GitHub API). + type: string + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/{spec.path}/config. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + sSHKeyReference: + description: SSHKeyReference allows ofr options to retrieve the ssh + key. For security reasons it is never displayed. + properties: + secret: + description: Secret retrieves the ssh key from a Kubernetes secret. + The secret must be of ssh type (https://kubernetes.io/docs/concepts/configuration/secret/#ssh-authentication-secrets). + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + vaultSecret: + description: VaultSecret retrieves the sshkey from a Vault secret. 
+ The sshkey will be retrieve at the key "key" (pun intented). + properties: + path: + description: Path is the path to the secret + type: string + type: object + type: object + type: object + status: + description: GitHubSecretEngineConfigStatus defines the observed state + of GitHubSecretEngineConfig + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_githubsecretengineroles.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_githubsecretengineroles.yaml new file mode 100644 index 00000000000..e1eeb2b03ec --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_githubsecretengineroles.yaml 
@@ -0,0 +1,255 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: githubsecretengineroles.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: GitHubSecretEngineRole + listKind: GitHubSecretEngineRoleList + plural: githubsecretengineroles + singular: githubsecretenginerole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GitHubSecretEngineRole is the Schema for the githubsecretengineroles + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GitHubSecretEngineRoleSpec defines the desired state of GitHubSecretEngineRole + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. 
the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + installationID: + description: 'InstallationID the ID of the app installation. Note + the Installation ID from the URL of this page (usually: https://github.com/settings/installations/) if you wish to configure using the installation ID directly. + Only one of installationID or organizationName is required. If both + are provided, installationID takes precedence.' + format: int64 + type: integer + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + organizationName: + description: OrganizationName the name of the organization with the + GitHub App installation. Only one of installationID or organizationName + is required. If both are provided, installationID takes precedence. + type: string + path: + description: Path at which to create the role. The final path in Vault + will be {[spec.authentication.namespace]}/{spec.path}/permissionset/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + permissions: + additionalProperties: + type: string + description: Permissions a key value map of permission names to their + access type (read or write). 
See [GitHub’s documentation](https://developer.github.com/v3/apps/permissions) + on permission names and access types. + type: object + repositories: + description: Repositories a list of the names of the repositories + within the organisation that the installation token can access + items: + type: string + type: array + repositoriesIDs: + description: Repositories a list of the IDs of the repositories that + the installation token can access. See [this StackOverflow](https://stackoverflow.com/a/47223479) + post for the quickest way to find a repository ID + items: + type: string + type: array + type: object + status: + description: GitHubSecretEngineRoleStatus defines the observed state of + GitHubSecretEngineRole + properties: + conditions: + description: 'Important: Run "make" to regenerate code after modifying + this file' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_groupaliases.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_groupaliases.yaml new file mode 100644 index 00000000000..cff805f6786 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_groupaliases.yaml 
@@ -0,0 +1,217 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: groupaliases.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: GroupAlias + listKind: GroupAliasList + plural: groupaliases + singular: groupalias + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GroupAlias is the Schema for the groupalias API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GroupAliasSpec defines the desired state of GroupAlias + properties: + authEngineMountPath: + type: string + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. 
the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + groupName: + type: string + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + type: object + status: + description: GroupAliasStatus defines the observed state of GroupAlias + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + id: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_groups.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_groups.yaml new file mode 100644 index 00000000000..50326b37205 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_groups.yaml 
@@ -0,0 +1,245 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: groups.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: Group + listKind: GroupList + plural: groups + singular: group + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Group is the Schema for the groups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GroupSpec defines the desired state of Group + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. 
the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + memberEntityIDs: + description: MemberEntityIDs Entity IDs to be assigned as group members. + kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + memberGroupIDs: + description: MemberGroupIDs Group IDs to be assigned as group members. + kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + metadata: + additionalProperties: + type: string + description: Metadata Metadata to be associated with the group. + type: object + x-kubernetes-map-type: granular + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + policies: + description: Policies Policies to be tied to the group. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + type: + default: internal + description: Type Type of the group, internal or external. Defaults + to internal + enum: + - internal + - external + type: string + type: object + status: + description: GroupStatus defines the observed state of Group + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. 
--- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_jwtoidcauthengineconfigs.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_jwtoidcauthengineconfigs.yaml new file mode 100644 index 00000000000..811d87b5860 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_jwtoidcauthengineconfigs.yaml 
@@ -0,0 +1,385 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.11.1
+ creationTimestamp: null
+ name: jwtoidcauthengineconfigs.redhatcop.redhat.io
+spec:
+ group: redhatcop.redhat.io
+ names:
+ kind: JWTOIDCAuthEngineConfig
+ listKind: JWTOIDCAuthEngineConfigList
+ plural: jwtoidcauthengineconfigs
+ singular: jwtoidcauthengineconfig
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: JWTOIDCAuthEngineConfig is the Schema for the jwtoidcauthengineconfigs
+ API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: JWTOIDCAuthEngineConfigSpec defines the desired state of
+ JWTOIDCAuthEngineConfig
+ properties:
+ JWKSCAPEM:
+ default: ""
+ description: The CA certificate or chain of certificates, in PEM format,
+ to use to validate connections to the JWKS URL. If not set, system
+ certificates are used.
+ type: string
+ JWKSURL:
+ default: ""
+ description: JWKS URL to use to authenticate signatures. Cannot be
+ used with "oidc_discovery_url" or "jwt_validation_pubkeys"
+ type: string
+ JWTSupportedAlgs:
+ description: A list of supported signing algorithms. Defaults to [RS256]
+ for OIDC roles.
Defaults to all available algorithms for JWT roles + kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + JWTValidationPubKeys: + description: A list of PEM-encoded public keys to use to authenticate + signatures locally. Cannot be used with "jwks_url" or "oidc_discovery_url" + kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + OIDCClientID: + default: "" + description: The OAuth Client ID from the provider for OIDC roles. + type: string + OIDCCredentials: + description: OIDCCredentials from the provider for OIDC roles OIDCCredentials + consists in OIDCClientID and OIDCClientSecret, which can be created + as Kubernetes Secret, VaultSecret or RandomSecret + properties: + passwordKey: + default: password + description: PasswordKey key to be used when retrieving the password, + required with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + randomSecret: + description: 'RandomSecret retrieves the credentials from the + Vault secret corresponding to this RandomSecret. This will map + the "username" and "password" keys of the secret to the username + and password of this config. All other keys will be ignored. + If the RandomSecret is refreshed the operator retrieves the + new secret from Vault and updates this configuration. Only one + of RootCredentialsFromVaultSecret or RootCredentialsFromSecret + or RootCredentialsFromRandomSecret can be specified. When using + randomSecret a username must be specified in the spec.username + password: Specifies the password to use when connecting with + the username. This value will not be returned by Vault when + performing a read upon the configuration. This is typically + used in the connection_url field via the templating directive + "{{"password"}}"".' + properties: + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + secret: + description: 'Secret retrieves the credentials from a Kubernetes + secret. The secret must be of basicauth type (https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret). + This will map the "username" and "password" keys of the secret + to the username and password of this config. If the kubernetes + secret is updated, this configuration will also be updated. + All other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. + This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + usernameKey: + default: username + description: UsernameKey key to be used when retrieving the username, + optional with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + vaultSecret: + description: 'VaultSecret retrieves the credentials from a Vault + secret. This will map the "username" and "password" keys of + the secret to the username and password of this config. All + other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. + This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + path: + description: Path is the path to the secret + type: string + type: object + type: object + OIDCDiscoveryCAPEM: + default: "" + description: The CA certificate or chain of certificates, in PEM format, + to use to validate connections to the OIDC Discovery URL. If not + set, system certificates are used + type: string + OIDCDiscoveryURL: + default: "" + description: The OIDC Discovery URL, without any .well-known component + (base path). 
Cannot be used with "jwks_url" or "jwt_validation_pubkeys" + type: string + OIDCResponseMode: + default: "" + description: The response mode to be used in the OAuth2 request. Allowed + values are "query" and "form_post". Defaults to "query". If using + Vault namespaces, and oidc_response_mode is "form_post", then "namespace_in_state" + should be set to false + type: string + OIDCResponseTypes: + description: 'The response types to request. Allowed values are "code" + and "id_token". Defaults to "code". Note: "id_token" may only be + used if "oidc_response_mode" is set to "form_post" kubebuilder:validation:UniqueItems=true' + items: + type: string + type: array + x-kubernetes-list-type: set + authentication: + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + boundIssuer: + default: "" + description: The value against which to match the iss claim in a JWT + type: string + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. 
If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. 
+ type: string + type: object + defaultRole: + default: "" + description: The default role to use if none is provided during login + type: string + namespaceInState: + default: true + description: Pass namespace in the OIDC state parameter instead of + as a separate query parameter. With this setting, the allowed redirect + URL(s) in Vault and on the provider side should not contain a namespace + query parameter. This means only one redirect URL entry needs to + be maintained on the provider side for all vault namespaces that + will be authenticating against it. Defaults to true for new configs + type: boolean + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + providerConfig: + description: 'Configuration options for provider-specific handling. + Providers with specific handling include: Azure, Google. The options + are described in each provider''s section in OIDC Provider Setup' + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: JWTOIDCAuthEngineConfigStatus defines the observed state + of JWTOIDCAuthEngineConfig + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_jwtoidcauthengineroles.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_jwtoidcauthengineroles.yaml
new file mode 100644
index 00000000000..63aa63bacc6
--- /dev/null
+++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_jwtoidcauthengineroles.yaml
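Review bot: The descriptions under `OIDCCredentials.secret`, `OIDCCredentials.vaultSecret` and `OIDCCredentials.randomSecret` are copied from the database secret engine config — they talk about a "root" user connecting to the database, `connection_url` templating and `RootCredentialsFromVaultSecret`/`RootCredentialsFromSecret`/`RootCredentialsFromRandomSecret`, none of which exist on this resource — while the keys that matter here (`usernameKey`, `passwordKey`) never say which one carries the OIDC client secret. Since this file is controller-gen output (per the version annotation at the top), the fix belongs on the Go type's doc comment, presumably something like `Secret retrieves the OIDC client credentials from a Kubernetes secret; passwordKey selects the client secret. Only one of secret, vaultSecret or randomSecret can be specified.` — confirm against the controller which key it actually reads. The text `kubebuilder:validation:UniqueItems=true` leaking into the `JWTSupportedAlgs`, `JWTValidationPubKeys` and `OIDCResponseTypes` descriptions is a marker that lost its `+` prefix, so it is rendered as documentation instead of applied; `x-kubernetes-list-type: set` already enforces uniqueness, so it can simply be dropped from the comment. The `pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?` on `authentication.path` and `spec.path` reads as a character range `\$-\.` rather than a literal hyphen, which admits `'`, `(`, `)`, `*` and `,` in a Vault mount path; if a literal hyphen was intended the class should be `[\w;:@&=\$\-\.\+]`. The same leaked marker and the same path pattern also appear in the jwtoidcauthengineroles hunk.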
@@ -0,0 +1,393 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: jwtoidcauthengineroles.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: JWTOIDCAuthEngineRole + listKind: JWTOIDCAuthEngineRoleList + plural: jwtoidcauthengineroles + singular: jwtoidcauthenginerole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTOIDCAuthEngineRole is the Schema for the jwtoidcauthengineroles + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTOIDCAuthEngineRoleSpec defines the desired state of JWTOIDCAuthEngineRole + properties: + OIDCScopes: + description: If set, a list of OIDC scopes to be used with an OIDC + role The standard scope "openid" is automatically included and need + not be specified kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + allowedRedirectURIs: + description: The list of allowed values for redirect_uri during OIDC + logins kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + authentication: + description: Authentication is the kube auth configuraiton to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + boundAudiences: + description: List of aud claims to match against. Any match is sufficient. 
+ Required for "jwt" roles, optional for "oidc" roles kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + boundClaims: + additionalProperties: + type: string + description: If set, a map of claims (keys) to match against respective + claim values (values) The expected value may be a single string + or a list of strings The interpretation of the bound claim values + is configured with bound_claims_type Keys support JSON pointer syntax + for referencing claims + type: object + boundClaimsType: + default: string + description: Configures the interpretation of the bound_claims values. + If "string" (the default), the values will treated as string literals + and must match exactly. If set to "glob", the values will be interpreted + as globs, with * matching any number of characters + type: string + boundSubject: + default: "" + description: If set, requires that the sub claim matches this value. + type: string + claimMappings: + additionalProperties: + type: string + description: If set, a map of claims (keys) to be copied to specified + metadata fields (values) Keys support JSON pointer syntax for referencing + claims + type: object + clockSkewLeeway: + default: 0 + description: The amount of leeway to add to all claims to account + for clock skew, in seconds. Defaults to 60 seconds if set to 0 and + can be disabled if set to -1. Accepts an integer number of seconds, + or a Go duration format string. Only applicable with "jwt" roles + format: int64 + type: integer + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. 
+ properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + expirationLeeway: + default: 0 + description: The amount of leeway to add to expiration (exp) claims + to account for clock skew, in seconds. Defaults to 150 seconds if + set to 0 and can be disabled if set to -1. 
Accepts an integer number + of seconds, or a Go duration format string. Only applicable with + "jwt" roles. + format: int64 + type: integer + groupsClaim: + default: "" + description: The claim to use to uniquely identify the set of groups + to which the user belongs; this will be used as the names for the + Identity group aliases created due to a successful login. The claim + value must be a list of strings. Supports JSON pointer syntax for + referencing claims + type: string + maxage: + default: 0 + description: Specifies the allowable elapsed time in seconds since + the last time the user was actively authenticated with the OIDC + provider If set, the max_age request parameter will be included + in the authentication request See AuthRequest for additional details + Accepts an integer number of seconds, or a Go duration format string + format: int64 + type: integer + name: + description: Name of the role + type: string + notBeforeLeeway: + default: 0 + description: he amount of leeway to add to not before (nbf) claims + to account for clock skew, in seconds Defaults to 150 seconds if + set to 0 and can be disabled if set to -1. Accepts an integer number + of seconds, or a Go duration format string. Only applicable with + "jwt" roles + format: int64 + type: integer + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/groups/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + roleType: + default: "" + description: Type of role, either "oidc" (default) or "jwt" + type: string + tokenBoundCIDRs: + description: List of CIDR blocks; if set, specifies blocks of IP addresses + which can authenticate successfully, and ties the resulting token + to these blocks as well. 
kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + tokenExplicitMaxTTL: + default: "" + description: If set, will encode an explicit max TTL onto the token. + This is a hard cap even if token_ttl and token_max_ttl would otherwise + allow a renewal. + type: string + tokenMaxTTL: + default: "" + description: The maximum lifetime for generated tokens. This current + value of this will be referenced at renewal time + type: string + tokenNoDefaultPolicy: + default: false + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies + type: boolean + tokenNumUses: + default: 0 + description: The maximum number of times a generated token may be + used (within its lifetime); 0 means unlimited. If you require the + token to have the ability to create child tokens, you will need + to set this value to 0 + format: int64 + type: integer + tokenPeriod: + default: 0 + description: The period, if any, to set on the token + format: int64 + type: integer + tokenPolicies: + description: List of policies to encode onto generated tokens Depending + on the auth method, this list may be supplemented by user/group/other + values kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + tokenTTL: + default: "" + description: The incremental lifetime for generated tokens This current + value of this will be referenced at renewal time + type: string + tokenType: + default: "" + description: 'The type of token that should be generated. Can be service, + batch, or default to use the mount''s tuned default (which unless + changed will be service tokens). For token store roles, there are + two additional possibilities: default-service and default-batch + which specify the type to return unless the client requests a different + type at generation time.' 
+ type: string + userClaim: + description: The claim to use to uniquely identify the user; this + will be used as the name for the Identity entity alias created due + to a successful login. The claim value must be a string + type: string + userClaimJSONPointer: + default: false + description: Specifies if the user_claim value uses JSON pointer syntax + for referencing claims. By default, the user_claim value will not + use JSON pointer. + type: boolean + verboseOIDCLogging: + default: false + description: Log received OIDC tokens and claims when debug-level + logging is active Not recommended in production since sensitive + information may be present in OIDC responses + type: boolean + required: + - name + - userClaim + type: object + status: + description: JWTOIDCAuthEngineRoleStatus defines the observed state of + JWTOIDCAuthEngineRole + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
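Review bot: The `clockSkewLeeway`, `expirationLeeway`, `notBeforeLeeway` and `maxage` descriptions promise that the field "Accepts an integer number of seconds, or a Go duration format string", but each is declared `type: integer` / `format: int64`, so a duration string is rejected at admission; either drop the string option from the doc comments or widen the field, and while there `notBeforeLeeway` starts with `he amount` for `The amount`. The `path` description gives the final Vault path as `{[spec.authentication.namespace]}/auth/{spec.path}/groups/{metadata.name}`, which looks copied from a groups type — a JWT/OIDC auth role is presumably written under a `role/` segment, so the comment should name the path the controller actually writes to. `tokenBoundCIDRs` items carry no validation; `format: cidr` on the item schema would reject malformed entries at admission rather than at Vault, and `format: uri` on the `allowedRedirectURIs` items would do the same for the redirect allow-list.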
diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetesauthengineconfigs.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetesauthengineconfigs.yaml
new file mode 100644
index 00000000000..e0fe3dd1164
--- /dev/null
+++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetesauthengineconfigs.yaml
@@ -0,0 +1,269 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: kubernetesauthengineconfigs.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: KubernetesAuthEngineConfig + listKind: KubernetesAuthEngineConfigList + plural: kubernetesauthengineconfigs + singular: kubernetesauthengineconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: KubernetesAuthEngineConfig is the Schema for the kubernetesauthengineconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubernetesAuthEngineConfigSpec defines the desired state + of KubernetesAuthEngineConfig + properties: + PEMKeys: + description: PEMKeys Optional list of PEM-formatted public keys or + certificates used to verify the signatures of Kubernetes service + account JWTs. If a certificate is given, its public key will be + extracted. Not every installation of Kubernetes exposes these keys. 
+ items: + type: string + type: array + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). 
+ type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + disableISSValidation: + default: false + description: DisableISSValidation Disable JWT issuer validation. Allows + to skip ISS validation. + type: boolean + disableLocalCAJWT: + default: false + description: DisableLocalCAJWT Disable defaulting to the local CA + cert and service account JWT when running in a Kubernetes pod. + type: boolean + issuer: + description: Issuer Optional JWT issuer. If no issuer is specified, + then this plugin will use kubernetes/serviceaccount as the default + issuer. See these instructions for looking up the issuer for a given + Kubernetes cluster. + type: string + kubernetesCACert: + description: 'kubernetesCACert PEM encoded CA cert for use by the + TLS client used to talk with the Kubernetes API. 
NOTE: Every line + must end with a newline: \n if omitted will default to the content + of the file "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + in the operator pod' + type: string + kubernetesHost: + default: https://kubernetes.default.svc:443 + description: KubernetesHost Host must be a host string, a host:port + pair, or a URL to the base of the Kubernetes API server. + type: string + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + tokenReviewerServiceAccount: + description: TokenReviewerServiceAccount A service account JWT used + to access the TokenReview API to validate other JWTs during login. + If not set, the JWT submitted in the login payload will be used + to access the Kubernetes TokenReview API. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + status: + description: KubernetesAuthEngineConfigStatus defines the observed state + of KubernetesAuthEngineConfig + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetesauthengineroles.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetesauthengineroles.yaml new file mode 100644 index 00000000000..ac0f71a2665 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetesauthengineroles.yaml 
@@ -0,0 +1,379 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: kubernetesauthengineroles.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: KubernetesAuthEngineRole + listKind: KubernetesAuthEngineRoleList + plural: kubernetesauthengineroles + singular: kubernetesauthenginerole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: KubernetesAuthEngineRole can be used to define a KubernetesAuthEngineRole + for the kube-auth authentication method + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubernetesAuthEngineRoleSpec defines the desired state of + KubernetesAuthEngineRole + properties: + aliasNameSource: + default: serviceaccount_uid + description: 'AliasNameSource Configures how identity aliases are + generated. Valid choices are: serviceaccount_uid, serviceaccount_name + When serviceaccount_uid is specified, the machine generated UID + from the service account will be used as the identity alias name. + When serviceaccount_name is specified, the service account''s namespace + and name will be used as the identity alias name e.g vault/vault-auth. 
+ While it is strongly advised that you use serviceaccount_uid, you + may also use serviceaccount_name in cases where you want to set + the alias ahead of time, and the risks are mitigated or otherwise + acceptable given your use case. It is very important to limit who + is able to delete/create service accounts within a given cluster. + See the Create an Entity Alias document which further expands on + the potential security implications mentioned above.' + enum: + - serviceaccount_uid + - serviceaccount_name + type: string + audience: + description: Audience Audience claim to verify in the JWT. + type: string + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. 
If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + name: + description: The name of the obejct created in Vault. 
If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/role/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + policies: + description: Policies is a list of policy names to be bound to this + role. kubebuilder:validation:UniqueItems=true + items: + type: string + minItems: 1 + type: array + targetNamespaces: + description: TargetNamespaces specifies how to retrieve the namespaces + bound to this Vault role. + properties: + targetNamespaceSelector: + description: TargetNamespaceSelector is a selector of namespaces + from which service accounts will receove this role. Either TargetNamespaceSelector + or TargetNamespaces can be specified + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + targetNamespaces: + description: TargetNamespaces is a list of namespace from which + service accounts will receive this role. Either TargetNamespaceSelector + or TargetNamespaces can be specified. kubebuilder:validation:UniqueItems=true + items: + type: string + minItems: 1 + type: array + x-kubernetes-list-type: set + type: object + targetServiceAccounts: + default: + - default + description: TargetServiceAccounts is a list of service account names + that will receive this role kubebuilder:validation:UniqueItems=true + items: + type: string + minItems: 1 + type: array + tokenBoundCIDRs: + description: TokenBoundCIDRs List of CIDR blocks; if set, specifies + blocks of IP addresses which can authenticate successfully, and + ties the resulting token to these blocks as well. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + tokenExplicitMaxTTL: + default: 0 + description: TokenExplicitMaxTTL If set, will encode an explicit max + TTL onto the token. This is a hard cap even if token_ttl and token_max_ttl + would otherwise allow a renewal. + type: integer + tokenMaxTTL: + default: 0 + description: TokenMaxTTL The maximum lifetime for generated tokens. + This current value of this will be referenced at renewal time. 
+ type: integer + tokenNoDefaultPolicy: + default: false + description: TokenNoDefaultPolicy If set, the default policy will + not be set on generated tokens; otherwise it will be added to the + policies set in token_policies + type: boolean + tokenNumUses: + default: 0 + description: TokenNumUses The maximum number of times a generated + token may be used (within its lifetime); 0 means unlimited. If you + require the token to have the ability to create child tokens, you + will need to set this value to 0. + type: integer + tokenPeriod: + default: 0 + description: TokenPeriod The period, if any, to set on the token. + type: integer + tokenTTL: + default: 0 + description: TokenTTL The incremental lifetime for generated tokens. + This current value of this will be referenced at renewal time. + type: integer + tokenType: + default: default + description: 'TokenType The type of token that should be generated. + Can be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store roles, + there are two additional possibilities: default-service and default-batch + which specify the type to return unless the client requests a different + type at generation time.' + enum: + - service + - batch + - default + - default-service + - default-batch + type: string + required: + - policies + - targetServiceAccounts + type: object + status: + description: KubernetesAuthEngineRoleStatus defines the observed state + of KubernetesAuthEngineRole + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetessecretengineconfigs.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetessecretengineconfigs.yaml new file mode 100644 index 00000000000..c2d30904c5b --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetessecretengineconfigs.yaml 
@@ -0,0 +1,321 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: kubernetessecretengineconfigs.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: KubernetesSecretEngineConfig + listKind: KubernetesSecretEngineConfigList + plural: kubernetessecretengineconfigs + singular: kubernetessecretengineconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: KubernetesSecretEngineConfig is the Schema for the kubernetessecretengineconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubernetesSecretEngineConfigSpec defines the desired state + of KubernetesSecretEngineConfig + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. 
The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. 
+ type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + disableLocalCAJWT: + default: false + description: DisableLocalCAJWT Disable defaulting to the local CA + certificate and service account JWT when running in a Kubernetes + pod. + type: boolean + jwtReference: + description: JWTReference specifies how to retrieve the JWT token + for this Kubernetes Engine connection. Only VaultSecretReference + or LocalObjectRefence can be used, random secret is not allowed. + properties: + passwordKey: + default: password + description: PasswordKey key to be used when retrieving the password, + required with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + randomSecret: + description: 'RandomSecret retrieves the credentials from the + Vault secret corresponding to this RandomSecret. This will map + the "username" and "password" keys of the secret to the username + and password of this config. All other keys will be ignored. + If the RandomSecret is refreshed the operator retrieves the + new secret from Vault and updates this configuration. Only one + of RootCredentialsFromVaultSecret or RootCredentialsFromSecret + or RootCredentialsFromRandomSecret can be specified. 
When using + randomSecret a username must be specified in the spec.username + password: Specifies the password to use when connecting with + the username. This value will not be returned by Vault when + performing a read upon the configuration. This is typically + used in the connection_url field via the templating directive + "{{"password"}}"".' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + secret: + description: 'Secret retrieves the credentials from a Kubernetes + secret. The secret must be of basicauth type (https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret). + This will map the "username" and "password" keys of the secret + to the username and password of this config. If the kubernetes + secret is updated, this configuration will also be updated. + All other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. + This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". 
If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + usernameKey: + default: username + description: UsernameKey key to be used when retrieving the username, + optional with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + vaultSecret: + description: 'VaultSecret retrieves the credentials from a Vault + secret. This will map the "username" and "password" keys of + the secret to the username and password of this config. All + other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. + This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". 
If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + path: + description: Path is the path to the secret + type: string + type: object + type: object + kubernetesCACert: + description: KubernetesCACert PEM encoded CA certificate to verify + the Kubernetes API server certificate. + type: string + kubernetesHost: + description: KubernetesHost Kubernetes API URL to connect to. + type: string + path: + description: Path at which to create the role. The final path in Vault + will be {[spec.authentication.namespace]}/{spec.path}/config. The + authentication role must have the following capabilities = [ "create", + "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + type: object + status: + description: KubernetesSecretEngineConfigStatus defines the observed state + of KubernetesSecretEngineConfig + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetessecretengineroles.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetessecretengineroles.yaml new file mode 100644 index 00000000000..e667117d0a1 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_kubernetessecretengineroles.yaml 
@@ -0,0 +1,358 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: kubernetessecretengineroles.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: KubernetesSecretEngineRole + listKind: KubernetesSecretEngineRoleList + plural: kubernetessecretengineroles + singular: kubernetessecretenginerole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: KubernetesSecretEngineRole is the Schema for the kubernetessecretengineroles + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubernetesSecretEngineRoleSpec defines the desired state + of KubernetesSecretEngineRole + properties: + allowedKubernetesNamespaces: + description: AllowedKubernetesNamespaces The list of Kubernetes namespaces + this role can generate credentials for. If set to "*" all namespaces + are allowed. 
kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). 
+ type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + defaultTTL: + default: 0s + description: DeafulTTL Specifies the TTL for the leases associated + with this role. Accepts time suffixed strings ("1h") or an integer + number of seconds. Defaults to system/engine default TTL time. + type: string + extraAnnotations: + additionalProperties: + type: string + description: ExtraAnnotations Additional annotations to apply to all + generated Kubernetes objects. See the Kubernetes annotations documentation + for more details on annotations. + type: object + extraLabels: + additionalProperties: + type: string + description: ExtraLabels Additional labels to apply to all generated + Kubernetes objects. See the Kubernetes labels documentation for + more details on labels. 
+ type: object + generateRoleRules: + description: GenerateRoleRules The Role or ClusterRole rules to use + when generating a role. Accepts either JSON or YAML formatted rules. + If set, the entire chain of Kubernetes objects will be generated + when credentials are requested. The value should be a rules key + with an array of PolicyRule objects, as illustrated in the Kubernetes + RBAC documentation and Sample Payload 3 below. + type: string + kubernetesRoleName: + description: KubernetesRoleName The pre-existing Role or ClusterRole + to bind a generated service account to. If set, Kubernetes token, + service account, and role binding objects will be created when credentials + are requested. See the Kubernetes roles documentation for more details + on Kubernetes roles. + type: string + kubernetesRoleType: + default: Role + description: KubernetesRoleType Specifies whether the Kubernetes role + is a Role or ClusterRole + enum: + - Role + - ClusterRole + type: string + maxTTL: + default: 0s + description: MaxTTL Specifies the maximum TTL for the leases associated + with this role. Accepts time suffixed strings ("1h") or an integer + number of seconds. Defaults to system/mount default TTL time; this + value is allowed to be less than the mount max TTL (or, if not set, + the system max TTL), but it is not allowed to be longer. See also + The TTL General Case. + type: string + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + nameTemplate: + description: NameTemplate The name template to use when generating + service accounts, roles and role bindings. If unset, a default template + is used. See username templating for details on how to write a custom + template. + type: string + path: + description: Path at which to create the role. The final path in Vault + will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}. 
+ The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + serviceAccountName: + description: ServiceAccountName The pre-existing service account to + generate tokens for. Mutually exclusive with all role parameters. + If set, only a Kubernetes token will be created when credentials + are requested. See the Kubernetes service account documentation + for more details on service accounts. + type: string + targetNamespaces: + description: TargetNamespaces specifies how to retrieve the list of + Kubernetes namespaces this role can generate credentials for. + properties: + targetNamespaceSelector: + description: TargetNamespaceSelector is a selector of namespaces + from which service accounts will receove this role. Either TargetNamespaceSelector + or TargetNamespaces can be specified + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + targetNamespaces: + description: TargetNamespaces is a list of namespace from which + service accounts will receive this role. Either TargetNamespaceSelector + or TargetNamespaces can be specified. kubebuilder:validation:UniqueItems=true + items: + type: string + minItems: 1 + type: array + x-kubernetes-list-type: set + type: object + type: object + status: + description: KubernetesSecretEngineRoleStatus defines the observed state + of KubernetesSecretEngineRole + properties: + conditions: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state + of cluster Important: Run "make" to regenerate code after modifying + this file' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_ldapauthengineconfigs.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_ldapauthengineconfigs.yaml new file mode 100644 index 00000000000..5527ad225ac --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_ldapauthengineconfigs.yaml 
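Review bot: The `path` pattern `^(?:/?[\w;:@&=\$-\.\+]*)+/?` in this section rejects nothing: there is no closing `$` anchor, so every string (including the empty one) matches at offset 0, and `\$-\.` inside the character class is a range from `$` to `.`, which also admits `%`, `'`, `(`, `)`, `*` and `,`; the `name` pattern `'[a-z0-9]([-a-z0-9]*[a-z0-9])?'` is likewise unanchored at both ends, so it only requires that one lowercase alphanumeric appear somewhere. If the intent is to constrain what is written into the Vault path, anchor the expressions and spell the literals out, e.g. `pattern: ^(?:/?[\w;:@&=$.+-]*)+/?$` and `pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`; these come from the kubebuilder markers on the Go API types, so the fix belongs there and then regenerates into this manifest. Separately, the literal text `kubebuilder:validation:UniqueItems=true` has leaked into the descriptions of `allowedKubernetesNamespaces` and `targetNamespaces.targetNamespaces`, which suggests the marker lost its leading `+` in the source comment (uniqueness is still enforced by `x-kubernetes-list-type: set`, so only the doc text needs cleaning). The same `path` pattern recurs in the kubernetessecretengineconfigs section above and in the ldapauthengineconfigs section below, which runs past this chunk.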
@@ -0,0 +1,531 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: ldapauthengineconfigs.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: LDAPAuthEngineConfig + listKind: LDAPAuthEngineConfigList + plural: ldapauthengineconfigs + singular: ldapauthengineconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: LDAPAuthEngineConfig is the Schema for the ldapauthengineconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: LDAPAuthEngineConfigSpec defines the desired state of LDAPAuthEngineConfig + properties: + TLSMaxVersion: + default: tls12 + description: TLSMaxVersion Maximum TLS version to use. Accepted values + are tls10, tls11, tls12 or tls13 + type: string + TLSMinVersion: + default: tls12 + description: TLSMinVersion Minimum TLS version to use. Accepted values + are tls10, tls11, tls12 or tls13 + type: string + UPNDomain: + default: "" + description: 'UPNDomain The userPrincipalDomain used to construct + the UPN string for the authenticating user. The constructed UPN + will appear as [username]@UPNDomain. 
Example: example.com, which + will cause vault to bind as username@example.com' + type: string + anonymousGroupSearch: + default: false + description: 'AnonymousGroupSearch Use anonymous binds when performing + LDAP group searches (note: even when true, the initial credentials + will still be used for the initial connection test).' + type: boolean + authentication: + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + bindCredentials: + description: BindCredentials is used to connect to the LDAP service + on the specified LDAP Server. BindCredentials consists in bindDN + and bindPass, which can be created as Kubernetes Secret, VaultSecret + or RandomSecret. + properties: + passwordKey: + default: password + description: PasswordKey key to be used when retrieving the password, + required with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + randomSecret: + description: 'RandomSecret retrieves the credentials from the + Vault secret corresponding to this RandomSecret. 
This will map + the "username" and "password" keys of the secret to the username + and password of this config. All other keys will be ignored. + If the RandomSecret is refreshed the operator retrieves the + new secret from Vault and updates this configuration. Only one + of RootCredentialsFromVaultSecret or RootCredentialsFromSecret + or RootCredentialsFromRandomSecret can be specified. When using + randomSecret a username must be specified in the spec.username + password: Specifies the password to use when connecting with + the username. This value will not be returned by Vault when + performing a read upon the configuration. This is typically + used in the connection_url field via the templating directive + "{{"password"}}"".' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + secret: + description: 'Secret retrieves the credentials from a Kubernetes + secret. The secret must be of basicauth type (https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret). + This will map the "username" and "password" keys of the secret + to the username and password of this config. If the kubernetes + secret is updated, this configuration will also be updated. + All other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. + This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". 
password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + usernameKey: + default: username + description: UsernameKey key to be used when retrieving the username, + optional with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + vaultSecret: + description: 'VaultSecret retrieves the credentials from a Vault + secret. This will map the "username" and "password" keys of + the secret to the username and password of this config. All + other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. + This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". 
If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + path: + description: Path is the path to the secret + type: string + type: object + type: object + bindDN: + default: "" + description: BindDN - Username used to connect to the LDAP service + on the specified LDAP Server. If in the form accountname@domain.com, + the username is transformed into a proper LDAP bind DN, for example, + CN=accountname,CN=users,DC=domain,DC=com, when accessing the LDAP + server. If username is provided it takes precedence over the username + retrieved from the referenced secrets + type: string + caseSensitiveNames: + default: false + description: CaseSensitiveNames If set, user and group names assigned + to policies within the backend will be case sensitive. Otherwise, + names will be normalized to lower case. Case will still be preserved + when sending the username to the LDAP server at login time; this + is only for matching local user/group definitions. + type: boolean + certificate: + default: "" + description: Certificate CA certificate to use when verifying LDAP + server certificate, must be x509 PEM encoded. + type: string + clientTLSCert: + default: "" + description: ClientTLSCert Client certificate to provide to the LDAP + server, must be x509 PEM encoded + type: string + clientTLSKey: + default: "" + description: ClientTLSKey Client certificate key to provide to the + LDAP server, must be x509 PEM encoded + type: string + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. 
+ properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. 
+ type: string + type: object + denyNullBind: + default: true + description: DenyNullBind This option prevents users from bypassing + authentication when providing an empty password + type: boolean + discoverDN: + default: false + description: DiscoverDN Use anonymous bind to discover the bind DN + of a user. + type: boolean + groupAttr: + default: "" + description: 'GroupAttr LDAP attribute to follow on objects returned + by groupfilter in order to enumerate user group membership. Examples: + for groupfilter queries returning group objects, use: cn. For queries + returning user objects, use: memberOf. The default is cn.' + type: string + groupDN: + default: "" + description: 'GroupDN LDAP search base to use for group membership + search. This can be the root containing either groups or users. + Example: ou=Groups,dc=example,dc=com' + type: string + groupFilter: + default: "" + description: 'GroupFilter Go template used when constructing the group + membership query. The template can access the following context + variables: [UserDN, Username]. The default is (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})), + which is compatible with several common directory schemas. To support + nested group resolution for Active Directory, instead use the following + query: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))' + type: string + insecureTLS: + default: false + description: InsecureTLS If true, skips LDAP server SSL certificate + verification - insecure, use with caution! + type: boolean + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + requestTimeout: + default: 90s + description: RequestTimeout Timeout, in seconds, for the connection + when making requests against the server before returning back an + error. + type: string + startTLS: + default: false + description: StartTLS If true, issues a StartTLS command after establishing + an unencrypted connection. + type: boolean + tLSConfig: + description: CertificateConfig represents the LDAP service certificate + configuration. CertificateConfig consists in certificate, clientTLSCert + and clientTLSKey which can be consumed from an Kubernetes Secret. + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault server's + SSL certificate. This environment variable takes precedence + over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not recommended + and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing the + tls material for the connection. the expected keys for the secret + are: ca bundle -> "ca.crt", certificate -> "tls.crt", key -> + "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when connecting + via TLS. + type: string + type: object + tokenBoundCIDRs: + default: "" + description: TokenBoundCIDRs List of CIDR blocks; if set, specifies + blocks of IP addresses which can authenticate successfully, and + ties the resulting token to these blocks as well. 
+ type: string + tokenExplicitMaxTTL: + default: "" + description: TonenExplicitMaxTTL If set, will encode an explicit max + TTL onto the token. This is a hard cap even if token_ttl and token_max_ttl + would otherwise allow a renewal. + type: string + tokenMaxTTL: + default: "" + description: TokenMaxTTL The maximum lifetime for generated tokens. + This current value of this will be referenced at renewal time + type: string + tokenNoDefaultPolicy: + default: false + description: TokenNoDefaultPolicy If set, the default policy will + not be set on generated tokens; otherwise it will be added to the + policies set in token_policies. + type: boolean + tokenNumUses: + default: 0 + description: TokenNumUses The maximum number of times a generated + token may be used (within its lifetime); 0 means unlimited. If you + require the token to have the ability to create child tokens, you + will need to set this value to 0. + format: int64 + type: integer + tokenPeriod: + default: 0 + description: TokenPeriod The period, if any, to set on the token + format: int64 + type: integer + tokenPolicies: + default: "" + description: TokenPolicies List of policies to encode onto generated + tokens. Depending on the auth method, this list may be supplemented + by user/group/other values. + type: string + tokenTTL: + default: "" + description: TokenTTL The incremental lifetime for generated tokens. + This current value of this will be referenced at renewal time. + type: string + tokenType: + default: "" + description: 'The type of token that should be generated. Can be service, + batch, or default to use the mount''s tuned default (which unless + changed will be service tokens). For token store roles, there are + two additional possibilities: default-service and default-batch + which specify the type to return unless the client requests a different + type at generation time.' + type: string + url: + default: ldap://127.0.0.1 + description: 'URL The LDAP server to connect to. 
Examples: ldap://ldap.myorg.com, + ldaps://ldap.myorg.com:636. Multiple URLs can be specified with + commas, e.g. ldap://ldap.myorg.com,ldap://ldap2.myorg.com; these + will be tried in-order.' + type: string + userAttr: + default: cn + description: 'UserAttr Attribute on user attribute object matching + the username passed when authenticating. Examples: sAMAccountName, + cn, uid' + type: string + userDN: + default: "" + description: 'UserDN Base DN under which to perform user search. Example: + ou=Users,dc=example,dc=com' + type: string + userFilter: + default: "" + description: 'UserFilter An optional LDAP user search filter. The + template can access the following context variables: UserAttr, Username. + The default is ({{.UserAttr}}={{.Username}}), or ({{.UserAttr}}={{.Username@.upndomain}}) + if upndomain is set.' + type: string + usernameAsAlias: + default: false + description: UsernameAsAlias If set to true, forces the auth method + to use the username passed by the user as the alias name. + type: boolean + required: + - caseSensitiveNames + - url + type: object + status: + description: LDAPAuthEngineConfigStatus defines the observed state of + LDAPAuthEngineConfig + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_ldapauthenginegroups.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_ldapauthenginegroups.yaml new file mode 100644 index 00000000000..bb64a8bb2e4 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_ldapauthenginegroups.yaml 
@@ -0,0 +1,221 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: ldapauthenginegroups.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: LDAPAuthEngineGroup + listKind: LDAPAuthEngineGroupList + plural: ldapauthenginegroups + singular: ldapauthenginegroup + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: LDAPAuthEngineGroup is the Schema for the ldapauthenginegroups + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: LDAPAuthEngineGroupSpec defines the desired state of LDAPAuthEngineGroup + properties: + authentication: + description: Authentication is the kube auth configuraiton to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. 
the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + name: + description: The name of the LDAP group + type: string + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/groups/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + policies: + default: "" + description: Comma-separated list of policies associated to the group + type: string + type: object + status: + description: LDAPAuthEngineGroupStatus defines the observed state of LDAPAuthEngineGroup + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_passwordpolicies.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_passwordpolicies.yaml new file mode 100644 index 00000000000..e24c113b7bc --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_passwordpolicies.yaml 
@@ -0,0 +1,215 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: passwordpolicies.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: PasswordPolicy + listKind: PasswordPolicyList + plural: passwordpolicies + singular: passwordpolicy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: PasswordPolicy is the Schema for the passowordpolicies API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PasswordPolicySpec defines the desired state of PasswordPolicy + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. 
the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + passwordPolicy: + description: PasswordPolicy is a Vault password policy (https://www.vaultproject.io/docs/concepts/password-policies) + expressed in HCL language. + type: string + type: object + status: + description: PolicyStatus defines the observed state of Policy + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. 
If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_pkisecretengineconfigs.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_pkisecretengineconfigs.yaml new file mode 100644 index 00000000000..c213985de09 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_pkisecretengineconfigs.yaml 
@@ -0,0 +1,418 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: pkisecretengineconfigs.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: PKISecretEngineConfig + listKind: PKISecretEngineConfigList + plural: pkisecretengineconfigs + singular: pkisecretengineconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: PKISecretEngineConfig is the Schema for the pkisecretengineconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PKISecretEngineConfigSpec defines the desired state of PKISecretEngineConfig + properties: + CRLDisable: + description: Disables or enables CRL building. + type: boolean + CRLDistributionPoints: + description: Specifies the URL values for the CRL Distribution Points + field. This can be an array or a comma-separated string list. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + CRLExpiry: + default: 72h + description: Specifies the time until expiration. + type: string + IPSans: + description: Specifies the requested IP Subject Alternative Names, + in a comma-delimited list. 
+ type: string + TTL: + description: Specifies the requested Time To Live (after which the + certificate will be expired). This cannot be larger than the engine's + max (or, if not set, the system max). + type: string + URISans: + description: Specifies the requested URI Subject Alternative Names, + in a comma-delimited list. + type: string + altNames: + description: Specifies the requested Subject Alternative Names, in + a comma-delimited list. These can be host names or email addresses; + they will be parsed into their respective fields. + type: string + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + certificateKey: + default: tls.crt + description: CertificateKey key to be used when retrieving the signed + certificate + type: string + commonName: + description: Specifies the requested CN for the certificate. + type: string + connection: + description: Connection represents the information needed to connect + to Vault. 
This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. 
+ type: string + type: object + country: + description: Specifies the C (Country) values in the subject field + of issued certificates. This is a comma-separated string or JSON + array. + type: string + excludeCnFromSans: + description: If set, the given common_name will not be included in + DNS or Email Subject Alternate Names (as appropriate). Useful if + the CN is not a hostname or email address, but is instead some human-readable + identifier. + type: boolean + externalSignSecret: + description: ExternalSignSecret retrieves the signed intermediate + certificate from a Kubernetes secret. Allows submitting the signed + CA certificate corresponding to a private key generated. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + format: + default: pem + description: Specifies the format for returned data. Can be pem, der, + or pem_bundle. If der, the output is base64 encoded. If pem_bundle, + the certificate field will contain the private key (if exported) + and certificate, concatenated; if the issuing CA is not a Vault-derived + self-signed root, this will be included as well. + enum: + - pem + - pem_bundle + - der + type: string + internalSign: + description: Use the configured refered Vault PKISecretEngineConfig + to issue a certificate with appropriate values for acting as an + intermediate CA. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + issuingCertificates: + description: Specifies the URL values for the Issuing Certificate + field. This can be an array or a comma-separated string list. 
kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + keyBits: + default: 2048 + description: Specifies the number of bits to use. This must be changed + to a valid value if the key_type is ec, e.g., 224, 256, 384 or 521. + type: integer + keyType: + default: rsa + description: Specifies the desired key type; must be rsa or ec. + enum: + - rsa + - ec + type: string + locality: + description: Specifies the L (Locality) values in the subject field + of issued certificates. This is a comma-separated string or JSON + array. + type: string + maxPathLength: + default: -1 + description: Specifies the maximum path length to encode in the generated + certificate. -1 means no limit. Unless the signing certificate has + a maximum path length set, in which case the path length is set + to one less than that of the signing certificate. A limit of 0 means + a literal path length of zero. + type: integer + ocspServers: + description: Specifies the URL values for the OCSP Servers field. + This can be an array or a comma-separated string list. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + organization: + description: Specifies the O (Organization) values in the subject + field of issued certificates. This is a comma-separated string or + JSON array. + type: string + otherSans: + description: 'Specifies custom OID/UTF8-string SANs. These must match + values specified on the role in allowed_other_sans (see role creation + for allowed_other_sans globbing rules). The format is the same as + OpenSSL: ;: where the only current valid type + is UTF8. This can be a comma-delimited list or a JSON string slice.' + type: string + ou: + description: Specifies the OU (OrganizationalUnit) values in the subject + field of issued certificates. This is a comma-separated string or + JSON array. + type: string + path: + description: Path at which to create the role. 
The final path in Vault + will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + permittedDnsDomains: + description: A comma separated string (or, string array) containing + DNS domains for which certificates are allowed to be issued or signed + by this CA certificate. Note that subdomains are allowed, as per + RFC. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + postalCode: + description: Specifies the Postal Code values in the subject field + of issued certificates. This is a comma-separated string or JSON + array. + type: string + privateKeyFormat: + description: Specifies the format for marshaling the private key. + Defaults to der which will return either base64-encoded DER or PEM-encoded + DER, depending on the value of format. The other option is pkcs8 + which will return the key marshalled as PEM-encoded PKCS8. + type: string + privateKeyType: + default: internal + description: Specifies the type of the root to create. If exported, + the private key will be returned in the response; if internal the + private key will not be returned and cannot be retrieved later. + This is part of the request URL. + enum: + - internal + - exported + type: string + province: + description: Specifies the ST (Province) values in the subject field + of issued certificates. This is a comma-separated string or JSON + array. + type: string + serialNumber: + description: Specifies the Serial Number, if any. Otherwise Vault + will generate a random serial for you. If you want more than one, + specify alternative names in the alt_names map using OID 2.5.4.5. + type: string + streetAddress: + description: Specifies the Street Address values in the subject field + of issued certificates. 
This is a comma-separated string or JSON + array. + type: string + type: + default: root + description: Specifies the type of certificate authority. Root CA + or Intermediate CA. This is part of the request URL. + enum: + - root + - intermediate + type: string + type: object + status: + description: PKISecretEngineConfigStatus defines the observed state of + PKISecretEngineConfig + properties: + conditions: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state + of cluster Important: Run "make" to regenerate code after modifying + this file' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. 
For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + exported: + type: boolean + generated: + type: boolean + signed: + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_pkisecretengineroles.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_pkisecretengineroles.yaml new file mode 100644 index 00000000000..a98bfa94fc9 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_pkisecretengineroles.yaml 
@@ -0,0 +1,472 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: pkisecretengineroles.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: PKISecretEngineRole + listKind: PKISecretEngineRoleList + plural: pkisecretengineroles + singular: pkisecretenginerole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: PKISecretEngineRole is the Schema for the pkisecretengineroles + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PKISecretEngineRoleSpec defines the desired state of PKISecretEngineRole + properties: + TTL: + default: 0s + description: Specifies the Time To Live value provided as a string + duration with time suffix. Hour is the largest suffix. If not set, + uses the system default value or the value of max_ttl, whichever + is shorter. + type: string + allowAnyName: + description: Specifies if clients can request any CN. Useful in some + circumstances, but make sure you understand whether it is appropriate + for your installation before enabling it. 
+ type: boolean + allowBareDomains: + description: Specifies if clients can request certificates matching + the value of the actual domains themselves; e.g. if a configured + domain set with allowed_domains is example.com, this allows clients + to actually request a certificate containing the name example.com + as one of the DNS values on the final certificate. In some scenarios, + this can be considered a security risk. + type: boolean + allowGlobDomains: + description: Allows names specified in allowed_domains to contain + glob patterns (e.g. ftp*.example.com). Clients will be allowed to + request certificates with names matching the glob patterns. + type: boolean + allowIPSans: + description: Specifies if clients can request IP Subject Alternative + Names. No authorization checking is performed except to verify that + the given values are valid IP addresses. + type: boolean + allowLocalhost: + type: boolean + allowSubdomains: + description: Specifies if clients can request certificates with CNs + that are subdomains of the CNs allowed by the other role options. + This includes wildcard subdomains. For example, an allowed_domains + value of example.com with this option set to true will allow foo.example.com + and bar.example.com as well as *.example.com. This is redundant + when using the allow_any_name option. + type: boolean + allowedDomains: + description: Specifies the domains of the role. This is used with + the allow_bare_domains and allow_subdomains options. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + allowedDomainsTemplate: + description: When set, allowed_domains may contain templates, as with + ACL Path Templating. + type: boolean + allowedOtherSans: + description: 'Defines allowed custom OID/UTF8-string SANs. This can + be a comma-delimited list or a JSON string slice, where each element + has the same format as OpenSSL: ;:, but the only + valid type is UTF8 or UTF-8. 
The value part of an element may be + a * to allow any value with that OID. Alternatively, specifying + a single * will allow any other_sans input.' + type: string + allowedURISans: + description: Defines allowed URI Subject Alternative Names. No authorization + checking is performed except to verify that the given values are + valid URIs. This can be a comma-delimited list or a JSON string + slice. Values can contain glob patterns (e.g. spiffe://hostname/*). + kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + basicConstraintsValidForNonCa: + description: Mark Basic Constraints valid when issuing non-CA certificates. + type: boolean + clientFlag: + description: Specifies if certificates are flagged for client use. + type: boolean + codeSigningFlag: + description: Specifies if certificates are flagged for code signing + use. 
+ type: boolean + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. 
+ type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + country: + description: Specifies the C (Country) values in the subject field + of issued certificates. This is a comma-separated string or JSON + array. + type: string + emailProtectionFlag: + description: Specifies if certificates are flagged for email protection + use. + type: boolean + enforceHostnames: + description: Specifies if only valid host names are allowed for CNs, + DNS SANs, and the host part of email addresses. + type: boolean + extKeyUsage: + description: Specifies the allowed extended key usage constraint on + issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage + - simply drop the ExtKeyUsage part of the value. Values are not + case-sensitive. To specify no key usage constraints, set this to + an empty list. kubebuilder:validation:UniqueItems=true + enum: + - ServerAuth + - ClientAuth + - CodeSigning + - EmailProtection + - IPSECEndSystem + - IPSECTunnel + - IPSECUser + - TimeStamping + - OCSPSigning + - MicrosoftServerGatedCrypto + - NetscapeServerGatedCrypto + - MicrosoftCommercialCodeSigning + - MicrosoftKernelCodeSigning + items: + type: string + type: array + x-kubernetes-list-type: set + extKeyUsageOids: + description: A comma-separated string or list of extended key usage + oids. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + generateLease: + description: Specifies if certificates issued/signed against this + role will have Vault leases attached to them. Certificates can be + added to the CRL by vault revoke when certificates are + associated with leases. It can also be done using the pki/revoke + endpoint. However, when lease generation is disabled, invoking pki/revoke + would be the only way to add the certificates to the CRL. 
+ type: boolean + keyBits: + default: 2048 + description: Specifies the number of bits to use for the generated + keys. This will need to be changed for ec keys, e.g., 224, 256, + 384 or 521. + type: integer + keyType: + default: rsa + description: Specifies the type of key to generate for generated private + keys and the type of key expected for submitted CSRs. Currently, + rsa and ec are supported, or when signing CSRs any can be specified + to allow keys of either type and with any bit size (subject to > + 1024 bits for RSA keys). + enum: + - rsa + - ec + type: string + keyUsage: + description: Specifies the allowed key usage constraint on issued + certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage + - simply drop the KeyUsage part of the value. Values are not case-sensitive. + To specify no key usage constraints, set this to an empty list. + kubebuilder:validation:UniqueItems=true + enum: + - DigitalSignature + - KeyAgreement + - KeyEncipherment + - ContentCommitment + - DataEncipherment + - CertSign + - CRLSign + - EncipherOnly + - DecipherOnly + items: + type: string + type: array + x-kubernetes-list-type: set + locality: + description: Specifies the L (Locality) values in the subject field + of issued certificates. This is a comma-separated string or JSON + array. + type: string + maxTTL: + default: 0s + description: Specifies the maximum Time To Live provided as a string + duration with time suffix. Hour is the largest suffix. If not set, + defaults to the system maximum lease TTL. + type: string + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + noStore: + description: If set, certificates issued/signed against this role + will not be stored in the storage backend. This can improve performance + when issuing large numbers of certificates. 
However, certificates + issued in this way cannot be enumerated or revoked, so this option + is recommended only for certificates that are non-sensitive, or + extremely short-lived. This option implies a value of false for + generate_lease. + type: boolean + notBeforeDuration: + default: 30s + description: Specifies the duration by which to backdate the NotBefore + property. + type: string + organization: + description: Specifies the O (Organization) values in the subject + field of issued certificates. This is a comma-separated string or + JSON array. + type: string + ou: + description: Specifies the OU (OrganizationalUnit) values in the subject + field of issued certificates. This is a comma-separated string or + JSON array. + type: string + path: + description: Path at which to create the role. The final path in Vault + will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + policyIdentifiers: + description: A comma-separated string or list of policy OIDs. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + postalCode: + description: Specifies the Postal Code values in the subject field + of issued certificates. This is a comma-separated string or JSON + array. + type: string + province: + description: Specifies the ST (Province) values in the subject field + of issued certificates. This is a comma-separated string or JSON + array. + type: string + requireCn: + description: If set to false, makes the common_name field optional + while generating a certificate. + type: boolean + serialNumber: + description: Specifies the Serial Number, if any. Otherwise Vault + will generate a random serial for you. If you want more than one, + specify alternative names in the alt_names map using OID 2.5.4.5. 
+ type: string + serverFlag: + description: Specifies if certificates are flagged for server use. + type: boolean + streetAddress: + description: Specifies the Street Address values in the subject field + of issued certificates. This is a comma-separated string or JSON + array. + type: string + useCSRCommonName: + default: true + description: When used with the CSR signing endpoint, the common name + in the CSR will be used instead of taken from the JSON data. This + does not include any requested SANs in the CSR; use use_csr_sans + for that. + type: boolean + useCSRSans: + default: true + description: When used with the CSR signing endpoint, the subject + alternate names in the CSR will be used instead of taken from the + JSON data. This does not include the common name in the CSR; use + use_csr_common_name for that. + type: boolean + type: object + status: + description: PKISecretEngineRoleStatus defines the observed state of PKISecretEngineRole + properties: + conditions: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state + of cluster Important: Run "make" to regenerate code after modifying + this file' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. 
This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_policies.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_policies.yaml new file mode 100644 index 00000000000..f37beb053fe --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_policies.yaml 
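Review bot: The `spec.name` validation in this CRD is a no-op: `pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?'` is unanchored, so any string that contains a single lowercase alphanumeric character passes (e.g. `foo bar` or `../other`), even though the field's own description says it replaces `metadata.name` and is presumably interpolated into the Vault path `{spec.path}/roles/<name>`. Anchor it so the API server actually enforces the DNS-label shape the pattern is clearly meant to express: `pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`. The `spec.path` and `spec.authentication.path` patterns have the same weakness (no trailing `$`, and `\$-\.` inside the class is a character range, not three literals). This manifest is controller-gen output, so the durable fix is on the `+kubebuilder:validation:Pattern` markers of the Go API types rather than in this bundle file.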
@@ -0,0 +1,223 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: policies.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: Policy + listKind: PolicyList + plural: policies + singular: policy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy is the Schema for the policies API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec defines the desired state of Policy + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. 
the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + policy: + description: Policy is a Vault policy expressed in HCL language. + type: string + type: + description: Type represents the policy type, currently the only supported + policy type is "acl", but in the future rgp and egp might be supported. + If not specified a policy will be created at /sys/policies/, + if specified (the recommended approach) a policy will be created + at /sys/policies/acl/ + enum: + - acl + type: string + type: object + status: + description: PolicyStatus defines the observed state of Policy + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_quaysecretengineconfigs.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_quaysecretengineconfigs.yaml new file mode 100644 index 00000000000..7c77b366249 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_quaysecretengineconfigs.yaml 
@@ -0,0 +1,318 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: quaysecretengineconfigs.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: QuaySecretEngineConfig + listKind: QuaySecretEngineConfigList + plural: quaysecretengineconfigs + singular: quaysecretengineconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: QuaySecretEngineConfig is the Schema for the quaysecretengineconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: QuaySecretEngineConfigSpec defines the desired state of QuaySecretEngineConfig + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + caCertificate: + description: CACertertificate PEM encoded CA cert for use by the TLS + client used to communicate with Quay. + type: string + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. 
+ type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + disableSslVerification: + default: false + description: DisableSslVerification Disable SSL verification when + communicating with Quay. + type: boolean + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/{spec.path}/config. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + rootCredentials: + description: RootCredentials specifies how to retrieve the credentials + for this Quay connection. + properties: + passwordKey: + default: password + description: PasswordKey key to be used when retrieving the password, + required with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + randomSecret: + description: 'RandomSecret retrieves the credentials from the + Vault secret corresponding to this RandomSecret. This will map + the "username" and "password" keys of the secret to the username + and password of this config. All other keys will be ignored. + If the RandomSecret is refreshed the operator retrieves the + new secret from Vault and updates this configuration. 
Only one + of RootCredentialsFromVaultSecret or RootCredentialsFromSecret + or RootCredentialsFromRandomSecret can be specified. When using + randomSecret a username must be specified in the spec.username + password: Specifies the password to use when connecting with + the username. This value will not be returned by Vault when + performing a read upon the configuration. This is typically + used in the connection_url field via the templating directive + "{{"password"}}"".' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + secret: + description: 'Secret retrieves the credentials from a Kubernetes + secret. The secret must be of basicauth type (https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret). + This will map the "username" and "password" keys of the secret + to the username and password of this config. If the kubernetes + secret is updated, this configuration will also be updated. + All other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. + This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". 
If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + usernameKey: + default: username + description: UsernameKey key to be used when retrieving the username, + optional with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + vaultSecret: + description: 'VaultSecret retrieves the credentials from a Vault + secret. This will map the "username" and "password" keys of + the secret to the username and password of this config. All + other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. + This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". 
If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + path: + description: Path is the path to the secret + type: string + type: object + type: object + url: + description: url Specifies the location of the Quay instance + type: string + type: object + status: + description: QuaySecretEngineConfigStatus defines the observed state of + QuaySecretEngineConfig + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_quaysecretengineroles.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_quaysecretengineroles.yaml new file mode 100644 index 00000000000..70b4c4ebd0f --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_quaysecretengineroles.yaml 
@@ -0,0 +1,266 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: quaysecretengineroles.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: QuaySecretEngineRole + listKind: QuaySecretEngineRoleList + plural: quaysecretengineroles + singular: quaysecretenginerole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: QuaySecretEngineRole is the Schema for the quaysecretengineroles + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: QuaySecretEngineRoleSpec defines the desired state of QuaySecretEngineRole + properties: + TTL: + description: TTL Time-to-Live for the credential + type: string + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. 
The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. 
+ type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + createRepositories: + default: false + description: CreateRepositories Access to create Quay repositories. + type: boolean + defaultPermission: + description: DefaultPermission Permissions granted to the Robot Account + in newly created repositories + enum: + - admin + - read + - write + type: string + maxTTL: + description: MaxTTL Maximum Time-to-Live for the credential + type: string + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + namespaceName: + description: NamespaceName Name of the Quay account. + type: string + namespaceType: + default: organization + description: NamespaceType Type of account namespace to manage. + enum: + - organization + - user + type: string + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + repositories: + additionalProperties: + enum: + - admin + - read + - write + type: string + description: Teams Permissions granted to the Robot Account to Repositories. + type: object + teams: + additionalProperties: + enum: + - admin + - creator + - member + type: string + description: Teams Permissions granted to the Robot Account to Teams. + type: object + type: object + status: + description: QuaySecretEngineRoleStatus defines the observed state of + QuaySecretEngineRole + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. 
For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_quaysecretenginestaticroles.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_quaysecretenginestaticroles.yaml new file mode 100644 index 00000000000..840f734bfec --- /dev/null 
+++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_quaysecretenginestaticroles.yaml 
@@ -0,0 +1,261 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: quaysecretenginestaticroles.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: QuaySecretEngineStaticRole + listKind: QuaySecretEngineStaticRoleList + plural: quaysecretenginestaticroles + singular: quaysecretenginestaticrole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: QuaySecretEngineStaticRole is the Schema for the quaysecretenginestaticroles + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: QuaySecretEngineStaticRoleSpec defines the desired state + of QuaySecretEngineStaticRole + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. 
The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. 
+ type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + createRepositories: + default: false + description: CreateRepositories Access to create Quay repositories. + type: boolean + defaultPermission: + description: DefaultPermission Permissions granted to the Robot Account + in newly created repositories + enum: + - admin + - read + - write + type: string + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + namespaceName: + description: NamespaceName Name of the Quay account. + type: string + namespaceType: + default: organization + description: NamespaceType Type of account namespace to manage. + enum: + - organization + - user + type: string + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/{spec.path}/static-roles/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + repositories: + additionalProperties: + enum: + - admin + - read + - write + type: string + description: Teams Permissions granted to the Robot Account to Repositories. 
+ type: object + teams: + additionalProperties: + enum: + - admin + - creator + - member + type: string + description: Teams Permissions granted to the Robot Account to Teams. + type: object + type: object + status: + description: QuaySecretEngineStaticRoleStatus defines the observed state + of QuaySecretEngineStaticRole + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_rabbitmqsecretengineconfigs.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_rabbitmqsecretengineconfigs.yaml new file mode 100644 index 00000000000..724236e75b0 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_rabbitmqsecretengineconfigs.yaml 
@@ -0,0 +1,341 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: rabbitmqsecretengineconfigs.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: RabbitMQSecretEngineConfig + listKind: RabbitMQSecretEngineConfigList + plural: rabbitmqsecretengineconfigs + singular: rabbitmqsecretengineconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RabbitMQSecretEngineConfig is the Schema for the rabbitmqsecretengineconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RabbitMQSecretEngineConfigSpec defines the desired state + of RabbitMQSecretEngineConfig + properties: + authentication: + description: Authentication is the k8s auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. 
The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. 
+ type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + connectionURI: + description: ConnectionURL Specifies the connection string used to + connect to the RabbitMQ cluster. + pattern: ^(http|https):\/\/.+$ + type: string + leaseMaxTTL: + description: Lease maximum TTL for generated credentials in seconds. + type: integer + leaseTTL: + description: Lease TTL for generated credentials in seconds. + type: integer + passwordPolicy: + description: PasswordPolicy The name of the password policy to use + when generating passwords for this engine. Defaults to generating + an alphanumeric password if not set. + type: string + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/{spec.path}/{metadata.name}/config/connection. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + rootCredentials: + description: RootCredentials specifies how to retrieve the credentials + for this RabbitMQEngine connection. 
+ properties: + passwordKey: + default: password + description: PasswordKey key to be used when retrieving the password, + required with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + randomSecret: + description: 'RandomSecret retrieves the credentials from the + Vault secret corresponding to this RandomSecret. This will map + the "username" and "password" keys of the secret to the username + and password of this config. All other keys will be ignored. + If the RandomSecret is refreshed the operator retrieves the + new secret from Vault and updates this configuration. Only one + of RootCredentialsFromVaultSecret or RootCredentialsFromSecret + or RootCredentialsFromRandomSecret can be specified. When using + randomSecret a username must be specified in the spec.username + password: Specifies the password to use when connecting with + the username. This value will not be returned by Vault when + performing a read upon the configuration. This is typically + used in the connection_url field via the templating directive + "{{"password"}}"".' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + secret: + description: 'Secret retrieves the credentials from a Kubernetes + secret. The secret must be of basicauth type (https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret). + This will map the "username" and "password" keys of the secret + to the username and password of this config. If the kubernetes + secret is updated, this configuration will also be updated. + All other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. 
username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. + This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + usernameKey: + default: username + description: UsernameKey key to be used when retrieving the username, + optional with VaultSecrets and Kubernetes secrets, ignored with + RandomSecret + type: string + vaultSecret: + description: 'VaultSecret retrieves the credentials from a Vault + secret. This will map the "username" and "password" keys of + the secret to the username and password of this config. All + other keys will be ignored. Only one of RootCredentialsFromVaultSecret + or RootCredentialsFromSecret or RootCredentialsFromRandomSecret + can be specified. username: Specifies the name of the user to + use as the "root" user when connecting to the database. This + "root" user is used to create/update/delete users managed by + these plugins, so you will need to ensure that this user has + permissions to manipulate users appropriate to the database. 
+ This is typically used in the connection_url field via the templating + directive "{{"username"}}" or "{{"name"}}". password: Specifies + the password to use when connecting with the username. This + value will not be returned by Vault when performing a read upon + the configuration. This is typically used in the connection_url + field via the templating directive "{{"password"}}". If username + is provided as spec.username, it takes precedence over the username + retrieved from the referenced secret' + properties: + path: + description: Path is the path to the secret + type: string + type: object + type: object + username: + description: Username Specifies the name of the user to use as the + "administrator" user when connecting to the RabbitMQ cluster. This + "administrator" user is used to create/update/delete users, so you + will need to ensure that this user has permissions to manipulate + users. If management plugin is used, this user need to have "administrator" + tag, no additional permissions necessary. If username is provided + it takes precedence over the username retrieved from the referenced + secrets + type: string + usernameTemplate: + description: UsernameTemplate Vault username template describing how + dynamic usernames are generated. + type: string + verifyConnection: + description: VerifyConnection Specifies if the connection is verified + during initial configuration. Defaults to true. + type: boolean + type: object + status: + description: RabbitMQSecretEngineConfigStatus defines the observed state + of RabbitMQSecretEngineConfig + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_rabbitmqsecretengineroles.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_rabbitmqsecretengineroles.yaml new file mode 100644 index 00000000000..5ed69b66338 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_rabbitmqsecretengineroles.yaml 
@@ -0,0 +1,282 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: rabbitmqsecretengineroles.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: RabbitMQSecretEngineRole + listKind: RabbitMQSecretEngineRoleList + plural: rabbitmqsecretengineroles + singular: rabbitmqsecretenginerole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RabbitMQSecretEngineRole is the Schema for the rabbitmqsecretengineroles + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RabbitMQSecretEngineRoleSpec defines the desired state of + RabbitMQSecretEngineRole + properties: + authentication: + description: Authentication is the k8s auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. 
the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + path: + description: Path at which to make the configuration. The final path + in Vault will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + tags: + description: Comma-separated RabbitMQ permissions tags to associate + with the user. This determines the level of access to the RabbitMQ + management UI granted to the user. Omitting this field will lead + to a user than can still connect to the cluster through messaging + protocols, but cannot perform any management actions. + type: string + vhostTopics: + description: This option requires RabbitMQ 3.7.0 or later. + items: + properties: + topics: + description: List of topics to provide + items: + properties: + permissions: + description: Permissions to grant to the user in the specific + vhost + properties: + configure: + type: string + read: + type: string + write: + type: string + type: object + topicName: + description: Name of an existing topic. 
+ type: string + type: object + type: array + x-kubernetes-list-type: atomic + vhostName: + description: Name of an existing vhost. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + vhosts: + items: + properties: + permissions: + description: Permissions to grant to the user in the specific + vhost. + properties: + configure: + type: string + read: + type: string + write: + type: string + type: object + vhostName: + description: Name of an existing vhost. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + required: + - authentication + - path + type: object + status: + description: RabbitMQSecretEngineRoleStatus defines the observed state + of RabbitMQSecretEngineRole + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_randomsecrets.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_randomsecrets.yaml new file mode 100644 index 00000000000..937813dfc3e --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_randomsecrets.yaml 
@@ -0,0 +1,264 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: randomsecrets.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: RandomSecret + listKind: RandomSecretList + plural: randomsecrets + singular: randomsecret + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RandomSecret is the Schema for the randomsecrets API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RandomSecretSpec defines the desired state of RandomSecret + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. 
the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + isKVSecretsEngineV2: + default: false + description: IsKVSecretsEngineV2 indicates if the KV Secrets engine + is V2 or not. Default is false to indicate the payload to send is + for KV Secret Engine V1. + type: boolean + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + path: + description: Path at which to create the secret. The final path in + Vault will be {[spec.authentication.namespace]}/{spec.path}/{metadata.name}. + If IsKVSecretsEngineV2 is false, the authentication role must have + the following capabilities = [ "create", "update", "delete"] on + the {[spec.authentication.namespace]}/{spec.path}/{metadata.name} + path. If IsKVSecretsEngineV2 is true, the authentication role must + have the following capabilities = [ "create", "update"] on the {[spec.authentication.namespace]}/{spec.path}/data/{metadata.name} + path and capabilities = [ "delete"] on the {[spec.authentication.namespace]}/{spec.path}/metadata/{metadata.name} + path. Additionally, if IsKVSecretsEngineV2 is true, it is acceptable + for this value to have a suffix of "/data" or not. This suffix is + no longer needed but still supported for backwards compatibility. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + refreshPeriod: + description: RefreshPeriod if specified, the operator will refresh + the secret with the given frequency. This will also set the ttl + of the secret which provides a hint for how often consumers should + check back for a new value when reading the secret's lease_duration. + type: string + secretFormat: + description: SecretFormat specifies a map of key and password policies + used to generate random values + properties: + inlinePasswordPolicy: + description: InlinePasswordPolicy is an inline password policy + specified using Vault password policy syntax (https://www.vaultproject.io/docs/concepts/password-policies#password-policy-syntax) + Only one of PasswordPolicyName or InlinePasswordPolicy can be + specified + type: string + passwordPolicyName: + description: PasswordPolicyName a ref to a password policy defined + in Vault. Notice that in order to use this, the Vault role you + use needs the following capabilities = ["read"] on /sys/policy/password. + Only one of PasswordPolicyName or InlinePasswordPolicy can be + specified + type: string + type: object + secretKey: + description: SecretKey is the key to be used for this secret when + stored in Vault kv + type: string + type: object + status: + description: RandomSecretStatus defines the observed state of RandomSecret + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastVaultSecretUpdate: + description: LastVaultSecretUpdate last time when this secret was + updated in Vault + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_secretenginemounts.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_secretenginemounts.yaml new file mode 100644 index 00000000000..9d0c3a73227 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_secretenginemounts.yaml 
@@ -0,0 +1,306 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: secretenginemounts.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: SecretEngineMount + listKind: SecretEngineMountList + plural: secretenginemounts + singular: secretenginemount + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SecretEngineMount is the Schema for the secretenginemounts API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SecretEngineMountSpec defines the desired state of SecretEngineMount + properties: + authentication: + description: Authentication is the kube auth configuration to be used + to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used in all + the operations withing this connection/authentication. Only + available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this kube auth + authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used for the + kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + config: + description: Specifies configuration options for this mount; if set + on a specific mount, values will override any global defaults (e.g. + the system TTL/Max TTL) + properties: + allowedResponseHeaders: + description: AllowedResponseHeaders list of headers to whitelist, + allowing a plugin to include them in the response. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + auditNonHMACRequestKeys: + description: AuditNonHMACRequestKeys list of keys that will not + be HMAC'd by audit devices in the request data object. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + auditNonHMACResponseKeys: + description: AuditNonHMACResponseKeys list of keys that will not + be HMAC'd by audit devices in the response data object. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + defaultLeaseTTL: + description: DefaultLeaseTTL The default lease duration, specified + as a string duration like "5s" or "30m". + type: string + forceNoCache: + default: false + description: ForceNoCache Disable caching. + type: boolean + listingVisibility: + default: hidden + description: ListingVisibility Specifies whether to show this + mount in the UI-specific listing endpoint. Valid values are + "unauth" or "hidden". 
If not set, behaves like "hidden" + enum: + - unauth + - hidden + type: string + maxLeaseTTL: + description: MaxLeaseTTL The maximum lease duration, specified + as a string duration like "5s" or "30m". + type: string + passthroughRequestHeaders: + description: PassthroughRequestHeaders list of headers to whitelist + and pass from the request to the plugin. kubebuilder:validation:UniqueItems=true + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + connection: + description: Connection represents the information needed to connect + to Vault. This operator uses the standard Vault environment variables + to connect to Vault. If you need to override those settings and + for example connect to a different Vault instance, you can do with + this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed as + a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three total + attempts. Set this to 0 or less to disable retrying. Error codes + that are retried are 412 (client consistency requirement not + satisfied) and all 5xx except for 501 (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate file + on the local disk. This file is used to verify the Vault + server's SSL certificate. This environment variable takes + precedence over a cert passed via the secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented certificate + before communicating with it. Setting this variable is not + recommended and voids Vault's security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. 
the expected keys for + the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", + key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host when + connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value is 60s. + type: string + type: object + description: + description: Description Specifies the human-friendly description + of the mount. + type: string + externalEntropyAccess: + default: false + description: ExternalEntropyAccess Enable the secrets engine to access + Vault's external entropy source. + type: boolean + local: + default: false + description: Local Specifies if the secrets engine is a local mount + only. Local mounts are not replicated nor (if a secondary) removed + by replication. + type: boolean + name: + description: The name of the obejct created in Vault. If this is specified + it takes precedence over {metatada.name} + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + options: + additionalProperties: + type: string + description: Options Specifies mount type specific options that are + passed to the backend. + type: object + x-kubernetes-map-type: granular + path: + description: Path at which this secret engine will be available The + final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/{metadata.name}. + The authentication role must have the following capabilities = [ + "create", "read", "update", "delete"] on that path /sys/mounts/{[spec.authentication.namespace]}/{spec.path}/{metadata.name}. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + sealWrap: + default: false + description: SealWrap Enable seal wrapping for the mount, causing + values stored by the mount to be wrapped by the seal's encryption + capability. + type: boolean + type: + description: Type Specifies the type of the backend, such as "aws". + type: string + type: object + status: + description: SecretEngineMountStatus defines the observed state of SecretEngineMount + properties: + accessor: + type: string + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_vaultsecrets.yaml b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_vaultsecrets.yaml new file mode 100644 index 00000000000..c51fde9ccd5 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/redhatcop.redhat.io_vaultsecrets.yaml 
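Review bot: The `pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?` on `spec.path` and `spec.authentication.path` has no closing `$` and its repeated group can match the empty string, so it accepts every input and validates nothing; inside the character class `\$-\.` is also parsed as a range from `$` to `.`, which quietly admits `%`, `'`, `(`, `)`, `*` and `,`, and the `name` pattern `'[a-z0-9]([-a-z0-9]*[a-z0-9])?'` is unanchored, so any value containing a single lowercase letter or digit passes. These values are spliced into Vault API paths (the `path` description itself spells out `{[spec.authentication.namespace]}/{spec.path}/{metadata.name}`), so the schema should be the first filter: anchor both and list the punctuation literally, e.g. `pattern: ^(?:/?[\w;:@&=$.+-]+)+/?$` for the path fields and `pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` for `name`. The same patterns recur in the vaultsecrets CRD below and in the randomsecrets CRD whose hunk begins before this view; since these files are controller-gen output, the fix belongs on the `+kubebuilder:validation:Pattern` markers in the Go types rather than in the generated YAML.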
@@ -0,0 +1,321 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: vaultsecrets.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: VaultSecret + listKind: VaultSecretList + plural: vaultsecrets + singular: vaultsecret + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: VaultSecret is the Schema for the vaultsecrets API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VaultSecretSpec defines the desired state of VaultSecret + properties: + output: + description: TemplatizedK8sSecret is the formatted K8s Secret created + by templating from the Vault KV secrets. + properties: + annotations: + additionalProperties: + type: string + description: Annotations are annotations to add to the final K8s + Secret. + type: object + labels: + additionalProperties: + type: string + description: Labels are labels to add to the final K8s Secret. + type: object + name: + description: Name is the K8s Secret name to output to. 
+ type: string + stringData: + additionalProperties: + type: string + description: StringData is the K8s Secret stringData and allows + specifying non-binary secret data in string form with go templating + support to transform the Vault KV secrets into a formatted K8s + Secret. The Sprig template library and Helm functions (like + toYaml) are supported. + type: object + type: + description: Type is the K8s Secret type to output to. + type: string + type: object + refreshPeriod: + description: RefreshPeriod if specified, the operator will refresh + the secret with the given frequency. This takes precedence over + any vault secret lease duration and can be used to force a refresh. + type: string + refreshThreshold: + default: 90 + description: RefreshThreshold if specified, will instruct the operator + to refresh when a percentage of the lease duration is met when there + is no RefreshPeriod specified. This is particularly useful for controlling + when dynamic secrets should be refreshed before the lease duration + is exceeded. The default is 90, meaning the secret would refresh + after 90% of the time has passed from the vault secret's lease duration. + type: integer + vaultSecretDefinitions: + description: VaultSecretDefinitions are the secrets in Vault. + items: + properties: + authentication: + description: Authentication is the kube auth configuraiton to + be used to execute this request + properties: + namespace: + description: Namespace is the Vault namespace to be used + in all the operations withing this connection/authentication. + Only available in Vault Enterprise. + type: string + path: + default: kubernetes + description: Path is the path of the role used for this + kube auth authentication. The operator will try to authenticate + at {[namespace/]}auth/{spec.path} + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? 
+ type: string + role: + description: Role the role to be used during authentication + type: string + serviceAccount: + default: + name: default + description: ServiceAccount is the service account used + for the kube auth authentication + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + connection: + description: Connection represents the information needed to + connect to Vault. This operator uses the standard Vault environment + variables to connect to Vault. If you need to override those + settings and for example connect to a different Vault instance, + you can do with this section of the CR. + properties: + address: + description: 'Address Address of the Vault server expressed + as a URL and port, for example: https://127.0.0.1:8200/' + type: string + maxRetries: + description: MaxRetries Maximum number of retries when certain + error codes are encountered. The default is 2, for three + total attempts. Set this to 0 or less to disable retrying. + Error codes that are retried are 412 (client consistency + requirement not satisfied) and all 5xx except for 501 + (not implemented). + type: integer + tLSConfig: + properties: + cacert: + description: Cacert Path to a PEM-encoded CA certificate + file on the local disk. This file is used to verify + the Vault server's SSL certificate. This environment + variable takes precedence over a cert passed via the + secret. + type: string + skipVerify: + description: SkipVerify Do not verify Vault's presented + certificate before communicating with it. Setting + this variable is not recommended and voids Vault's + security model. + type: boolean + tlsSecret: + description: 'TLSSecret namespace-local secret containing + the tls material for the connection. 
the expected + keys for the secret are: ca bundle -> "ca.crt", certificate + -> "tls.crt", key -> "tls.key"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + tlsServerName: + description: TLSServerName Name to use as the SNI host + when connecting via TLS. + type: string + type: object + timeOut: + description: Timeout Timeout variable. The default value + is 60s. + type: string + type: object + name: + description: Name is an arbitrary, but unique, name for this + KV Vault secret and referenced when templating. + type: string + path: + default: kubernetes + description: Path is the path of the secret. + pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/? + type: string + requestPayload: + additionalProperties: + type: string + description: RequestPayload for POST type of requests, this + field contains the payload of the request. Not used for GET + requests. + type: object + requestType: + default: GET + description: RequestType the type of request needed to retrieve + a secret. Normally a GET, but some secret engnes require a + POST. + enum: + - GET + - POST + type: string + type: object + type: array + type: object + status: + description: VaultSecretStatus defines the observed state of VaultSecret + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastVaultSecretUpdate: + description: LastVaultSecretUpdate the last time when this secret + was updated from Vault + format: date-time + type: string + nextVaultSecretUpdate: + description: NextVaultSecretUpdate the next time when this secret + will be synced with Vault. If nil, it will not be refreshed. + format: date-time + type: string + vaultSecretDefinitionsStatus: + description: VaultSecretDefinitionsStatus information used to determine + if the secret should be rereconciled + items: + properties: + lease_duration: + description: LeaseDuration is the time until the secret should + be read in again, thus recreating the k8s Secret + type: integer + lease_id: + description: LeaseID is the id of a lease, this denotes the + secret is dynamic + type: string + name: + description: Name is an arbitrary, but unique, name for this + KV Vault secret and referenced when templating. + type: string + renewable: + description: Renewable informs if the lease is renewable for + the dynamic secret + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
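Review bot: `vaultSecretDefinitions[].path` carries `default: kubernetes` although its description is "Path is the path of the secret"; that default looks copied from `authentication.path`, and it means a definition that omits `path` is admitted and then read from a Vault path literally named `kubernetes` instead of being rejected. Dropping the default and making the item fields mandatory, `required: [name, path]`, lets a mis-specified secret source fail at admission rather than at sync time. `refreshThreshold` is described as a percentage of the lease duration but has no bounds; something like `minimum: 1` and `maximum: 100` would reject nonsense values up front. As with the other CRDs, these are controller-gen artefacts, so the markers in the Go types are the place to change.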
diff --git a/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-controller-manager-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-controller-manager-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml new file mode 100644 index 00000000000..229d0d474b4 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-controller-manager-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml @@ -0,0 +1,22 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + control-plane: vault-config-operator + name: vault-config-operator-controller-manager-metrics-monitor +spec: + endpoints: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + interval: 30s + port: https + scheme: https + tlsConfig: + ca: + secret: + key: tls.crt + name: vault-config-operator-certs + optional: false + serverName: vault-config-operator-controller-manager-metrics-service.vault-config-operator.svc + selector: + matchLabels: + control-plane: vault-config-operator diff --git a/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-controller-manager-metrics-service_v1_service.yaml b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-controller-manager-metrics-service_v1_service.yaml new file mode 100644 index 00000000000..ba43a2af120 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-controller-manager-metrics-service_v1_service.yaml 
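Review bot: `serverName: vault-config-operator-controller-manager-metrics-service.vault-config-operator.svc` pins the scrape to the `vault-config-operator` namespace; an install into any other namespace receives a serving certificate issued for `<service>.<that-namespace>.svc`, so TLS verification fails and metrics silently stop (it fails closed, but nobody is told). `tlsConfig.ca` also trusts the serving secret's own `tls.crt`, i.e. the rotating leaf, rather than the issuing CA; on OpenShift the signer can be obtained from a ConfigMap annotated `service.beta.openshift.io/inject-cabundle: "true"` and referenced through `tlsConfig.ca.configMap` with key `service-ca.crt`, which survives certificate rotation. If the bundle genuinely fixes the operator namespace, say so next to the field, e.g. `# must match the install namespace: the serving cert SAN is <svc>.<ns>.svc`.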
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + service.alpha.openshift.io/serving-cert-secret-name: vault-config-operator-certs + creationTimestamp: null + labels: + control-plane: vault-config-operator + name: vault-config-operator-controller-manager-metrics-service +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: vault-config-operator +status: + loadBalancer: {} diff --git a/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-manager-config_v1_configmap.yaml b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-manager-config_v1_configmap.yaml new file mode 100644 index 00000000000..f57658a8a0b --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-manager-config_v1_configmap.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 3d7d3a62.redhat.io +kind: ConfigMap +metadata: + name: vault-config-operator-manager-config diff --git a/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 00000000000..a9b2d150b01 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -0,0 +1,10 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: vault-config-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get 
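Review bot: The serving-cert request uses the legacy `service.alpha.openshift.io/serving-cert-secret-name` annotation; the form documented for current OpenShift releases is `service.beta.openshift.io/serving-cert-secret-name`, and while the alpha spelling is, to my knowledge, still honoured, the supported one is the safer choice: `service.beta.openshift.io/serving-cert-secret-name: vault-config-operator-certs`. The secret name matches the ServiceMonitor's `tlsConfig.ca.secret.name` above, so nothing else needs to follow.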
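Review bot: Nothing in the visible hunks binds `vault-config-operator-metrics-reader` to any subject; the only RoleBinding in this bundle grants `prometheus-k8s` the namespaced discovery Role, not this ClusterRole. The metrics Service targets port `https` while the manager ConfigMap binds metrics to `127.0.0.1:8080`, which suggests an authenticating proxy in front of the endpoint (its Deployment is outside this view); if that proxy authorizes scrapes with a SubjectAccessReview on `/metrics`, the scraping service account needs a ClusterRoleBinding to this role or an equivalent grant. Cluster monitoring's scraper may already hold that permission on OpenShift, but that is not something this bundle can assume, so either add the binding or state in the CSV description that the cluster admin is expected to create it.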
diff --git a/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-prometheus-k8s_rbac.authorization.k8s.io_v1_role.yaml b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-prometheus-k8s_rbac.authorization.k8s.io_v1_role.yaml new file mode 100644 index 00000000000..f4e86d3c5dc --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-prometheus-k8s_rbac.authorization.k8s.io_v1_role.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: vault-config-operator-prometheus-k8s +rules: +- apiGroups: + - "" + resources: + - endpoints + - pods + - services + verbs: + - get + - list + - watch diff --git a/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-prometheus-k8s_rbac.authorization.k8s.io_v1_rolebinding.yaml b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-prometheus-k8s_rbac.authorization.k8s.io_v1_rolebinding.yaml new file mode 100644 index 00000000000..a3e30e65635 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-prometheus-k8s_rbac.authorization.k8s.io_v1_rolebinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: vault-config-operator-prometheus-k8s +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: vault-config-operator-prometheus-k8s +subjects: +- kind: ServiceAccount + name: prometheus-k8s + namespace: openshift-monitoring diff --git a/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-webhook-service_v1_service.yaml b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-webhook-service_v1_service.yaml new file mode 100644 index 00000000000..9ec33d265c0 --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator-webhook-service_v1_service.yaml 
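Review bot: The sole subject is `prometheus-k8s` in `openshift-monitoring`, which ties the bundle's monitoring to OpenShift's cluster-monitoring stack; whether that instance scrapes the operator namespace at all, and whether it (or user-workload monitoring's `prometheus-user-workload` in `openshift-user-workload-monitoring`) already holds cluster-wide discovery rights that make the preceding Role redundant, depends on the target cluster's configuration and is not visible here. On a non-OpenShift cluster the subject does not exist and the binding is inert, which is harmless but confusing for anyone auditing RBAC. A one-line note in the CSV description naming the expected monitoring stack and which subject to adjust would make the intent auditable.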
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + name: vault-config-operator-webhook-service +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: vault-config-operator +status: + loadBalancer: {} diff --git a/operators/vault-config-operator/0.8.25/manifests/vault-config-operator.clusterserviceversion.yaml b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator.clusterserviceversion.yaml new file mode 100644 index 00000000000..bfe64285b0e --- /dev/null +++ b/operators/vault-config-operator/0.8.25/manifests/vault-config-operator.clusterserviceversion.yaml 
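Review bot: Unlike the metrics Service, the webhook Service carries no `service.alpha.openshift.io/serving-cert-secret-name` annotation, so the TLS material for port 9443 has to come from elsewhere; presumably OLM provisions it from the CSV's webhook definitions, but that hunk (`vault-config-operator.clusterserviceversion.yaml`, starting below) runs past this view and I cannot confirm it. `targetPort: 9443` does line up with `webhook.port: 9443` in the manager ConfigMap above. If OLM is indeed the certificate source, a comment on the Service such as `# TLS for 9443 is provisioned by OLM from the CSV webhookdefinitions` would save the next reviewer the same check.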
@@ -0,0 +1,2708 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "AuthEngineMount", + "metadata": { + "name": "authenginemount-sample" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "policy-admin" + }, + "path": "kube-authengine-mount-sample", + "type": "kubernetes" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "DatabaseSecretEngineConfig", + "metadata": { + "name": "my-postgresql-database" + }, + "spec": { + "allowedRoles": [ + "read-only" + ], + "authentication": { + "path": "kubernetes", + "role": "database-engine-admin" + }, + "connectionURL": "postgresql://{{username}}:{{password}}@my-postgresql-database.test-vault-config-operator.svc:5432", + "path": "test-vault-config-operator/database", + "pluginName": "postgresql-database-plugin", + "rootCredentials": { + "passwordKey": "postgresql-password", + "secret": { + "name": "postgresql-admin-password" + } + }, + "username": "postgres" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "DatabaseSecretEngineRole", + "metadata": { + "name": "read-only" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "database-engine-admin" + }, + "creationStatements": [ + "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" + ], + "dBName": "my-postgresql-database", + "defaultTTL": "1h", + "maxTTL": "24h", + "path": "test-vault-config-operator/database" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "DatabaseSecretEngineStaticRole", + "metadata": { + "labels": { + "app.kubernetes.io/created-by": "vault-config-operator", + "app.kubernetes.io/instance": "databasesecretenginestaticrole-sample", + "app.kubernetes.io/managed-by": "kustomize", + "app.kubernetes.io/name": 
"databasesecretenginestaticrole", + "app.kubernetes.io/part-of": "vault-config-operator" + }, + "name": "databasesecretenginestaticrole-sample" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "database-engine-admin" + }, + "dBName": "db-name", + "path": "test-vault-config-operator/database", + "rotationPeriod": "24h", + "rotationStatements": [ + "ALTER ROLE \"{{name}}\" WITH PASSWORD '{{password}}';git add" + ], + "username": "db-user" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "GitHubSecretEngineConfig", + "metadata": { + "name": "githubsecretengineconfig-sample" + }, + "spec": null + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "GitHubSecretEngineRole", + "metadata": { + "name": "githubsecretenginerole-sample" + }, + "spec": null + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "Group", + "metadata": { + "labels": { + "app.kubernetes.io/created-by": "vault-config-operator", + "app.kubernetes.io/instance": "group-sample", + "app.kubernetes.io/managed-by": "kustomize", + "app.kubernetes.io/name": "group", + "app.kubernetes.io/part-of": "vault-config-operator" + }, + "name": "group-sample" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "policy-admin" + }, + "metadata": { + "team": "team-abc" + }, + "policies": [ + "team-abc-access" + ], + "type": "external" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "GroupAlias", + "metadata": { + "labels": { + "app.kubernetes.io/created-by": "vault-config-operator", + "app.kubernetes.io/instance": "groupalias-sample", + "app.kubernetes.io/managed-by": "kustomize", + "app.kubernetes.io/name": "groupalias", + "app.kubernetes.io/part-of": "vault-config-operator" + }, + "name": "groupalias-sample" + }, + "spec": { + "authEngineMountPath": "kubernetes", + "authentication": { + "path": "kubernetes", + "role": "policy-admin" + }, + "groupName": "group-sample" + } + }, + { + "apiVersion": 
"redhatcop.redhat.io/v1alpha1", + "kind": "JWTOIDCAuthEngineConfig", + "metadata": { + "name": "azure-oidc-config" + }, + "spec": { + "OIDCClientID": "000000000-0000-0000-0000-000000000", + "OIDCCredentials": { + "passwordKey": "oidc_client_secret", + "secret": { + "name": "oidccredentials" + }, + "usernameKey": "oidc_client_id" + }, + "OIDCDiscoveryURL": "https://login.microsoftonline.com/000000000-0000-0000-0000-000000000/v2.0", + "authentication": { + "path": "kubernetes", + "role": "policy-admin" + }, + "path": "oidc/azuread-oidc/" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "JWTOIDCAuthEngineRole", + "metadata": { + "name": "azure-oidc-dev-role" + }, + "spec": { + "OIDCScopes": [ + "https://graph.microsoft.com/.default" + ], + "allowedRedirectURIs": [ + "http://localhost:8250/oidc/callback", + "http://localhost:8200/ui/vault/auth/oidc/azuread-oidc/oidc/callback" + ], + "authentication": { + "path": "kubernetes", + "role": "policy-admin" + }, + "groupsClaim": "groups", + "name": "dev-role", + "path": "oidc-aad/azuread-oidc", + "roleType": "oidc", + "tokenPolicies": [ + "dev", + "prod" + ], + "userClaim": "email" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "KubernetesAuthEngineConfig", + "metadata": { + "name": "kubernetesauthengineconfig-sample" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "policy-admin" + }, + "path": "kube-authengine-mount-sample" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "KubernetesAuthEngineRole", + "metadata": { + "name": "database-engine-admin" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "policy-admin" + }, + "path": "kubernetes", + "policies": [ + "database-engine-admin" + ], + "targetNamespaces": { + "targetNamespaceSelector": { + "matchLabels": { + "database-engine-admin": "true" + } + } + } + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "KubernetesSecretEngineConfig", + 
"metadata": { + "name": "kubernetessecretengineconfig-sample" + }, + "spec": null + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "KubernetesSecretEngineRole", + "metadata": { + "name": "kubernetessecretenginerole-sample" + }, + "spec": null + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "LDAPAuthEngineConfig", + "metadata": { + "name": "ldapauthengineconfig-sample" + }, + "spec": null + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "LDAPAuthEngineGroup", + "metadata": { + "name": "ldapauthenginegroup-sample" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "policy-admin", + "serviceAccount": { + "name": "default" + } + }, + "name": "test-group", + "path": "ldap/test" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "PKISecretEngineConfig", + "metadata": { + "name": "pkisecretengineconfig-sample" + }, + "spec": { + "TTL": "8760h", + "authentication": { + "path": "kubernetes", + "role": "policy-admin" + }, + "commonName": "pki-vault-demo.internal.io", + "crlDistributionPoints": [ + "https://vault-internal.vault.svc:8200/v1/test-vault-config-operator/pki/crl\"" + ], + "issuingCertificates": [ + "https://vault-internal.vault.svc:8200/v1/test-vault-config-operator/pki/ca" + ], + "path": "test-vault-config-operator/pki", + "privateKeyType": "internal", + "type": "root" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "PKISecretEngineRole", + "metadata": { + "name": "pkisecretenginerole-sample" + }, + "spec": { + "allowGlobDomains": true, + "allowSubdomains": true, + "allowedDomains": [ + "internal.io", + "pki-vault-demo.svc", + "example.com" + ], + "allowedOtherSans": "*", + "allowedURISans": [ + "*-pki-vault-demo.apps.example.com" + ], + "authentication": { + "path": "kubernetes", + "role": "policy-admin" + }, + "maxTTL": "8760h", + "path": "test-vault-config-operator/pki" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": 
"PasswordPolicy", + "metadata": { + "name": "simple-password-policy" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "policy-admin" + }, + "passwordPolicy": "length = 20\nrule \"charset\" {\n charset = \"abcdefghijklmnopqrstuvwxyz\"\n}\n" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "Policy", + "metadata": { + "name": "database-engine-admin" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "policy-admin" + }, + "policy": "# mount database secrets engines\npath \"/sys/mounts/{{identity.entity.aliases.${auth/kubernetes/@accessor}.metadata.service_account_namespace}}/database\" {\n capabilities = [ \"create\", \"read\", \"update\", \"delete\"]\n allowed_parameters = {\n \"type\" = [\"database\"]\n \"*\" = []\n }\n}\n\n# tune database secrets engines\npath \"/sys/mounts/{{identity.entity.aliases.${auth/kubernetes/@accessor}.metadata.service_account_namespace}}/database/tune\" {\n capabilities = [ \"create\", \"read\", \"update\", \"delete\"]\n}\n\n# Configure database secrets engines\npath \"/{{identity.entity.aliases.${auth/kubernetes/@accessor}.metadata.service_account_namespace}}/database/config/+\" {\n capabilities = [ \"create\", \"read\", \"update\", \"delete\"]\n}\n\n# Configure database roles\npath \"/{{identity.entity.aliases.${auth/kubernetes/@accessor}.metadata.service_account_namespace}}/database/roles/+\" {\n capabilities = [ \"create\", \"read\", \"update\", \"delete\"]\n}\n" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "QuaySecretEngineConfig", + "metadata": { + "name": "quaysecretengineconfig-sample" + }, + "spec": { + "foo": "bar" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "QuaySecretEngineRole", + "metadata": { + "name": "quaysecretenginerole-sample" + }, + "spec": { + "foo": "bar" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "QuaySecretEngineStaticRole", + "metadata": { + "name": 
"quaysecretenginestaticrole-sample" + }, + "spec": { + "foo": "bar" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "RabbitMQSecretEngineConfig", + "metadata": { + "name": "rabbitmqsecretengineconfig-sample" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "rabbitMQ-engine-admin" + }, + "connectionURI": "https://test.com", + "leaseMaxTTL": 86400, + "leaseTTL": 86400, + "path": "vault-config-operator/rabbitmq" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "RabbitMQSecretEngineRole", + "metadata": { + "name": "rabbitmqsecretenginerole-sample" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "rabbitmq-engine-admin" + }, + "path": "vault-config-operator/rabbitmq", + "tags": "administrator", + "vhostTopics": [ + { + "topics": [ + { + "permissions": { + "configure": ".*", + "read": ".*", + "write": ".*" + }, + "topicName": "my-topic" + }, + { + "permissions": { + "read": ".*" + }, + "topicName": "my-read-topic" + } + ], + "vhostName": "/" + } + ], + "vhosts": [ + { + "permissions": { + "configure": ".*", + "read": ".*", + "write": ".*" + }, + "vhostName": "/" + }, + { + "permissions": { + "read": "my-queue", + "write": "my-exchange" + }, + "vhostName": "my-vhost" + } + ] + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "RandomSecret", + "metadata": { + "name": "randomsecret-password" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "secret-writer" + }, + "path": "test-vault-config-operator/kv", + "secretFormat": { + "passwordPolicyName": "simple-password-policy" + }, + "secretKey": "password" + } + }, + { + "apiVersion": "redhatcop.redhat.io/v1alpha1", + "kind": "SecretEngineMount", + "metadata": { + "name": "database" + }, + "spec": { + "authentication": { + "path": "kubernetes", + "role": "database-engine-admin" + }, + "path": "test-vault-config-operator", + "type": "database" + } + }, + { + "apiVersion": 
"redhatcop.redhat.io/v1alpha1", + "kind": "VaultSecret", + "metadata": { + "name": "vaultsecret-sample" + }, + "spec": { + "output": { + "annotations": { + "refresh": "every-minute" + }, + "labels": { + "app": "test-vault-config-operator" + }, + "name": "randomsecret", + "stringData": { + "anotherpassword": "{{ .anotherrandomsecret.password }}", + "password": "{{ .randomsecret.password }}" + }, + "type": "Opaque" + }, + "refreshPeriod": "3m0s", + "vaultSecretDefinitions": [ + { + "authentication": { + "path": "kubernetes", + "role": "secret-reader", + "serviceAccount": { + "name": "default" + } + }, + "name": "randomsecret", + "path": "test-vault-config-operator/kv/randomsecret-password" + }, + { + "authentication": { + "path": "kubernetes", + "role": "secret-reader", + "serviceAccount": { + "name": "default" + } + }, + "name": "anotherrandomsecret", + "path": "test-vault-config-operator/kv/another-password" + } + ] + } + } + ] + capabilities: Full Lifecycle + categories: Security + certified: 'false' + containerImage: quay.io/redhat-cop/vault-config-operator@sha256:05ac28c0eaf47e9d4f6e343d68ffbd0b2459c475525c217f6b18ed20a176a596 + createdAt: "2023-12-04T17:22:00Z" + description: This operator provides primitives to declaratively configure Hashicorp Vault. 
+ operatorframework.io/cluster-monitoring: 'true' + operatorframework.io/suggested-namespace: vault-config-operator + operators.openshift.io/infrastructure-features: '["Disconnected"]' + operators.operatorframework.io/builder: operator-sdk-v1.25.3 + operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 + repository: https://github.com/redhat-cop/vault-config-operator + support: Best Effort + labels: + operatorframework.io/arch.amd64: supported + operatorframework.io/arch.arm64: supported + operatorframework.io/arch.ppc64le: supported + operatorframework.io/arch.s390x: supported + operatorframework.io/os.linux: supported + name: vault-config-operator.v0.8.25 + namespace: placeholder +spec: + annotations: + service.beta.openshift.io/inject-cabundle: 'true' + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: AuthEngineMount is the Schema for the authenginemounts API + displayName: Auth Engine Mount + kind: AuthEngineMount + name: authenginemounts.redhatcop.redhat.io + version: v1alpha1 + - description: DatabaseSecretEngineConfig is the Schema for the databasesecretengineconfigs API + displayName: Database Secret Engine Config + kind: DatabaseSecretEngineConfig + name: databasesecretengineconfigs.redhatcop.redhat.io + version: v1alpha1 + - description: DatabaseSecretEngineRole is the Schema for the databasesecretengineroles API + displayName: Database Secret Engine Role + kind: DatabaseSecretEngineRole + name: databasesecretengineroles.redhatcop.redhat.io + version: v1alpha1 + - description: DatabaseSecretEngineStaticRole is the Schema for the databasesecretenginestaticroles API + displayName: Database Secret Engine Static Role + kind: DatabaseSecretEngineStaticRole + name: databasesecretenginestaticroles.redhatcop.redhat.io + version: v1alpha1 + - description: GitHubSecretEngineConfig is the Schema for the githubsecretengineconfigs API + displayName: Git Hub Secret Engine Config + kind: GitHubSecretEngineConfig + name: 
githubsecretengineconfigs.redhatcop.redhat.io + version: v1alpha1 + - description: GitHubSecretEngineRole is the Schema for the githubsecretengineroles API + displayName: Git Hub Secret Engine Role + kind: GitHubSecretEngineRole + name: githubsecretengineroles.redhatcop.redhat.io + version: v1alpha1 + - description: GroupAlias is the Schema for the groupalias API + displayName: Group Alias + kind: GroupAlias + name: groupaliases.redhatcop.redhat.io + version: v1alpha1 + - description: Group is the Schema for the groups API + displayName: Group + kind: Group + name: groups.redhatcop.redhat.io + version: v1alpha1 + - description: JWTOIDCAuthEngineConfig is the Schema for the jwtoidcauthengineconfigs API + displayName: JWTOIDCAuth Engine Config + kind: JWTOIDCAuthEngineConfig + name: jwtoidcauthengineconfigs.redhatcop.redhat.io + version: v1alpha1 + - description: JWTOIDCAuthEngineRole is the Schema for the jwtoidcauthengineroles API + displayName: JWTOIDCAuth Engine Role + kind: JWTOIDCAuthEngineRole + name: jwtoidcauthengineroles.redhatcop.redhat.io + version: v1alpha1 + - description: KubernetesAuthEngineConfig is the Schema for the kubernetesauthengineconfigs API + displayName: Kubernetes Auth Engine Config + kind: KubernetesAuthEngineConfig + name: kubernetesauthengineconfigs.redhatcop.redhat.io + version: v1alpha1 + - description: KubernetesAuthEngineRole can be used to define a KubernetesAuthEngineRole for the kube-auth authentication method + displayName: Kubernetes Auth Engine Role + kind: KubernetesAuthEngineRole + name: kubernetesauthengineroles.redhatcop.redhat.io + version: v1alpha1 + - description: KubernetesSecretEngineConfig is the Schema for the kubernetessecretengineconfigs API + displayName: Kubernetes Secret Engine Config + kind: KubernetesSecretEngineConfig + name: kubernetessecretengineconfigs.redhatcop.redhat.io + version: v1alpha1 + - description: KubernetesSecretEngineRole is the Schema for the kubernetessecretengineroles API + displayName: 
Kubernetes Secret Engine Role + kind: KubernetesSecretEngineRole + name: kubernetessecretengineroles.redhatcop.redhat.io + version: v1alpha1 + - description: LDAPAuthEngineConfig is the Schema for the ldapauthengineconfigs API + displayName: LDAPAuth Engine Config + kind: LDAPAuthEngineConfig + name: ldapauthengineconfigs.redhatcop.redhat.io + version: v1alpha1 + - description: LDAPAuthEngineGroup is the Schema for the ldapauthenginegroups API + displayName: LDAPAuth Engine Group + kind: LDAPAuthEngineGroup + name: ldapauthenginegroups.redhatcop.redhat.io + version: v1alpha1 + - description: PasswordPolicy is the Schema for the passowordpolicies API + displayName: Password Policy + kind: PasswordPolicy + name: passwordpolicies.redhatcop.redhat.io + version: v1alpha1 + - description: PKISecretEngineConfig is the Schema for the pkisecretengineconfigs API + displayName: PKISecret Engine Config + kind: PKISecretEngineConfig + name: pkisecretengineconfigs.redhatcop.redhat.io + version: v1alpha1 + - description: PKISecretEngineRole is the Schema for the pkisecretengineroles API + displayName: PKISecret Engine Role + kind: PKISecretEngineRole + name: pkisecretengineroles.redhatcop.redhat.io + version: v1alpha1 + - description: Policy is the Schema for the policies API + displayName: Policy + kind: Policy + name: policies.redhatcop.redhat.io + version: v1alpha1 + - description: QuaySecretEngineConfig is the Schema for the quaysecretengineconfigs API + displayName: Quay Secret Engine Config + kind: QuaySecretEngineConfig + name: quaysecretengineconfigs.redhatcop.redhat.io + version: v1alpha1 + - description: QuaySecretEngineRole is the Schema for the quaysecretengineroles API + displayName: Quay Secret Engine Role + kind: QuaySecretEngineRole + name: quaysecretengineroles.redhatcop.redhat.io + version: v1alpha1 + - description: QuaySecretEngineStaticRole is the Schema for the quaysecretenginestaticroles API + displayName: Quay Secret Engine Static Role + kind: 
QuaySecretEngineStaticRole + name: quaysecretenginestaticroles.redhatcop.redhat.io + version: v1alpha1 + - description: RabbitMQSecretEngineConfig is the Schema for the rabbitmqsecretengineconfigs API + displayName: Rabbit MQSecret Engine Config + kind: RabbitMQSecretEngineConfig + name: rabbitmqsecretengineconfigs.redhatcop.redhat.io + version: v1alpha1 + - description: RabbitMQSecretEngineRole is the Schema for the rabbitmqsecretengineroles API + displayName: Rabbit MQSecret Engine Role + kind: RabbitMQSecretEngineRole + name: rabbitmqsecretengineroles.redhatcop.redhat.io + version: v1alpha1 + - description: RandomSecret is the Schema for the randomsecrets API + displayName: Random Secret + kind: RandomSecret + name: randomsecrets.redhatcop.redhat.io + version: v1alpha1 + - description: SecretEngineMount is the Schema for the secretenginemounts API + displayName: Secret Engine Mount + kind: SecretEngineMount + name: secretenginemounts.redhatcop.redhat.io + version: v1alpha1 + - description: VaultSecret is the Schema for the vaultsecrets API + displayName: Vault Secret + kind: VaultSecret + name: vaultsecrets.redhatcop.redhat.io + version: v1alpha1 + description: | + This operator helps set up Vault Configurations. The main intent is to do so such that subsequently pods can consume the secrets made available. + There are two main principles through all of the capabilities of this operator: + + 1. high-fidelity API. The CRD exposed by this operator reflect field by field the Vault APIs. This is because we don't want to make any assumption on the kinds of configuration workflow that user will set up. That being said the Vault API is very extensive and we are starting with enough API coverage to support, we think, some simple and very common configuration workflows. + 2. attention to security (after all we are integrating with a security tool). To prevent credential leaks we give no permissions to the operator itself against Vault. 
All APIs exposed by this operator contains enough information to authenticate to Vault using a local service account (local to the namespace where the API exist). In other word for a namespace user to be abel to successfully configure Vault, a service account in that namespace must have been previously given the needed Vault permissions. + + Currently this operator supports the following CRDs: + + 1. [Policy](https://github.com/redhat-cop/vault-config-operator#policy) Configures Vault [Policies](https://www.vaultproject.io/docs/concepts/policies) + 2. [KubernetesAuthEngineRole](https://github.com/redhat-cop/vault-config-operator#KubernetesAuthEngineRole) Configures a Vault [Kubernetes Authentication](https://www.vaultproject.io/docs/auth/kubernetes) Role + 3. [SecretEngineMount](https://github.com/redhat-cop/vault-config-operator#SecretEngineMount) Configures a Mount point for a [SecretEngine](https://www.vaultproject.io/docs/secrets) + 4. [DatabaseSecretEngineConfig](https://github.com/redhat-cop/vault-config-operator#DatabaseSecretEngineConfig) Configures a [Database Secret Engine](https://www.vaultproject.io/docs/secrets/databases) Connection + 5. [DatabaseSecretEngineRole](https://github.com/redhat-cop/vault-config-operator#DatabaseSecretEngineRole) Configures a [Database Secret Engine](https://www.vaultproject.io/docs/secrets/databases) Role + 6. 
[RandomSecret](https://github.com/redhat-cop/vault-config-operator#RandomSecret) Creates a random secret in a vault [kv Secret Engine](https://www.vaultproject.io/docs/secrets/kv) with one password field generated using a [PasswordPolicy](https://www.vaultproject.io/docs/concepts/password-policies)vault-config-operator + displayName: Vault Config Operator + icon: + - base64data: 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 + mediatype: image/png + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - '' + resources: + - events + verbs: + - create + - get + - list + - patch + - watch + - apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - '' + resources: + - serviceaccounts/token + verbs: + - create + - get + - list + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - authenginemounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - authenginemounts/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - authenginemounts/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - databasesecretengineconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - databasesecretengineconfigs + - randomsecrets + verbs: + - get + - list + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - databasesecretengineconfigs/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - databasesecretengineconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - databasesecretengineroles + verbs: + - create + - delete + - get + - list + - patch + - 
update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - databasesecretengineroles/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - databasesecretengineroles/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - databasesecretenginestaticroles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - databasesecretenginestaticroles/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - databasesecretenginestaticroles/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - githubsecretengineconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - githubsecretengineconfigs/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - githubsecretengineconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - githubsecretengineroles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - githubsecretengineroles/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - githubsecretengineroles/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - groupaliases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - groupaliases/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - groupaliases/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - groups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - 
redhatcop.redhat.io + resources: + - groups/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - groups/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - jwtoidcauthengineconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - jwtoidcauthengineconfigs/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - jwtoidcauthengineconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - jwtoidcauthengineroles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - jwtoidcauthengineroles/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - jwtoidcauthengineroles/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - kubernetesauthengineconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - kubernetesauthengineconfigs/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - kubernetesauthengineconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - kubernetesauthengineroles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - kubernetesauthengineroles/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - kubernetesauthengineroles/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - kubernetessecretengineconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + 
- kubernetessecretengineconfigs/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - kubernetessecretengineconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - kubernetessecretengineroles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - kubernetessecretengineroles/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - kubernetessecretengineroles/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - ldapauthengineconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - ldapauthengineconfigs/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - ldapauthengineconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - ldapauthenginegroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - ldapauthenginegroups/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - ldapauthenginegroups/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - passwordpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - passwordpolicies/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - passwordpolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - pkisecretengineconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - pkisecretengineconfigs/finalizers + 
verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - pkisecretengineconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - pkisecretengineroles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - pkisecretengineroles/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - pkisecretengineroles/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - policies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - policies/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - policies/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - quaysecretengineconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - quaysecretengineconfigs/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - quaysecretengineconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - quaysecretengineroles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - quaysecretengineroles/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - quaysecretengineroles/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - quaysecretenginestaticroles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - quaysecretenginestaticroles/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - 
quaysecretenginestaticroles/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - rabbitmqsecretengineconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - rabbitmqsecretengineconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - rabbitmqsecretengineroles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - rabbitmqsecretengineroles/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - rabbitmqsecretengineroles/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - randomsecrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - randomsecrets/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - randomsecrets/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - secretenginemounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - secretenginemounts/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - secretenginemounts/status + verbs: + - get + - patch + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - vaultsecrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - redhatcop.redhat.io + resources: + - vaultsecrets/finalizers + verbs: + - update + - apiGroups: + - redhatcop.redhat.io + resources: + - vaultsecrets/status + verbs: + - get + - patch + - update + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - 
authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + serviceAccountName: controller-manager + deployments: + - label: + control-plane: vault-config-operator + name: vault-config-operator-controller-manager + spec: + replicas: 1 + selector: + matchLabels: + control-plane: vault-config-operator + strategy: {} + template: + metadata: + labels: + control-plane: vault-config-operator + spec: + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + - --tls-cert-file=/etc/certs/tls/tls.crt + - --tls-private-key-file=/etc/certs/tls/tls.key + image: quay.io/redhat-cop/kube-rbac-proxy@sha256:c68135620167c41e3d9f6c1d2ca1eb8fa24312b86186d09b8010656b9d25fb47 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /etc/certs/tls + name: tls-cert + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + image: quay.io/redhat-cop/vault-config-operator@sha256:05ac28c0eaf47e9d4f6e343d68ffbd0b2459c475525c217f6b18ed20a176a596 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 200m + memory: 250Mi + requests: + cpu: 100m + memory: 250Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + serviceAccountName: controller-manager + terminationGracePeriodSeconds: 10 + volumes: + - name: tls-cert + secret: + defaultMode: 
420 + secretName: vault-config-operator-certs + permissions: + - rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + serviceAccountName: controller-manager + strategy: deployment + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - security + - secrets + - gitops + - policy + - credentials + links: + - name: Vault Config Operator + url: https://github.com/redhat-cop/vault-config-operator + - name: Container Image + url: https://quay.io/redhat-cop/vault-config-operator + maintainers: + - email: rspazzol@redhat.com + name: Raffaele Spazzoli + maturity: alpha + provider: + name: Red Hat Community of Practice + version: 0.8.25 + webhookdefinitions: + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mauthenginemount.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - authenginemounts + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-authenginemount + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mdatabasesecretengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - databasesecretengineconfigs + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + 
webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-databasesecretengineconfig + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mdatabasesecretenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - databasesecretengineroles + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-databasesecretenginerole + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mdatabasesecretenginestaticrole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - databasesecretenginestaticroles + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-databasesecretenginestaticrole + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mgithubsecretengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - githubsecretengineconfigs + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-githubsecretengineconfig + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mgithubsecretenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - githubsecretengineroles + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: 
/mutate-redhatcop-redhat-io-v1alpha1-githubsecretenginerole + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mgroup.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - groups + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-group + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mgroupalias.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - groupalias + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-groupalias + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mjwtoidcauthengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - jwtoidcauthengineconfigs + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-jwtoidcauthengineconfig + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mjwtoidcauthenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - jwtoidcauthengineroles + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-jwtoidcauthenginerole + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: 
vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mkubernetesauthengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - kubernetesauthengineconfigs + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-kubernetesauthengineconfig + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mkubernetesauthenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - kubernetesauthengineroles + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-kubernetesauthenginerole + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mkubernetessecretengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - kubernetessecretengineconfigs + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-kubernetessecretengineconfig + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mkubernetessecretenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - kubernetessecretengineroles + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-kubernetessecretenginerole + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + 
failurePolicy: Fail + generateName: mldapauthengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - ldapauthengineconfigs + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-ldapauthengineconfig + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mldapauthenginegroup.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - ldapauthenginegroups + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-ldapauthenginegroup + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mpasswordpolicy.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - passwordpolicies + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-passwordpolicy + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mpkisecretengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - pkisecretengineconfigs + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-pkisecretengineconfig + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mpkisecretenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + 
apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - pkisecretengineroles + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-pkisecretenginerole + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mpolicy.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - policies + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-policy + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mquaysecretengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - quaysecretengineconfigs + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-quaysecretengineconfig + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mquaysecretenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - quaysecretengineroles + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-quaysecretenginerole + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mquaysecretenginestaticrole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - quaysecretenginestaticroles + sideEffects: None + targetPort: 9443 + type: 
MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-quaysecretenginestaticrole + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mrabbitmqsecretenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - rabbitmqsecretengineroles + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-rabbitmqsecretenginerole + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mrandomsecret.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - randomsecrets + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-randomsecret + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: msecretenginemount.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - secretenginemounts + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-secretenginemount + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: mvaultsecret.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - vaultsecrets + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-redhatcop-redhat-io-v1alpha1-vaultsecret + - 
admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vauthenginemount.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - authenginemounts + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-authenginemount + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vdatabasesecretengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - databasesecretengineconfigs + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-databasesecretengineconfig + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vdatabasesecretenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - databasesecretengineroles + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-databasesecretenginerole + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vdatabasesecretenginestaticrole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - databasesecretenginestaticroles + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-databasesecretenginestaticrole + - 
admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vgithubsecretengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - githubsecretengineconfigs + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-githubsecretengineconfig + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vgithubsecretenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - githubsecretengineroles + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-githubsecretenginerole + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vgroup.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - groups + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-group + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vgroupalias.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - groupalias + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-groupalias + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + 
generateName: vjwtoidcauthengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - jwtoidcauthengineconfigs + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-jwtoidcauthengineconfig + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vjwtoidcauthenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - jwtoidcauthengineroles + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-jwtoidcauthenginerole + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vkubernetesauthengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - kubernetesauthengineconfigs + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-kubernetesauthengineconfig + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vkubernetesauthenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - kubernetesauthengineroles + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-kubernetesauthenginerole + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: 
vkubernetessecretengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - kubernetessecretengineconfigs + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-kubernetessecretengineconfig + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vkubernetessecretenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - kubernetessecretengineroles + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-kubernetessecretenginerole + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vldapauthengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - ldapauthengineconfigs + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-ldapauthengineconfig + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vldapauthenginegroup.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - ldapauthenginegroups + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-ldapauthenginegroup + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vpkisecretengineconfig.kb.io + rules: + - apiGroups: + - 
redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - pkisecretengineconfigs + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-pkisecretengineconfig + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vpkisecretenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - pkisecretengineroles + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-pkisecretenginerole + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vquaysecretengineconfig.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - quaysecretengineconfigs + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-quaysecretengineconfig + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vquaysecretenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - quaysecretengineroles + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-quaysecretenginerole + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vquaysecretenginestaticrole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - 
CREATE + - UPDATE + resources: + - quaysecretenginestaticroles + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-quaysecretenginestaticrole + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vrabbitmqsecretenginerole.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - rabbitmqsecretengineroles + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-rabbitmqsecretenginerole + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vrandomsecret.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - randomsecrets + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-randomsecret + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vsecretenginemount.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - UPDATE + resources: + - secretenginemounts + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-redhatcop-redhat-io-v1alpha1-secretenginemount + - admissionReviewVersions: + - v1 + - v1beta1 + containerPort: 443 + deploymentName: vault-config-operator-controller-manager + failurePolicy: Fail + generateName: vvaultsecret.kb.io + rules: + - apiGroups: + - redhatcop.redhat.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - vaultsecrets + sideEffects: 
None
+ targetPort: 9443
+ type: ValidatingAdmissionWebhook
+ webhookPath: /validate-redhatcop-redhat-io-v1alpha1-vaultsecret
+ relatedImages:
+ - name: quay.io/redhat-cop/kube-rbac-proxy
+ image: quay.io/redhat-cop/kube-rbac-proxy@sha256:c68135620167c41e3d9f6c1d2ca1eb8fa24312b86186d09b8010656b9d25fb47
+ - name: quay.io/redhat-cop/vault-config-operator
+ image: quay.io/redhat-cop/vault-config-operator@sha256:05ac28c0eaf47e9d4f6e343d68ffbd0b2459c475525c217f6b18ed20a176a596
diff --git a/operators/vault-config-operator/0.8.25/metadata/annotations.yaml b/operators/vault-config-operator/0.8.25/metadata/annotations.yaml
new file mode 100644
index 00000000000..fd1efbaf405
--- /dev/null
+++ b/operators/vault-config-operator/0.8.25/metadata/annotations.yaml
@@ -0,0 +1,15 @@
+annotations:
+ # Core bundle annotations.
+ operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+ operators.operatorframework.io.bundle.manifests.v1: manifests/
+ operators.operatorframework.io.bundle.metadata.v1: metadata/
+ operators.operatorframework.io.bundle.package.v1: vault-config-operator
+ operators.operatorframework.io.bundle.channels.v1: alpha
+ operators.operatorframework.io.bundle.channel.default.v1: alpha
+ operators.operatorframework.io.metrics.builder: operator-sdk-v1.25.3
+ operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
+ operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3
+
+ # Annotations for testing.
+ operators.operatorframework.io.test.mediatype.v1: scorecard+v1
+ operators.operatorframework.io.test.config.v1: tests/scorecard/
diff --git a/operators/vault-config-operator/0.8.25/tests/scorecard/config.yaml b/operators/vault-config-operator/0.8.25/tests/scorecard/config.yaml
new file mode 100644
index 00000000000..566572f7cf9
--- /dev/null
+++ b/operators/vault-config-operator/0.8.25/tests/scorecard/config.yaml
@@ -0,0 +1,70 @@
+apiVersion: scorecard.operatorframework.io/v1alpha3
+kind: Configuration
+metadata:
+ name: config
+stages:
+- parallel: true
+ tests:
+ - entrypoint:
+ - scorecard-test
+ - basic-check-spec
+ image: quay.io/operator-framework/scorecard-test:v1.13.0
+ labels:
+ suite: basic
+ test: basic-check-spec-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-bundle-validation
+ image: quay.io/operator-framework/scorecard-test:v1.13.0
+ labels:
+ suite: olm
+ test: olm-bundle-validation-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-crds-have-validation
+ image: quay.io/operator-framework/scorecard-test:v1.13.0
+ labels:
+ suite: olm
+ test: olm-crds-have-validation-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-crds-have-resources
+ image: quay.io/operator-framework/scorecard-test:v1.13.0
+ labels:
+ suite: olm
+ test: olm-crds-have-resources-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-spec-descriptors
+ image: quay.io/operator-framework/scorecard-test:v1.13.0
+ labels:
+ suite: olm
+ test: olm-spec-descriptors-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-status-descriptors
+ image: quay.io/operator-framework/scorecard-test:v1.13.0
+ labels:
+ suite: olm
+ test: olm-status-descriptors-test
+ storage:
+ spec:
+ mountPath: {}
+storage:
+ spec:
+ mountPath: {}
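Review bot: All six `image: quay.io/operator-framework/scorecard-test:v1.13.0` entries in this hunk pin the scorecard test image by a mutable tag, while the bundle's own images in the CSV `relatedImages` section are pinned by sha256 digest; a re-pushed tag would make the scorecard run pull an image different from the one reviewed, so the test stage is not reproducible in the way the rest of the bundle is. Pinning the same way, `image: quay.io/operator-framework/scorecard-test@sha256:<DIGEST-PLACEHOLDER>` (resolved from the registry for the intended release), would close that gap; if the tag is kept on purpose, a one-line `# tag kept mutable on purpose: <reason>` comment above the first entry would save the next reviewer the same question. The `v1.13.0` tag also appears to lag the `operator-sdk-v1.25.3` builder recorded in metadata/annotations.yaml; this looks like an un-refreshed scaffold rather than a deliberate choice, so confirm the scorecard version is the one intended for this bundle.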