venafi-connection API reference (Preview)
Resource Types:
VenafiConnection
VenafiConnection is the Schema for the VenafiConnection API
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | jetstack.io/v1alpha1 | true |
kind | string | VenafiConnection | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
VenafiConnection.spec
Name | Type | Description | Required |
---|---|---|---|
tpp | object | | false |
vaas | object | | false |
VenafiConnection.spec.tpp
Name | Type | Description | Required |
---|---|---|---|
url | string | The URL to connect to the Venafi TPP instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by venafi-connection-lib. | true |
accessToken | []object | The list of steps to retrieve a TPP access token. | false |
VenafiConnection.spec.tpp.accessToken[index]
Name | Type | Description | Required |
---|---|---|---|
hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType. | false |
VenafiConnection.spec.tpp.accessToken[index].hashicorpVaultOAuth
HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.
Name | Type | Description | Required |
---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
authPath | string | The login URL used for obtaining the Vault token. Example: "https://vault:8200/v1/auth/oidc/login". | true |
role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
clientId | string | ClientID is the clientId used to authenticate with Hashicorp Vault. Default: cert-manager.io | false |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.tpp.accessToken[index].hashicorpVaultSecret
HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
Name | Type | Description | Required |
---|---|---|---|
fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example 1 (TPP, username and password): imagining that you have stored the username and password for TPP under the keys "username" and "password", you will want to set this field to ["username", "password"]. The username is expected to be given first, the password second. | true |
secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.tpp.accessToken[index].secret
Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.
Name | Type | Description | Required |
---|---|---|---|
fields | []string | The names of the fields we want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
name | string | The name of the Kubernetes secret. | true |
VenafiConnection.spec.tpp.accessToken[index].serviceAccountToken
ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step.
Name | Type | Description | Required |
---|---|---|---|
audiences | []string | Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
name | string | The name of the Kubernetes service account. | true |
expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response. Format: int64 | false |
VenafiConnection.spec.tpp.accessToken[index].tppOAuth
TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType.
Name | Type | Description | Required |
---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT". Enum: UsernamePassword, JWT | true |
clientId | string | ClientID is the clientId used to authenticate with TPP. Default: cert-manager.io | false |
url | string | The URL to connect to the Venafi TPP instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. | false |
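As an added example (not from the venafi-connection project or its documentation), here is a complete VenafiConnection whose TPP access token is produced by the four-step chain the tables above describe: a Kubernetes service account token is exchanged for a Vault token via OIDC login, that Vault token reads the TPP username and password from Vault, and the final tppOAuth step authenticates to TPP with them. The names, namespace, service account, Vault role, audience and hostnames are constructed placeholders; that the hashicorpVaultOAuth step accepts the service account JWT from the preceding step as its input OAuth token is my reading of the reference and should be checked against the Vault auth method you actually run.

```yaml
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: tpp-via-vault          # constructed name
  namespace: venafi            # constructed namespace
spec:
  tpp:
    # The trailing /vedsdk is optional; venafi-connection-lib strips it.
    url: https://tpp.example.com
    accessToken:
      # Step 1 (a "first step"): mint a short-lived JWT for a service account
      # through the Kubernetes TokenRequest API. Keep the audience list narrow;
      # the reference notes that multi-audience tokens imply a high degree of
      # trust between the audiences. The audience value is constructed.
      - serviceAccountToken:
          name: venafi-connection      # constructed service account name
          audiences: ["vault"]
          expirationSeconds: 600
      # Step 2: exchange that JWT for a Vault token via Vault's OIDC login.
      # The only supported authInputType here is OIDC.
      - hashicorpVaultOAuth:
          url: https://vault.example.com:8200                       # constructed
          authPath: https://vault.example.com:8200/v1/auth/oidc/login
          authInputType: OIDC
          role: venafi-connection      # constructed Vault role
          clientId: cert-manager.io    # the documented default, shown explicitly
      # Step 3: use the Vault token to read the TPP credentials. Field order
      # matters: the reference expects username first, password second.
      - hashicorpVaultSecret:
          url: https://vault.example.com:8200
          secretPath: /v1/secret/data/application-team-a/tpp-username-password
          fields: ["username", "password"]
      # Step 4 (the "last step"): authenticate to TPP with the pair from step 3.
      - tppOAuth:
          authInputType: UsernamePassword
          clientId: cert-manager.io
```

Each step consumes the output of the one before it, so the list order is the execution order. If TPP is configured to accept the service account JWT directly, steps 2 and 3 can be dropped and `tppOAuth.authInputType` set to `JWT`, since the reference says the required prior step depends on `authInputType`. Keep `expirationSeconds` short: the token only has to live long enough for the next step to use it.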
VenafiConnection.spec.vaas
Name | Type | Description | Required |
---|---|---|---|
apiKey | []object | The list of steps to retrieve the API key that will be used to connect to Vaas. | false |
url | string | The URL to connect to the Venafi VaaS instance. If not set, the default value https://api.venafi.cloud/v1/ is used. | false |
VenafiConnection.spec.vaas.apiKey[index]
Name | Type | Description | Required |
---|---|---|---|
hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType. | false |
VenafiConnection.spec.vaas.apiKey[index].hashicorpVaultOAuth
HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.
Name | Type | Description | Required |
---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
authPath | string | The login URL used for obtaining the Vault token. Example: "https://vault:8200/v1/auth/oidc/login". | true |
role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
clientId | string | ClientID is the clientId used to authenticate with Hashicorp Vault. Default: cert-manager.io | false |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vaas.apiKey[index].hashicorpVaultSecret
HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
Name | Type | Description | Required |
---|---|---|---|
fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example 1 (TPP, username and password): imagining that you have stored the username and password for TPP under the keys "username" and "password", you will want to set this field to ["username", "password"]. The username is expected to be given first, the password second. | true |
secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vaas.apiKey[index].secret
Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.
Name | Type | Description | Required |
---|---|---|---|
fields | []string | The names of the fields we want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
name | string | The name of the Kubernetes secret. | true |
VenafiConnection.spec.vaas.apiKey[index].serviceAccountToken
ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step.
Name | Type | Description | Required |
---|---|---|---|
audiences | []string | Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
name | string | The name of the Kubernetes service account. | true |
expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response. Format: int64 | false |
VenafiConnection.spec.vaas.apiKey[index].tppOAuth
TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType.
Name | Type | Description | Required |
---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT". Enum: UsernamePassword, JWT | true |
clientId | string | ClientID is the clientId used to authenticate with TPP. Default: cert-manager.io | false |
url | string | The URL to connect to the Venafi TPP instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. | false |
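An added example for the vaas side (again not the project's own), showing the shortest possible chain: a single `secret` step that reads the VaaS API key from a Kubernetes Secret, together with the Secret it reads from so the mapping between `fields` and the Secret's data keys is visible. The Secret name, its key and the namespace are constructed; that the output of the final step in `apiKey` is what gets used as the API key is my reading of the `apiKey` description.

```yaml
# Constructed Kubernetes Secret holding the API key. The key name "api-key" is
# arbitrary; it only has to match the entry listed under fields below.
apiVersion: v1
kind: Secret
metadata:
  name: venafi-cloud-credentials   # constructed
  namespace: venafi                # constructed
type: Opaque
stringData:
  api-key: "<replace-with-your-vaas-api-key>"   # placeholder, never commit real keys
---
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: vaas-from-secret           # constructed
  namespace: venafi                # constructed
spec:
  vaas:
    # Optional: omitting url selects the documented default
    # https://api.venafi.cloud/v1/ ; shown explicitly for clarity.
    url: https://api.venafi.cloud/v1/
    apiKey:
      # A "first step" with nothing after it: the extracted field is the API key.
      - secret:
          name: venafi-cloud-credentials
          fields: ["api-key"]
```

The same `secret` step can open a TPP chain as well: store `username` and `password` in the Secret, list both in `fields` in that order, and follow it with a `tppOAuth` step using `authInputType: UsernamePassword`. After applying either object, `.status.conditions` and `.status.tokenValidUntil` on the VenafiConnection are where to look to confirm the chain succeeded and when the resulting token expires.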
VenafiConnection.status
Name | Type | Description | Required |
---|---|---|---|
conditions | []object | List of status conditions to indicate the status of a VenafiConnection. | false |
VenafiConnection.status.conditions[index]
ConnectionCondition contains condition information for a VenafiConnection.
Name | Type | Description | Required |
---|---|---|---|
status | string | Status of the condition, one of (True, False, Unknown). | true |
type | string | Type of the condition, should be a combination of the unique name of the operator and the type of condition, e.g. VenafiEnhancedIssuerReady | true |
lastTransitionTime | string | LastTransitionTime is the timestamp corresponding to the last status change of this condition. Format: date-time | false |
message | string | Message is a human readable description of the details of the last transition, complementing reason. | false |
observedGeneration | integer | If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. Format: int64 | false |
reason | string | Reason is a brief machine readable explanation for the condition's last transition. | false |
tokenValidUntil | string | The ValidUntil time of the token used to authenticate with the Venafi Control Plane server. Format: date-time | false |