2 - Using templates for injecting dynamic configuration
Background
When configuring a Vault
object via the externalConfig
property, sometimes it’s convenient (or necessary) to inject settings that are only known at runtime, for example:
- secrets that you don’t want to store in source control
- dynamic resources managed elsewhere
- computations based on multiple values (string or arithmetic operations).
For these cases, the operator supports parameterized templating. The vault-configurer
component evaluates the templates and injects the rendered configuration into Vault.
This templating is based on Go templates, extended by Sprig, with some custom functions available specifically for bank-vaults (for example, to decrypt strings using the AWS Key Management Service or the Cloud Key Management Service of the Google Cloud Platform).
Using templates
To avoid confusion and potential parsing errors (and interference with other templating tools like Helm), the templates don’t use the default delimiters that Go templates use ({{
and }}
). Instead, use the following characters:
- ${ for the left delimiter
- } for the right one.
- To quote parameters being passed to functions, surround them with backticks (`) instead.
For example, to call the env
function, you can use this in your manifest:
password: "${ env `MY_ENVIRONMENT_VARIABLE` }"
In this case, vault-configurer
evaluates the value of MY_ENVIRONMENT_VARIABLE
at runtime (assuming it was properly injected), and sets the result as the value of the password
field.
Note that you can also use Sprig functions and custom Kubernetes-related functions in your templates.
Sprig functions
In addition to the default functions in Go templates, you can also use Sprig functions in your configuration.
CAUTION:
Use only functions that return a string, otherwise the generated configuration is invalid.
Custom functions
To provide functionality that’s more Kubernetes-friendly and cloud-native, bank-vaults provides a few additional functions not available in Sprig or Go. The functions and their parameters (in the order they should go in the function) are documented below.
awskms
Takes a base64-encoded, KMS-encrypted string and returns the decrypted string. Additionally, the function takes an optional second parameter for any encryption context that might be required for decrypting. If any encryption context is required, the function will take any number of additional parameters, each of which should be a key-value pair (separated by a =
character), corresponding to the full context.
Note: This function assumes that the vault-configurer
pod has the appropriate AWS IAM credentials and permissions to decrypt the given string. You can inject the AWS IAM credentials by using Kubernetes secrets as environment variables, an EC2 instance role, kube2iam, or EKS IAM roles, and so on.
Parameter | Type | Required |
encodedString | Base64-encoded string | Yes |
encryptionContext | Variadic list of strings | No |
For example:
password: '${ awskms (env `ENCRYPTED_DB_CREDS`) }'
You can also nest functions in the template, for example:
password: '${ awskms (blob `s3://bank-vaults/encrypted/db-creds?region=eu-west-1`) }'
gcpkms
Takes a base64-encoded string, encrypted with a Google Cloud Platform (GCP) symmetric key and returns the decrypted string.
Note: This function assumes that the vault-configurer
pod has the appropriate GCP IAM credentials and permissions to decrypt the given string. You can inject the GCP IAM credentials by using Kubernetes secrets as environment variables, or they can be acquired via a service account authentication, and so on.
Parameter | Type | Required |
encodedString | Base64-encoded string | Yes |
projectId | String | Yes |
location | String | Yes |
keyRing | String | Yes |
key | String | Yes |
blob
Reads the content of a blob from disk (file) or from cloud blob storage services (object storage) at the given URL and returns it. This assumes that the path exists, and is readable by vault-configurer
.
Valid values for the URL parameters are listed below, for more fine grained options check the documentation of the underlying library:
file:///path/to/dir/file
s3://my-bucket/object?region=us-west-1
gs://my-bucket/object
azblob://my-container/blob
Note: This function assumes that the vault-configurer
pod has the appropriate rights to access the given cloud service. For details, see the awskms and gcpkms functions.
Parameter | Type | Required |
url | String | Yes |
For example:
password: '${ blob `s3://bank-vaults/encrypted/db-creds?region=eu-west-1` }'
You can also nest functions in the template, for example:
password: '${ awskms (blob `s3://bank-vaults/encrypted/db-creds?region=eu-west-1`) }'
file
Reads the content of a file from disk at the given path and returns it. This assumes that the file exists, it’s mounted, and readable by vault-configurer
.
Parameter | Type | Required |
path | String | Yes |
accessor
Looks up the accessor id of the given auth path and returns it. This function is only useful in policies that use templated policies, to generalize the <mount accessor>
field.
Parameter | Type | Required |
path | String | Yes |
For example:
policies:
- name: allow_secrets
rules: path "secret/data/{{identity.entity.aliases.${ accessor `kubernetes/` }.metadata.service_account_namespace}}/*" {
capabilities = ["read"]
}
6 - TLS
Bank-Vaults tries to automate as much as possible for handling TLS certificates.
- The
vault-operator
automates the creation and renewal of TLS certificates for Vault. - The
vault
Helm Chart automates only the creation of TLS certificates for Vault via Sprig.
Both the operator and the chart generate a Kubernetes Secret holding the TLS certificates, this is named ${VAULT_CR_NAME}-tls
. For most examples in the vault-operator repository, the name of the secret is vault-tls
.
The Secret data keys are:
ca.crt
ca.key
server.crt
server.key
Note: The operator doesn’t overwrite this Secret if it already exists, so you can provide this certificate in any other way, for example using cert-manager or by simply placing it there manually.
Operator custom TLS settings
The following attributes influence the TLS settings of the operator. The ca.crt
key is mandatory in existingTlsSecretName, otherwise the Bank-Vaults components can’t verify the Vault server certificate.
CANamespaces
The list of namespaces where the generated CA certificate for Vault should be distributed. Use ["*"] for all namespaces.
Default value: []
ExistingTLSSecretName
The name of the secret that contains a TLS server certificate, key, and the corresponding CA certificate. The secret must be in the kubernetes.io/tls type secret keys + ca.crt key format. If the attribute is set, the operator uses the certificate already set in the secret, otherwise it generates a new one.
The ca.crt
key is mandatory, otherwise the Bank-Vaults components can’t verify the Vault server certificate.
Default value: ""
TLSAdditionalHosts
A list hostnames or IP addresses to add to the SAN on the automatically generated TLS certificate.
Default value: []
TLSExpiryThreshold
The expiration threshold of the Vault TLS certificate in Go Duration format.
Default value: 168h
Helm chart custom TLS settings
Starting with version 1.20, the Vault Helm chart allows you to set custom TLS settings. The following attributes influence the TLS settings of the Helm chart. The ca.crt
key is mandatory in secretName, otherwise the Bank-Vaults components can’t verify the Vault server certificate.
SecretName
The name of the secret that contains a TLS server certificate, key, and the corresponding CA certificate. The secret must be in the kubernetes.io/tls type secret keys + ca.crt key format. If the attribute is set, the operator uses the certificate already set in the secret, otherwise it generates a new one.
The ca.crt
key is mandatory, otherwise the Bank-Vaults components can’t verify the Vault server certificate.
Default value: ""
CANamespaces
The list of namespaces where the generated CA certificate for Vault should be distributed.
Default value: []
Using the generated custom TLS certificate with vault-operator
To use an existing secret which contains the TLS certificate, define existingTlsSecretName in the Vault custom resource.
Generate custom certificates with CFSSL
If you don’t want to use the certificates generated by Helm or the Bank-Vaults operator, the easiest way to create a custom certificate for Bank-Vaults is using CFSSL.
The TLS directory in the documentation holds a set of custom CFSSL configurations which are prepared for the Helm release name vault
in the default
namespace. Of course, you can put any other certificates into the Secret below, this is just an example.
-
Install CFSSL.
-
Create a CA:
cfssl genkey -initca csr.json | cfssljson -bare ca
-
Create a server certificate:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json -profile=server server.json | cfssljson -bare server
-
Put these certificates (and the server key) into a Kubernetes Secret:
kubectl create secret generic vault-tls --from-file=ca.crt=ca.pem --from-file=server.crt=server.pem --from-file=server.key=server-key.pem
-
Install the Vault instance:
- With the chart which uses this certificate:
helm upgrade --install vault ../charts/vault --set tls.secretName=vault-tls
- With the operator, create a Vault custom resource, and apply it:
kubectl apply -f vault-cr.yaml
Generate custom certificates with cert-manager
You can use the following cert-manager custom resource to generate a certificate for Bank-Vaults.
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: test-selfsigned
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: selfsigned-cert
spec:
commonName: vault
usages:
- server auth
dnsNames:
- vault
- vault.default
- vault.default.svc
- vault.default.svc.cluster.local
ipAddresses:
- 127.0.0.1
secretName: selfsigned-cert-tls
issuerRef:
name: test-selfsigned
EOF
13 - API Reference
Packages
vault.banzaicloud.com/v1alpha1
Package v1alpha1 contains API Schema definitions for the vault.banzaicloud.com v1alpha1 API group
AWSUnsealConfig
AWSUnsealConfig holds the parameters for AWS KMS based unsealing
Appears in:
kmsKeyId
(string)
kmsRegion
(string)
kmsEncryptionContext
(string)
s3Bucket
(string)
s3Prefix
(string)
s3Region
(string)
s3SSE
(string)
AlibabaUnsealConfig
AlibabaUnsealConfig holds the parameters for Alibaba Cloud KMS based unsealing
–alibaba-kms-region eu-central-1 –alibaba-kms-key-id 9d8063eb-f9dc-421b-be80-15d195c9f148 –alibaba-oss-endpoint oss-eu-central-1.aliyuncs.com –alibaba-oss-bucket bank-vaults
Appears in:
kmsRegion
(string)
kmsKeyId
(string)
ossEndpoint
(string)
ossBucket
(string)
ossPrefix
(string)
AzureUnsealConfig
AzureUnsealConfig holds the parameters for Azure Key Vault based unsealing
Appears in:
keyVaultName
(string)
CredentialsConfig
CredentialsConfig configuration for a credentials file provided as a secret
Appears in:
env
(string)
path
(string)
secretName
(string)
EmbeddedObjectMetadata contains a subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta Only fields which are relevant to embedded resources are included. controller-gen discards embedded ObjectMetadata type fields, so we have to overcome this.
Appears in:
name
(string)
Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
labels
(object (keys:string, values:string))
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
annotations
(object (keys:string, values:string))
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
EmbeddedPersistentVolumeClaim
EmbeddedPersistentVolumeClaim is an embeddable and controller-gen friendly version of k8s.io/api/core/v1.PersistentVolumeClaim. It contains TypeMeta and a reduced ObjectMeta.
Appears in:
Refer to Kubernetes API documentation for fields of metadata
.
Spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
EmbeddedPodSpec
EmbeddedPodSpec is a description of a pod, which allows containers to be missing, almost as k8s.io/api/core/v1.PodSpec.
Appears in:
volumes
(Volume array)
List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes
initContainers
(Container array)
List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
containers
(Container array)
List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated.
List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod’s ephemeralcontainers subresource.
Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy
terminationGracePeriodSeconds
(integer)
Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds.
activeDeadlineSeconds
(integer)
Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.
Set DNS policy for the pod. Defaults to “ClusterFirst”. Valid values are ‘ClusterFirstWithHostNet’, ‘ClusterFirst’, ‘Default’ or ‘None’. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to ‘ClusterFirstWithHostNet’.
nodeSelector
(object (keys:string, values:string))
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node’s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
serviceAccountName
(string)
ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
serviceAccount
(string)
DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.
automountServiceAccountToken
(boolean)
AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
nodeName
(string)
NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements.
hostNetwork
(boolean)
Host networking requested for this pod. Use the host’s network namespace. If this option is set, the ports that will be used must be specified. Default to false.
hostPID
(boolean)
Use the host’s pid namespace. Optional: Default to false.
hostIPC
(boolean)
Use the host’s ipc namespace. Optional: Default to false.
shareProcessNamespace
(boolean)
Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false.
SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.
ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
hostname
(string)
Specifies the hostname of the Pod If not specified, the pod’s hostname will be set to a system-defined value.
subdomain
(string)
If specified, the fully qualified Pod hostname will be “...svc.”. If not specified, the pod will not have a domainname at all.
If specified, the pod’s scheduling constraints
schedulerName
(string)
If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.
If specified, the pod’s tolerations.
hostAliases
(HostAlias array)
HostAliases is an optional list of hosts and IPs that will be injected into the pod’s hosts file if specified. This is only valid for non-hostNetwork pods.
priorityClassName
(string)
If specified, indicates the pod’s priority. “system-node-critical” and “system-cluster-critical” are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.
priority
(integer)
The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority.
Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy.
If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to “True” More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates
runtimeClassName
(string)
RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the “legacy” RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
enableServiceLinks
(boolean)
EnableServiceLinks indicates whether information about services should be injected into pod’s environment variables, matching the syntax of Docker links. Optional: Defaults to true.
PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.
Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md
TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. All topologySpreadConstraints are ANDed.
setHostnameAsFQDN
(boolean)
If true the pod’s hostname will be configured as the pod’s FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to FQDN. If a pod does not have FQDN, this has no effect. Default to false.
Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.
If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions
If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[].securityContext.seLinuxOptions - spec.containers[].securityContext.seccompProfile - spec.containers[].securityContext.capabilities - spec.containers[].securityContext.readOnlyRootFilesystem - spec.containers[].securityContext.privileged - spec.containers[].securityContext.allowPrivilegeEscalation - spec.containers[].securityContext.procMount - spec.containers[].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup
hostUsers
(boolean)
Use the host’s user namespace. Optional: Default to true. If set to true or not present, the pod will be run in the host user namespace, useful for when the pod needs a feature only available to the host user namespace, such as loading a kernel module with CAP_SYS_MODULE. When set to false, a new userns is created for the pod. Setting false is useful for mitigating container breakout vulnerabilities even allowing users to run their containers as root without actually having root privileges on the host. This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature.
SchedulingGates is an opaque list of values that if specified will block scheduling the pod. More info: https://git.k8s.io/enhancements/keps/sig-scheduling/3521-pod-scheduling-readiness.
This is an alpha-level feature enabled by PodSchedulingReadiness feature gate.
ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field is immutable.
GoogleUnsealConfig
GoogleUnsealConfig holds the parameters for Google KMS based unsealing
Appears in:
kmsKeyRing
(string)
kmsCryptoKey
(string)
kmsLocation
(string)
kmsProject
(string)
storageBucket
(string)
HSMUnsealConfig
HSMUnsealConfig holds the parameters for remote HSM based unsealing
Appears in:
daemon
(boolean)
modulePath
(string)
slotId
(integer)
tokenLabel
(string)
pin
(string)
keyLabel
(string)
Ingress
Ingress specification for the Vault cluster
Appears in:
annotations
(object (keys:string, values:string))
KubernetesUnsealConfig
KubernetesUnsealConfig holds the parameters for Kubernetes based unsealing
Appears in:
secretNamespace
(string)
secretName
(string)
Resources
Resources holds different container’s ResourceRequirements
Appears in:
UnsealConfig
UnsealConfig represents the UnsealConfig field of a VaultSpec Kubernetes object
Appears in:
UnsealOptions
UnsealOptions represents the common options to all unsealing backends
Appears in:
preFlightChecks
(boolean)
storeRootToken
(boolean)
secretThreshold
(integer)
secretShares
(integer)
Vault
Vault is the Schema for the vaults API
Appears in:
apiVersion
string vault.banzaicloud.com/v1alpha1
kind
string Vault
Refer to Kubernetes API documentation for fields of metadata
.
VaultList
VaultList contains a list of Vault
apiVersion
string vault.banzaicloud.com/v1alpha1
kind
string VaultList
Refer to Kubernetes API documentation for fields of metadata
.
items
(Vault array)
VaultSpec
VaultSpec defines the desired state of Vault
Appears in:
size
(integer)
Size defines the number of Vault instances in the cluster (>= 1 means HA) default: 1
image
(string)
Image specifies the Vault image to use for the Vault instances default: hashicorp/vault:latest
bankVaultsImage
(string)
BankVaultsImage specifies the Bank Vaults image to use for Vault unsealing and configuration default: ghcr.io/bank-vaults/bank-vaults:latest
bankVaultsVolumeMounts
(VolumeMount array)
BankVaultsVolumeMounts define some extra Kubernetes Volume mounts for the Bank Vaults Sidecar container. default:
statsdDisabled
(boolean)
StatsDDisabled specifies if StatsD based metrics should be disabled default: false
statsdImage
(string)
StatsDImage specifices the StatsD image to use for Vault metrics exportation default: prom/statsd-exporter:latest
statsdConfig
(string)
StatsdConfig specifices the StatsD mapping configuration default:
fluentdEnabled
(boolean)
FluentDEnabled specifies if FluentD based log exportation should be enabled default: false
fluentdImage
(string)
FluentDImage specifices the FluentD image to use for Vault log exportation default: fluent/fluentd:edge
fluentdConfLocation
(string)
FluentDConfLocation is the location of the fluent.conf file default: “/fluentd/etc”
fluentdConfFile
(string)
FluentDConfFile specifices the FluentD configuration file name to use for Vault log exportation default:
fluentdConfig
(string)
FluentDConfig specifices the FluentD configuration to use for Vault log exportation default:
watchedSecretsLabels
(object array)
WatchedSecretsLabels specifices a set of Kubernetes label selectors which select Secrets to watch. If these Secrets change the Vault cluster gets restarted. For example a Secret that Cert-Manager is managing a public Certificate for Vault using let’s Encrypt. default:
watchedSecretsAnnotations
(object array)
WatchedSecretsAnnotations specifices a set of Kubernetes annotations selectors which select Secrets to watch. If these Secrets change the Vault cluster gets restarted. For example a Secret that Cert-Manager is managing a public Certificate for Vault using let’s Encrypt. default:
annotations
(object (keys:string, values:string))
Annotations define a set of common Kubernetes annotations that will be added to all operator managed resources. default:
vaultAnnotations
(object (keys:string, values:string))
VaultAnnotations define a set of Kubernetes annotations that will be added to all Vault Pods. default:
vaultLabels
(object (keys:string, values:string))
VaultLabels define a set of Kubernetes labels that will be added to all Vault Pods. default:
VaultPodSpec is a Kubernetes Pod specification snippet (spec:
block) that will be merged into the operator generated Vault Pod specification. default:
vaultContainerSpec
(Container)
VaultContainerSpec is a Kubernetes Container specification snippet that will be merged into the operator generated Vault Container specification. default:
VaultConfigurerAnnotations define a set of Kubernetes annotations that will be added to the Vault Configurer Pod. default:
VaultConfigurerLabels define a set of Kubernetes labels that will be added to all Vault Configurer Pod. default:
VaultConfigurerPodSpec is a Kubernetes Pod specification snippet (spec:
block) that will be merged into the operator generated Vault Configurer Pod specification. default:
config
(JSON)
Config is the Vault Server configuration. See https://www.vaultproject.io/docs/configuration/ for more details. default:
externalConfig
(JSON)
ExternalConfig is higher level configuration block which instructs the Bank Vaults Configurer to configure Vault through its API, thus allows setting up: - Secret Engines - Auth Methods - Audit Devices - Plugin Backends - Policies - Startup Secrets (Bank Vaults feature)
UnsealConfig defines where the Vault cluster’s unseal keys and root token should be stored after initialization. See the type’s documentation for more details. Only one method may be specified. default: Kubernetes Secret based unsealing
CredentialsConfig defines a external Secret for Vault and how it should be mounted to the Vault Pod for example accessing Cloud resources. default:
envsConfig
(EnvVar array)
EnvsConfig is a list of Kubernetes environment variable definitions that will be passed to all Bank-Vaults pods. default:
SecurityContext is a Kubernetes PodSecurityContext that will be applied to all Pods created by the operator. default:
serviceType
(string)
ServiceType is a Kubernetes Service type of the Vault Service. default: ClusterIP
loadBalancerIP
(string)
LoadBalancerIP is an optional setting for allocating a specific address for the entry service object of type LoadBalancer default: ""
serviceRegistrationEnabled
(boolean)
serviceRegistrationEnabled enables the injection of the service_registration Vault stanza. This requires elaborated RBAC privileges for updating Pod labels for the Vault Pod. default: false
raftLeaderAddress
(string)
RaftLeaderAddress defines the leader address of the raft cluster in multi-cluster deployments. (In single cluster (namespace) deployments it is automatically detected). “self” is a special value which means that this instance should be the bootstrap leader instance. default: ""
servicePorts
(object (keys:string, values:integer))
ServicePorts is an extra map of ports that should be exposed by the Vault Service. default:
Affinity is a group of affinity scheduling rules applied to all Vault Pods. default:
podAntiAffinity
(string)
PodAntiAffinity is the TopologyKey in the Vault Pod’s PodAntiAffinity. No PodAntiAffinity is used if empty. Deprecated. Use Affinity. default:
NodeAffinity is Kubernetees NodeAffinity definition that should be applied to all Vault Pods. Deprecated. Use Affinity. default:
nodeSelector
(object (keys:string, values:string))
NodeSelector is Kubernetees NodeSelector definition that should be applied to all Vault Pods. default:
Tolerations is Kubernetes Tolerations definition that should be applied to all Vault Pods. default:
serviceAccount
(string)
ServiceAccount is Kubernetes ServiceAccount in which the Vault Pods should be running in. default: default
volumes
(Volume array)
Volumes define some extra Kubernetes Volumes for the Vault Pods. default:
VolumeMounts define some extra Kubernetes Volume mounts for the Vault Pods. default:
VolumeClaimTemplates define some extra Kubernetes PersistentVolumeClaim templates for the Vault Statefulset. default:
vaultEnvsConfig
(EnvVar array)
VaultEnvsConfig is a list of Kubernetes environment variable definitions that will be passed to the Vault container. default:
sidecarEnvsConfig
(EnvVar array)
SidecarEnvsConfig is a list of Kubernetes environment variable definitions that will be passed to Vault sidecar containers. default:
Resources defines the resource limits for all the resources created by the operator. See the type for more details. default:
Ingress, if it is specified the operator will create an Ingress resource for the Vault Service and will annotate it with the correct Ingress annotations specific to the TLS settings in the configuration. See the type for more details. default:
serviceMonitorEnabled
(boolean)
ServiceMonitorEnabled enables the creation of Prometheus Operator specific ServiceMonitor for Vault. default: false
existingTlsSecretName
(string)
ExistingTLSSecretName is name of the secret that contains a TLS server certificate and key and the corresponding CA certificate. Required secret format kubernetes.io/tls type secret keys + ca.crt key If it is set, generating certificate will be disabled default: ""
tlsExpiryThreshold
(string)
TLSExpiryThreshold is the Vault TLS certificate expiration threshold in Go’s Duration format. default: 168h
tlsAdditionalHosts
(string array)
TLSAdditionalHosts is a list of additional hostnames or IP addresses to add to the SAN on the automatically generated TLS certificate. default:
caNamespaces
(string array)
CANamespaces define a list of namespaces where the generated CA certificate for Vault should be distributed, use ["*"] for all namespaces. default:
istioEnabled
(boolean)
IstioEnabled describes if the cluster has a Istio running and enabled. default: false
veleroEnabled
(boolean)
VeleroEnabled describes if the cluster has a Velero running and enabled. default: false
veleroFsfreezeImage
(string)
VeleroFsfreezeImage specifices the Velero Fsrfeeze image to use in Velero backup hooks default: velero/fsfreeze-pause:latest
vaultContainers
(Container array)
VaultContainers add extra containers
vaultInitContainers
(Container array)
VaultInitContainers add extra initContainers
VaultUnsealConfig
VaultUnsealConfig holds the parameters for remote Vault based unsealing
Appears in:
address
(string)
unsealKeysPath
(string)
role
(string)
authPath
(string)
tokenPath
(string)
token
(string)