Documentation
¶
Overview ¶
Package v1alpha1 contains API Schema definitions for the vault.banzaicloud.com v1alpha1 API group
Index ¶
- Variables
- func Kind(kind string) schema.GroupKind
- func RegisterDefaults(scheme *runtime.Scheme) error
- func Resource(resource string) schema.GroupResource
- type AWSUnsealConfig
- type AlibabaUnsealConfig
- type AzureUnsealConfig
- type CredentialsConfig
- type EmbeddedObjectMetadata
- type EmbeddedPersistentVolumeClaim
- type EmbeddedPodSpec
- type GoogleUnsealConfig
- type HSMUnsealConfig
- type Ingress
- type KubernetesUnsealConfig
- type Resources
- type UnsealConfig
- type UnsealOptions
- type Vault
- func (vault *Vault) AsOwnerReference() metav1.OwnerReference
- func (vault *Vault) ConfigJSON() ([]byte, error)
- func (in *Vault) DeepCopy() *Vault
- func (in *Vault) DeepCopyInto(out *Vault)
- func (in *Vault) DeepCopyObject() runtime.Object
- func (vault *Vault) GetIngress() *Ingress
- func (vault *Vault) LabelsForVault() map[string]string
- func (vault *Vault) LabelsForVaultConfigurer() map[string]string
- type VaultList
- type VaultSpec
- func (in *VaultSpec) DeepCopy() *VaultSpec
- func (in *VaultSpec) DeepCopyInto(out *VaultSpec)
- func (spec *VaultSpec) ExternalConfigJSON() []byte
- func (spec *VaultSpec) GetAPIPortName() string
- func (spec *VaultSpec) GetAPIScheme() string
- func (spec *VaultSpec) GetAnnotations() map[string]string
- func (spec *VaultSpec) GetBankVaultsImage() string
- func (spec *VaultSpec) GetFluentDConfMountPath() string
- func (spec *VaultSpec) GetFluentDImage() string
- func (spec *VaultSpec) GetHAStorage() map[string]interface{}
- func (spec *VaultSpec) GetHAStorageType() string
- func (spec *VaultSpec) GetServiceAccount() string
- func (spec *VaultSpec) GetStatsDImage() string
- func (spec *VaultSpec) GetStorage() map[string]interface{}
- func (spec *VaultSpec) GetStorageType() string
- func (spec *VaultSpec) GetTLSExpiryThreshold() time.Duration
- func (spec *VaultSpec) GetVaultAnnotations() map[string]string
- func (spec *VaultSpec) GetVaultConfig() map[string]interface{}
- func (spec *VaultSpec) GetVaultConfigurerAnnotations() map[string]string
- func (spec *VaultSpec) GetVaultConfigurerLabels() map[string]string
- func (spec *VaultSpec) GetVaultImage() string
- func (spec *VaultSpec) GetVaultLabels() map[string]string
- func (spec *VaultSpec) GetVeleroFsfreezeImage() string
- func (spec *VaultSpec) GetVersion() (*semver.Version, error)
- func (spec *VaultSpec) GetVolumeClaimTemplates() []v1.PersistentVolumeClaim
- func (spec *VaultSpec) GetWatchedSecretsAnnotations() []map[string]string
- func (spec *VaultSpec) GetWatchedSecretsLabels() []map[string]string
- func (spec *VaultSpec) HasHAStorage() bool
- func (spec *VaultSpec) HasStorageHAEnabled() bool
- func (spec *VaultSpec) IsAutoUnseal() bool
- func (spec *VaultSpec) IsFluentDEnabled() bool
- func (spec *VaultSpec) IsRaftBootstrapFollower() bool
- func (spec *VaultSpec) IsRaftHAStorage() bool
- func (spec *VaultSpec) IsRaftStorage() bool
- func (spec *VaultSpec) IsStatsDDisabled() bool
- func (spec *VaultSpec) IsTLSDisabled() bool
- func (spec *VaultSpec) IsTelemetryUnauthenticated() bool
- type VaultStatus
- type VaultUnsealConfig
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // SchemeGroupVersion is group version used to register these objects SchemeGroupVersion = schema.GroupVersion{Group: "vault.banzaicloud.com", Version: "v1alpha1"} // SchemeBuilder is used to add go types to the GroupVersionKind scheme SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion} // AddToScheme adds the types in this group-version to the given scheme. AddToScheme = SchemeBuilder.AddToScheme )
View Source
var ( // DefaultBankVaultsImage defines the image used when VaultSpec.BankVaultsImage is empty. DefaultBankVaultsImage = "ghcr.io/bank-vaults/bank-vaults:latest" // HAStorageTypes is the set of storage backends supporting High Availability HAStorageTypes = map[string]bool{ "consul": true, "dynamodb": true, "etcd": true, "gcs": true, "mysql": true, "postgresql": true, "raft": true, "spanner": true, "zookeeper": true, } )
Functions ¶
func RegisterDefaults ¶
RegisterDefaults adds defaulters functions to the given scheme. Public to allow building arbitrary schemes. All generated defaulters are covering - they call all nested defaulters.
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type AWSUnsealConfig ¶
type AWSUnsealConfig struct {
KMSKeyID string `json:"kmsKeyId"`
KMSRegion string `json:"kmsRegion,omitempty"`
KMSEncryptionContext string `json:"kmsEncryptionContext,omitempty"`
S3Bucket string `json:"s3Bucket"`
S3Prefix string `json:"s3Prefix"`
S3Region string `json:"s3Region,omitempty"`
S3SSE string `json:"s3SSE,omitempty"`
}
AWSUnsealConfig holds the parameters for AWS KMS based unsealing
func (*AWSUnsealConfig) DeepCopy ¶
func (in *AWSUnsealConfig) DeepCopy() *AWSUnsealConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSUnsealConfig.
func (*AWSUnsealConfig) DeepCopyInto ¶
func (in *AWSUnsealConfig) DeepCopyInto(out *AWSUnsealConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AlibabaUnsealConfig ¶
type AlibabaUnsealConfig struct {
KMSRegion string `json:"kmsRegion"`
KMSKeyID string `json:"kmsKeyId"`
OSSEndpoint string `json:"ossEndpoint"`
OSSBucket string `json:"ossBucket"`
OSSPrefix string `json:"ossPrefix"`
}
AlibabaUnsealConfig holds the parameters for Alibaba Cloud KMS based unsealing
--alibaba-kms-region eu-central-1 --alibaba-kms-key-id 9d8063eb-f9dc-421b-be80-15d195c9f148 --alibaba-oss-endpoint oss-eu-central-1.aliyuncs.com --alibaba-oss-bucket bank-vaults
func (*AlibabaUnsealConfig) DeepCopy ¶
func (in *AlibabaUnsealConfig) DeepCopy() *AlibabaUnsealConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaUnsealConfig.
func (*AlibabaUnsealConfig) DeepCopyInto ¶
func (in *AlibabaUnsealConfig) DeepCopyInto(out *AlibabaUnsealConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AzureUnsealConfig ¶
type AzureUnsealConfig struct {
KeyVaultName string `json:"keyVaultName"`
}
AzureUnsealConfig holds the parameters for Azure Key Vault based unsealing
func (*AzureUnsealConfig) DeepCopy ¶
func (in *AzureUnsealConfig) DeepCopy() *AzureUnsealConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureUnsealConfig.
func (*AzureUnsealConfig) DeepCopyInto ¶
func (in *AzureUnsealConfig) DeepCopyInto(out *AzureUnsealConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CredentialsConfig ¶
type CredentialsConfig struct {
Env string `json:"env"`
Path string `json:"path"`
SecretName string `json:"secretName"`
}
CredentialsConfig configuration for a credentials file provided as a secret
func (*CredentialsConfig) DeepCopy ¶
func (in *CredentialsConfig) DeepCopy() *CredentialsConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialsConfig.
func (*CredentialsConfig) DeepCopyInto ¶
func (in *CredentialsConfig) DeepCopyInto(out *CredentialsConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EmbeddedObjectMetadata ¶
type EmbeddedObjectMetadata struct {
// Name must be unique within a namespace. Is required when creating resources, although
// some resources may allow a client to request the generation of an appropriate name
// automatically. Name is primarily intended for creation idempotence and configuration
// definition.
// Cannot be updated.
// More info: http://kubernetes.io/docs/user-guide/identifiers#names
// +optional
Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`
// Map of string keys and values that can be used to organize and categorize
// (scope and select) objects. May match selectors of replication controllers
// and services.
// More info: http://kubernetes.io/docs/user-guide/labels
// +optional
Labels map[string]string `json:"labels,omitempty" protobuf:"bytes,11,rep,name=labels"`
// Annotations is an unstructured key value map stored with a resource that may be
// set by external tools to store and retrieve arbitrary metadata. They are not
// queryable and should be preserved when modifying objects.
// More info: http://kubernetes.io/docs/user-guide/annotations
// +optional
Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,12,rep,name=annotations"`
}
EmbeddedObjectMetadata contains a subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta Only fields which are relevant to embedded resources are included. controller-gen discards embedded ObjectMetadata type fields, so we have to overcome this.
func (*EmbeddedObjectMetadata) DeepCopy ¶
func (in *EmbeddedObjectMetadata) DeepCopy() *EmbeddedObjectMetadata
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmbeddedObjectMetadata.
func (*EmbeddedObjectMetadata) DeepCopyInto ¶
func (in *EmbeddedObjectMetadata) DeepCopyInto(out *EmbeddedObjectMetadata)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EmbeddedPersistentVolumeClaim ¶
type EmbeddedPersistentVolumeClaim struct {
metav1.TypeMeta `json:",inline"`
// EmbeddedObjectMetadata contains metadata relevant to an EmbeddedResource.
EmbeddedObjectMetadata `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Spec defines the desired characteristics of a volume requested by a pod author.
// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
// +optional
Spec v1.PersistentVolumeClaimSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
EmbeddedPersistentVolumeClaim is an embeddable and controller-gen friendly version of k8s.io/api/core/v1.PersistentVolumeClaim. It contains TypeMeta and a reduced ObjectMeta.
func (*EmbeddedPersistentVolumeClaim) DeepCopy ¶
func (in *EmbeddedPersistentVolumeClaim) DeepCopy() *EmbeddedPersistentVolumeClaim
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmbeddedPersistentVolumeClaim.
func (*EmbeddedPersistentVolumeClaim) DeepCopyInto ¶
func (in *EmbeddedPersistentVolumeClaim) DeepCopyInto(out *EmbeddedPersistentVolumeClaim)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EmbeddedPodSpec ¶
type EmbeddedPodSpec struct {
// List of volumes that can be mounted by containers belonging to the pod.
// More info: https://kubernetes.io/docs/concepts/storage/volumes
// +optional
// +patchMergeKey=name
// +patchStrategy=merge,retainKeys
Volumes []v1.Volume `json:"volumes,omitempty" patchStrategy:"merge,retainKeys" patchMergeKey:"name" protobuf:"bytes,1,rep,name=volumes"`
// List of initialization containers belonging to the pod.
// Init containers are executed in order prior to containers being started. If any
// init container fails, the pod is considered to have failed and is handled according
// to its restartPolicy. The name for an init container or normal container must be
// unique among all containers.
// Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes.
// The resourceRequirements of an init container are taken into account during scheduling
// by finding the highest request/limit for each resource type, and then using the max of
// of that value or the sum of the normal containers. Limits are applied to init containers
// in a similar fashion.
// Init containers cannot currently be added or removed.
// Cannot be updated.
// More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
// +patchMergeKey=name
// +patchStrategy=merge
InitContainers []v1.Container `json:"initContainers,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,20,rep,name=initContainers"`
// List of containers belonging to the pod.
// Containers cannot currently be added or removed.
// There must be at least one container in a Pod.
// Cannot be updated.
// +patchMergeKey=name
// +patchStrategy=merge
Containers []v1.Container `json:"containers,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,2,rep,name=containers"`
// List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing
// pod to perform user-initiated actions such as debugging. This list cannot be specified when
// creating a pod, and it cannot be modified by updating the pod spec. In order to add an
// ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource.
// +optional
// +patchMergeKey=name
// +patchStrategy=merge
EphemeralContainers []v1.EphemeralContainer `` /* 128-byte string literal not displayed */
// Restart policy for all containers within the pod.
// One of Always, OnFailure, Never.
// Default to Always.
// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy
// +optional
RestartPolicy v1.RestartPolicy `json:"restartPolicy,omitempty" protobuf:"bytes,3,opt,name=restartPolicy,casttype=RestartPolicy"`
// Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request.
// Value must be non-negative integer. The value zero indicates stop immediately via
// the kill signal (no opportunity to shut down).
// If this value is nil, the default grace period will be used instead.
// The grace period is the duration in seconds after the processes running in the pod are sent
// a termination signal and the time when the processes are forcibly halted with a kill signal.
// Set this value longer than the expected cleanup time for your process.
// Defaults to 30 seconds.
// +optional
TerminationGracePeriodSeconds *int64 `json:"terminationGracePeriodSeconds,omitempty" protobuf:"varint,4,opt,name=terminationGracePeriodSeconds"`
// Optional duration in seconds the pod may be active on the node relative to
// StartTime before the system will actively try to mark it failed and kill associated containers.
// Value must be a positive integer.
// +optional
ActiveDeadlineSeconds *int64 `json:"activeDeadlineSeconds,omitempty" protobuf:"varint,5,opt,name=activeDeadlineSeconds"`
// Set DNS policy for the pod.
// Defaults to "ClusterFirst".
// Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'.
// DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy.
// To have DNS options set along with hostNetwork, you have to specify DNS policy
// explicitly to 'ClusterFirstWithHostNet'.
// +optional
DNSPolicy v1.DNSPolicy `json:"dnsPolicy,omitempty" protobuf:"bytes,6,opt,name=dnsPolicy,casttype=DNSPolicy"`
// NodeSelector is a selector which must be true for the pod to fit on a node.
// Selector which must match a node's labels for the pod to be scheduled on that node.
// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
// +optional
// +mapType=atomic
NodeSelector map[string]string `json:"nodeSelector,omitempty" protobuf:"bytes,7,rep,name=nodeSelector"`
// ServiceAccountName is the name of the ServiceAccount to use to run this pod.
// More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
// +optional
ServiceAccountName string `json:"serviceAccountName,omitempty" protobuf:"bytes,8,opt,name=serviceAccountName"`
// DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
// Deprecated: Use serviceAccountName instead.
// +k8s:conversion-gen=false
// +optional
DeprecatedServiceAccount string `json:"serviceAccount,omitempty" protobuf:"bytes,9,opt,name=serviceAccount"`
// AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
// +optional
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty" protobuf:"varint,21,opt,name=automountServiceAccountToken"`
// NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
// the scheduler simply schedules this pod onto that node, assuming that it fits resource
// requirements.
// +optional
NodeName string `json:"nodeName,omitempty" protobuf:"bytes,10,opt,name=nodeName"`
// Host networking requested for this pod. Use the host's network namespace.
// If this option is set, the ports that will be used must be specified.
// Default to false.
// +k8s:conversion-gen=false
// +optional
HostNetwork bool `json:"hostNetwork,omitempty" protobuf:"varint,11,opt,name=hostNetwork"`
// Use the host's pid namespace.
// Optional: Default to false.
// +k8s:conversion-gen=false
// +optional
HostPID bool `json:"hostPID,omitempty" protobuf:"varint,12,opt,name=hostPID"`
// Use the host's ipc namespace.
// Optional: Default to false.
// +k8s:conversion-gen=false
// +optional
HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,13,opt,name=hostIPC"`
// When this is set containers will be able to view and signal processes from other containers
// in the same pod, and the first process in each container will not be assigned PID 1.
// HostPID and ShareProcessNamespace cannot both be set.
// Optional: Default to false.
// +k8s:conversion-gen=false
// +optional
ShareProcessNamespace *bool `json:"shareProcessNamespace,omitempty" protobuf:"varint,27,opt,name=shareProcessNamespace"`
// SecurityContext holds pod-level security attributes and common container settings.
// Optional: Defaults to empty. See type description for default values of each field.
// +optional
SecurityContext *v1.PodSecurityContext `json:"securityContext,omitempty" protobuf:"bytes,14,opt,name=securityContext"`
// ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
// If specified, these secrets will be passed to individual puller implementations for them to use.
// More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
// +optional
// +patchMergeKey=name
// +patchStrategy=merge
ImagePullSecrets []v1.LocalObjectReference `json:"imagePullSecrets,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,15,rep,name=imagePullSecrets"`
// Specifies the hostname of the Pod
// If not specified, the pod's hostname will be set to a system-defined value.
// +optional
Hostname string `json:"hostname,omitempty" protobuf:"bytes,16,opt,name=hostname"`
// If specified, the fully qualified Pod hostname will be "<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>".
// If not specified, the pod will not have a domainname at all.
// +optional
Subdomain string `json:"subdomain,omitempty" protobuf:"bytes,17,opt,name=subdomain"`
// If specified, the pod's scheduling constraints
// +optional
Affinity *v1.Affinity `json:"affinity,omitempty" protobuf:"bytes,18,opt,name=affinity"`
// If specified, the pod will be dispatched by specified scheduler.
// If not specified, the pod will be dispatched by default scheduler.
// +optional
SchedulerName string `json:"schedulerName,omitempty" protobuf:"bytes,19,opt,name=schedulerName"`
// If specified, the pod's tolerations.
// +optional
Tolerations []v1.Toleration `json:"tolerations,omitempty" protobuf:"bytes,22,opt,name=tolerations"`
// HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
// file if specified. This is only valid for non-hostNetwork pods.
// +optional
// +patchMergeKey=ip
// +patchStrategy=merge
HostAliases []v1.HostAlias `json:"hostAliases,omitempty" patchStrategy:"merge" patchMergeKey:"ip" protobuf:"bytes,23,rep,name=hostAliases"`
// If specified, indicates the pod's priority. "system-node-critical" and
// "system-cluster-critical" are two special keywords which indicate the
// highest priorities with the former being the highest priority. Any other
// name must be defined by creating a PriorityClass object with that name.
// If not specified, the pod priority will be default or zero if there is no
// default.
// +optional
PriorityClassName string `json:"priorityClassName,omitempty" protobuf:"bytes,24,opt,name=priorityClassName"`
// The priority value. Various system components use this field to find the
// priority of the pod. When Priority Admission Controller is enabled, it
// prevents users from setting this field. The admission controller populates
// this field from PriorityClassName.
// The higher the value, the higher the priority.
// +optional
Priority *int32 `json:"priority,omitempty" protobuf:"bytes,25,opt,name=priority"`
// Specifies the DNS parameters of a pod.
// Parameters specified here will be merged to the generated DNS
// configuration based on DNSPolicy.
// +optional
DNSConfig *v1.PodDNSConfig `json:"dnsConfig,omitempty" protobuf:"bytes,26,opt,name=dnsConfig"`
// If specified, all readiness gates will be evaluated for pod readiness.
// A pod is ready when all its containers are ready AND
// all conditions specified in the readiness gates have status equal to "True"
// More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates
// +optional
ReadinessGates []v1.PodReadinessGate `json:"readinessGates,omitempty" protobuf:"bytes,28,opt,name=readinessGates"`
// RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used
// to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run.
// If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an
// empty definition that uses the default runtime handler.
// More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
// +optional
RuntimeClassName *string `json:"runtimeClassName,omitempty" protobuf:"bytes,29,opt,name=runtimeClassName"`
// EnableServiceLinks indicates whether information about services should be injected into pod's
// environment variables, matching the syntax of Docker links.
// Optional: Defaults to true.
// +optional
EnableServiceLinks *bool `json:"enableServiceLinks,omitempty" protobuf:"varint,30,opt,name=enableServiceLinks"`
// PreemptionPolicy is the Policy for preempting pods with lower priority.
// One of Never, PreemptLowerPriority.
// Defaults to PreemptLowerPriority if unset.
// +optional
PreemptionPolicy *v1.PreemptionPolicy `json:"preemptionPolicy,omitempty" protobuf:"bytes,31,opt,name=preemptionPolicy"`
// Overhead represents the resource overhead associated with running a pod for a given RuntimeClass.
// This field will be autopopulated at admission time by the RuntimeClass admission controller. If
// the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests.
// The RuntimeClass admission controller will reject Pod create requests which have the overhead already
// set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value
// defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero.
// More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md
// +optional
Overhead v1.ResourceList `json:"overhead,omitempty" protobuf:"bytes,32,opt,name=overhead"`
// TopologySpreadConstraints describes how a group of pods ought to spread across topology
// domains. Scheduler will schedule pods in a way which abides by the constraints.
// All topologySpreadConstraints are ANDed.
// +optional
// +patchMergeKey=topologyKey
// +patchStrategy=merge
// +listType=map
// +listMapKey=topologyKey
// +listMapKey=whenUnsatisfiable
TopologySpreadConstraints []v1.TopologySpreadConstraint `` /* 147-byte string literal not displayed */
// If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default).
// In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname).
// In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters to FQDN.
// If a pod does not have FQDN, this has no effect.
// Default to false.
// +optional
SetHostnameAsFQDN *bool `json:"setHostnameAsFQDN,omitempty" protobuf:"varint,35,opt,name=setHostnameAsFQDN"`
// Specifies the OS of the containers in the pod.
// Some pod and container fields are restricted if this is set.
//
// If the OS field is set to linux, the following fields must be unset:
// -securityContext.windowsOptions
//
// If the OS field is set to windows, following fields must be unset:
// - spec.hostPID
// - spec.hostIPC
// - spec.hostUsers
// - spec.securityContext.seLinuxOptions
// - spec.securityContext.seccompProfile
// - spec.securityContext.fsGroup
// - spec.securityContext.fsGroupChangePolicy
// - spec.securityContext.sysctls
// - spec.shareProcessNamespace
// - spec.securityContext.runAsUser
// - spec.securityContext.runAsGroup
// - spec.securityContext.supplementalGroups
// - spec.containers[*].securityContext.seLinuxOptions
// - spec.containers[*].securityContext.seccompProfile
// - spec.containers[*].securityContext.capabilities
// - spec.containers[*].securityContext.readOnlyRootFilesystem
// - spec.containers[*].securityContext.privileged
// - spec.containers[*].securityContext.allowPrivilegeEscalation
// - spec.containers[*].securityContext.procMount
// - spec.containers[*].securityContext.runAsUser
// - spec.containers[*].securityContext.runAsGroup
// +optional
OS *v1.PodOS `json:"os,omitempty" protobuf:"bytes,36,opt,name=os"`
// Use the host's user namespace.
// Optional: Default to true.
// If set to true or not present, the pod will be run in the host user namespace, useful
// for when the pod needs a feature only available to the host user namespace, such as
// loading a kernel module with CAP_SYS_MODULE.
// When set to false, a new userns is created for the pod. Setting false is useful for
// mitigating container breakout vulnerabilities even allowing users to run their
// containers as root without actually having root privileges on the host.
// This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature.
// +k8s:conversion-gen=false
// +optional
HostUsers *bool `json:"hostUsers,omitempty" protobuf:"bytes,37,opt,name=hostUsers"`
// SchedulingGates is an opaque list of values that if specified will block scheduling the pod.
// More info: https://git.k8s.io/enhancements/keps/sig-scheduling/3521-pod-scheduling-readiness.
//
// This is an alpha-level feature enabled by PodSchedulingReadiness feature gate.
// +optional
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
SchedulingGates []v1.PodSchedulingGate `json:"schedulingGates,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,38,opt,name=schedulingGates"`
// ResourceClaims defines which ResourceClaims must be allocated
// and reserved before the Pod is allowed to start. The resources
// will be made available to those containers which consume them
// by name.
//
// This is an alpha field and requires enabling the
// DynamicResourceAllocation feature gate.
//
// This field is immutable.
//
// +patchMergeKey=name
// +patchStrategy=merge,retainKeys
// +listType=map
// +listMapKey=name
// +featureGate=DynamicResourceAllocation
// +optional
ResourceClaims []v1.PodResourceClaim `` /* 129-byte string literal not displayed */
}
EmbeddedPodSpec is a description of a pod, which allows containers to be missing, almost as k8s.io/api/core/v1.PodSpec.
func (*EmbeddedPodSpec) DeepCopy ¶
func (in *EmbeddedPodSpec) DeepCopy() *EmbeddedPodSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmbeddedPodSpec.
func (*EmbeddedPodSpec) DeepCopyInto ¶
func (in *EmbeddedPodSpec) DeepCopyInto(out *EmbeddedPodSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GoogleUnsealConfig ¶
type GoogleUnsealConfig struct {
KMSKeyRing string `json:"kmsKeyRing"`
KMSCryptoKey string `json:"kmsCryptoKey"`
KMSLocation string `json:"kmsLocation"`
KMSProject string `json:"kmsProject"`
StorageBucket string `json:"storageBucket"`
}
GoogleUnsealConfig holds the parameters for Google KMS based unsealing
func (*GoogleUnsealConfig) DeepCopy ¶
func (in *GoogleUnsealConfig) DeepCopy() *GoogleUnsealConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GoogleUnsealConfig.
func (*GoogleUnsealConfig) DeepCopyInto ¶
func (in *GoogleUnsealConfig) DeepCopyInto(out *GoogleUnsealConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type HSMUnsealConfig ¶
type HSMUnsealConfig struct {
Daemon bool `json:"daemon,omitempty"`
ModulePath string `json:"modulePath"`
SlotID uint `json:"slotId,omitempty"`
TokenLabel string `json:"tokenLabel,omitempty"`
// +optional
Pin string `json:"pin"`
KeyLabel string `json:"keyLabel"`
}
HSMUnsealConfig holds the parameters for remote HSM based unsealing
func (*HSMUnsealConfig) DeepCopy ¶
func (in *HSMUnsealConfig) DeepCopy() *HSMUnsealConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HSMUnsealConfig.
func (*HSMUnsealConfig) DeepCopyInto ¶
func (in *HSMUnsealConfig) DeepCopyInto(out *HSMUnsealConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Ingress ¶
type Ingress struct {
Annotations map[string]string `json:"annotations,omitempty"`
Spec netv1.IngressSpec `json:"spec,omitempty"`
}
Ingress specification for the Vault cluster
func (*Ingress) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Ingress.
func (*Ingress) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type KubernetesUnsealConfig ¶
type KubernetesUnsealConfig struct {
SecretNamespace string `json:"secretNamespace,omitempty"`
SecretName string `json:"secretName,omitempty"`
}
KubernetesUnsealConfig holds the parameters for Kubernetes based unsealing
func (*KubernetesUnsealConfig) DeepCopy ¶
func (in *KubernetesUnsealConfig) DeepCopy() *KubernetesUnsealConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesUnsealConfig.
func (*KubernetesUnsealConfig) DeepCopyInto ¶
func (in *KubernetesUnsealConfig) DeepCopyInto(out *KubernetesUnsealConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Resources ¶
type Resources struct {
Vault *v1.ResourceRequirements `json:"vault,omitempty"`
BankVaults *v1.ResourceRequirements `json:"bankVaults,omitempty"`
HSMDaemon *v1.ResourceRequirements `json:"hsmDaemon,omitempty"`
PrometheusExporter *v1.ResourceRequirements `json:"prometheusExporter,omitempty"`
FluentD *v1.ResourceRequirements `json:"fluentd,omitempty"`
}
Resources holds different container's ResourceRequirements
func (*Resources) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resources.
func (*Resources) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type UnsealConfig ¶
type UnsealConfig struct {
Options UnsealOptions `json:"options,omitempty"`
Kubernetes KubernetesUnsealConfig `json:"kubernetes,omitempty"`
Google *GoogleUnsealConfig `json:"google,omitempty"`
Alibaba *AlibabaUnsealConfig `json:"alibaba,omitempty"`
Azure *AzureUnsealConfig `json:"azure,omitempty"`
AWS *AWSUnsealConfig `json:"aws,omitempty"`
Vault *VaultUnsealConfig `json:"vault,omitempty"`
HSM *HSMUnsealConfig `json:"hsm,omitempty"`
}
UnsealConfig represents the UnsealConfig field of a VaultSpec Kubernetes object
func (*UnsealConfig) DeepCopy ¶
func (in *UnsealConfig) DeepCopy() *UnsealConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UnsealConfig.
func (*UnsealConfig) DeepCopyInto ¶
func (in *UnsealConfig) DeepCopyInto(out *UnsealConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*UnsealConfig) HSMDaemonNeeded ¶
func (usc *UnsealConfig) HSMDaemonNeeded() bool
HSMDaemonNeeded returns if the unsealing mechanims needs a HSM Daemon present
func (*UnsealConfig) ToArgs ¶
func (usc *UnsealConfig) ToArgs(vault *Vault) []string
ToArgs returns the UnsealConfig as and argument array for bank-vaults
type UnsealOptions ¶
type UnsealOptions struct {
PreFlightChecks *bool `json:"preFlightChecks,omitempty"`
StoreRootToken *bool `json:"storeRootToken,omitempty"`
SecretThreshold *uint `json:"secretThreshold,omitempty"`
}
UnsealOptions represents the common options to all unsealing backends
func (*UnsealOptions) DeepCopy ¶
func (in *UnsealOptions) DeepCopy() *UnsealOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UnsealOptions.
func (*UnsealOptions) DeepCopyInto ¶
func (in *UnsealOptions) DeepCopyInto(out *UnsealOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Vault ¶
type Vault struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec VaultSpec `json:"spec,omitempty"`
Status VaultStatus `json:"status,omitempty"`
}
Vault is the Schema for the vaults API
func (*Vault) AsOwnerReference ¶
func (vault *Vault) AsOwnerReference() metav1.OwnerReference
AsOwnerReference returns this Vault instance as an OwnerReference
func (*Vault) ConfigJSON ¶
ConfigJSON returns the Config field as a JSON string
func (*Vault) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Vault.
func (*Vault) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Vault) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*Vault) GetIngress ¶
GetIngress the Ingress configuration for Vault if any
func (*Vault) LabelsForVault ¶
LabelsForVault returns the labels for selecting the resources belonging to the given vault CR name.
func (*Vault) LabelsForVaultConfigurer ¶
LabelsForVaultConfigurer returns the labels for selecting the resources belonging to the given vault CR name.
type VaultList ¶
type VaultList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []Vault `json:"items"`
}
VaultList contains a list of Vault
func (*VaultList) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultList.
func (*VaultList) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultList) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VaultSpec ¶
type VaultSpec struct {
// Size defines the number of Vault instances in the cluster (>= 1 means HA)
// default: 1
Size int32 `json:"size,omitempty"`
// Image specifies the Vault image to use for the Vault instances
// default: hashicorp/vault:latest
Image string `json:"image,omitempty"`
// BankVaultsImage specifies the Bank Vaults image to use for Vault unsealing and configuration
// default: ghcr.io/bank-vaults/bank-vaults:latest
BankVaultsImage string `json:"bankVaultsImage,omitempty"`
// BankVaultsVolumeMounts define some extra Kubernetes Volume mounts for the Bank Vaults Sidecar container.
// default:
BankVaultsVolumeMounts []v1.VolumeMount `json:"bankVaultsVolumeMounts,omitempty"`
// StatsDDisabled specifies if StatsD based metrics should be disabled
// default: false
StatsDDisabled bool `json:"statsdDisabled,omitempty"`
// StatsDImage specifices the StatsD image to use for Vault metrics exportation
// default: prom/statsd-exporter:latest
StatsDImage string `json:"statsdImage,omitempty"`
// StatsdConfig specifices the StatsD mapping configuration
// default:
StatsdConfig string `json:"statsdConfig,omitempty"`
// FluentDEnabled specifies if FluentD based log exportation should be enabled
// default: false
FluentDEnabled bool `json:"fluentdEnabled,omitempty"`
// FluentDImage specifices the FluentD image to use for Vault log exportation
// default: fluent/fluentd:edge
FluentDImage string `json:"fluentdImage,omitempty"`
// FluentDConfLocation is the location of the fluent.conf file
// default: "/fluentd/etc"
FluentDConfLocation string `json:"fluentdConfLocation,omitempty"`
// FluentDConfFile specifices the FluentD configuration file name to use for Vault log exportation
// default:
FluentDConfFile string `json:"fluentdConfFile,omitempty"`
// FluentDConfig specifices the FluentD configuration to use for Vault log exportation
// default:
FluentDConfig string `json:"fluentdConfig,omitempty"`
// WatchedSecretsLabels specifices a set of Kubernetes label selectors which select Secrets to watch.
// If these Secrets change the Vault cluster gets restarted. For example a Secret that Cert-Manager is
// managing a public Certificate for Vault using let's Encrypt.
// default:
WatchedSecretsLabels []map[string]string `json:"watchedSecretsLabels,omitempty"`
// WatchedSecretsAnnotations specifices a set of Kubernetes annotations selectors which select Secrets to watch.
// If these Secrets change the Vault cluster gets restarted. For example a Secret that Cert-Manager is
// managing a public Certificate for Vault using let's Encrypt.
// default:
WatchedSecretsAnnotations []map[string]string `json:"watchedSecretsAnnotations,omitempty"`
// Annotations define a set of common Kubernetes annotations that will be added to all operator managed resources.
// default:
Annotations map[string]string `json:"annotations,omitempty"`
// VaultAnnotations define a set of Kubernetes annotations that will be added to all Vault Pods.
// default:
VaultAnnotations map[string]string `json:"vaultAnnotations,omitempty"`
// VaultLabels define a set of Kubernetes labels that will be added to all Vault Pods.
// default:
VaultLabels map[string]string `json:"vaultLabels,omitempty"`
// VaultPodSpec is a Kubernetes Pod specification snippet (`spec:` block) that will be merged into the operator generated
// Vault Pod specification.
// default:
VaultPodSpec *EmbeddedPodSpec `json:"vaultPodSpec,omitempty"`
// VaultContainerSpec is a Kubernetes Container specification snippet that will be merged into the operator generated
// Vault Container specification.
// default:
VaultContainerSpec v1.Container `json:"vaultContainerSpec,omitempty"`
// VaultConfigurerAnnotations define a set of Kubernetes annotations that will be added to the Vault Configurer Pod.
// default:
VaultConfigurerAnnotations map[string]string `json:"vaultConfigurerAnnotations,omitempty"`
// VaultConfigurerLabels define a set of Kubernetes labels that will be added to all Vault Configurer Pod.
// default:
VaultConfigurerLabels map[string]string `json:"vaultConfigurerLabels,omitempty"`
// VaultConfigurerPodSpec is a Kubernetes Pod specification snippet (`spec:` block) that will be merged into
// the operator generated Vault Configurer Pod specification.
// default:
VaultConfigurerPodSpec *EmbeddedPodSpec `json:"vaultConfigurerPodSpec,omitempty"`
// Config is the Vault Server configuration. See https://www.vaultproject.io/docs/configuration/ for more details.
// default:
Config extv1beta1.JSON `json:"config"`
// ExternalConfig is higher level configuration block which instructs the Bank Vaults Configurer to configure Vault
// through its API, thus allows setting up:
// - Secret Engines
// - Auth Methods
// - Audit Devices
// - Plugin Backends
// - Policies
// - Startup Secrets (Bank Vaults feature)
// A documented example: https://github.com/bank-vaults/vault-operator/blob/main/vault-config.yml
// default:
ExternalConfig extv1beta1.JSON `json:"externalConfig,omitempty"`
// UnsealConfig defines where the Vault cluster's unseal keys and root token should be stored after initialization.
// See the type's documentation for more details. Only one method may be specified.
// default: Kubernetes Secret based unsealing
UnsealConfig UnsealConfig `json:"unsealConfig,omitempty"`
// CredentialsConfig defines a external Secret for Vault and how it should be mounted to the Vault Pod
// for example accessing Cloud resources.
// default:
CredentialsConfig CredentialsConfig `json:"credentialsConfig,omitempty"`
// EnvsConfig is a list of Kubernetes environment variable definitions that will be passed to all Bank-Vaults pods.
// default:
EnvsConfig []v1.EnvVar `json:"envsConfig,omitempty"`
// SecurityContext is a Kubernetes PodSecurityContext that will be applied to all Pods created by the operator.
// default:
SecurityContext v1.PodSecurityContext `json:"securityContext,omitempty"`
// ServiceType is a Kubernetes Service type of the Vault Service.
// default: ClusterIP
ServiceType string `json:"serviceType,omitempty"`
// LoadBalancerIP is an optional setting for allocating a specific address for the entry service object
// of type LoadBalancer
// default: ""
LoadBalancerIP string `json:"loadBalancerIP,omitempty"`
// serviceRegistrationEnabled enables the injection of the service_registration Vault stanza.
// This requires elaborated RBAC privileges for updating Pod labels for the Vault Pod.
// default: false
ServiceRegistrationEnabled bool `json:"serviceRegistrationEnabled,omitempty"`
// RaftLeaderAddress defines the leader address of the raft cluster in multi-cluster deployments.
// (In single cluster (namespace) deployments it is automatically detected).
// "self" is a special value which means that this instance should be the bootstrap leader instance.
// default: ""
RaftLeaderAddress string `json:"raftLeaderAddress,omitempty"`
// ServicePorts is an extra map of ports that should be exposed by the Vault Service.
// default:
ServicePorts map[string]int32 `json:"servicePorts,omitempty"`
// Affinity is a group of affinity scheduling rules applied to all Vault Pods.
// default:
Affinity *v1.Affinity `json:"affinity,omitempty"`
// PodAntiAffinity is the TopologyKey in the Vault Pod's PodAntiAffinity.
// No PodAntiAffinity is used if empty.
// Deprecated. Use Affinity.
// default:
PodAntiAffinity string `json:"podAntiAffinity,omitempty"`
// NodeAffinity is Kubernetees NodeAffinity definition that should be applied to all Vault Pods.
// Deprecated. Use Affinity.
// default:
NodeAffinity v1.NodeAffinity `json:"nodeAffinity,omitempty"`
// NodeSelector is Kubernetees NodeSelector definition that should be applied to all Vault Pods.
// default:
NodeSelector map[string]string `json:"nodeSelector,omitempty"`
// Tolerations is Kubernetes Tolerations definition that should be applied to all Vault Pods.
// default:
Tolerations []v1.Toleration `json:"tolerations,omitempty"`
// ServiceAccount is Kubernetes ServiceAccount in which the Vault Pods should be running in.
// default: default
ServiceAccount string `json:"serviceAccount,omitempty"`
// Volumes define some extra Kubernetes Volumes for the Vault Pods.
// default:
Volumes []v1.Volume `json:"volumes,omitempty"`
// VolumeMounts define some extra Kubernetes Volume mounts for the Vault Pods.
// default:
VolumeMounts []v1.VolumeMount `json:"volumeMounts,omitempty"`
// VolumeClaimTemplates define some extra Kubernetes PersistentVolumeClaim templates for the Vault Statefulset.
// default:
VolumeClaimTemplates []EmbeddedPersistentVolumeClaim `json:"volumeClaimTemplates,omitempty"`
// DEPRECATED: Use SecretInitsConfig instead
// VaultEnvsConfig is a list of Kubernetes environment variable definitions that will be passed to the Vault container.
// default:
VaultEnvsConfig []v1.EnvVar `json:"vaultEnvsConfig,omitempty"`
// SecretInitsConfig is a list of Kubernetes environment variable definitions that will be passed to the Vault container.
// default:
SecretInitsConfig []v1.EnvVar `json:"secretInitsConfig,omitempty"`
// SidecarEnvsConfig is a list of Kubernetes environment variable definitions that will be passed to Vault sidecar containers.
// default:
SidecarEnvsConfig []v1.EnvVar `json:"sidecarEnvsConfig,omitempty"`
// Resources defines the resource limits for all the resources created by the operator.
// See the type for more details.
// default:
Resources *Resources `json:"resources,omitempty"`
// Ingress, if it is specified the operator will create an Ingress resource for the Vault Service and
// will annotate it with the correct Ingress annotations specific to the TLS settings in the configuration.
// See the type for more details.
// default:
Ingress *Ingress `json:"ingress,omitempty"`
// ServiceMonitorEnabled enables the creation of Prometheus Operator specific ServiceMonitor for Vault.
// default: false
ServiceMonitorEnabled bool `json:"serviceMonitorEnabled,omitempty"`
// ExistingTLSSecretName is name of the secret that contains a TLS server certificate and key and the corresponding CA certificate.
// Required secret format kubernetes.io/tls type secret keys + ca.crt key
// If it is set, generating certificate will be disabled
// default: ""
ExistingTLSSecretName string `json:"existingTlsSecretName,omitempty"`
// TLSExpiryThreshold is the Vault TLS certificate expiration threshold in Go's Duration format.
// default: 168h
TLSExpiryThreshold string `json:"tlsExpiryThreshold,omitempty"`
// TLSAdditionalHosts is a list of additional hostnames or IP addresses to add to the SAN on the automatically generated TLS certificate.
// default:
TLSAdditionalHosts []string `json:"tlsAdditionalHosts,omitempty"`
// CANamespaces define a list of namespaces where the generated CA certificate for Vault should be distributed,
// use ["*"] for all namespaces.
// default:
CANamespaces []string `json:"caNamespaces,omitempty"`
// IstioEnabled describes if the cluster has a Istio running and enabled.
// default: false
IstioEnabled bool `json:"istioEnabled,omitempty"`
// VeleroEnabled describes if the cluster has a Velero running and enabled.
// default: false
VeleroEnabled bool `json:"veleroEnabled,omitempty"`
// VeleroFsfreezeImage specifices the Velero Fsrfeeze image to use in Velero backup hooks
// default: velero/fsfreeze-pause:latest
VeleroFsfreezeImage string `json:"veleroFsfreezeImage,omitempty"`
// VaultContainers add extra containers
VaultContainers []v1.Container `json:"vaultContainers,omitempty"`
// VaultInitContainers add extra initContainers
VaultInitContainers []v1.Container `json:"vaultInitContainers,omitempty"`
}
VaultSpec defines the desired state of Vault
func (*VaultSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultSpec.
func (*VaultSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultSpec) ExternalConfigJSON ¶
ExternalConfigJSON returns the ExternalConfig field as a JSON string
func (*VaultSpec) GetAPIPortName ¶
GetAPIPortName returns the main Vault port name based on Istio and TLS settings
func (*VaultSpec) GetAPIScheme ¶
GetAPIScheme returns if Vault's API address should be called on http or https
func (*VaultSpec) GetAnnotations ¶
GetAnnotations returns the Common Annotations
func (*VaultSpec) GetBankVaultsImage ¶
GetBankVaultsImage returns the bank-vaults image to use
func (*VaultSpec) GetFluentDConfMountPath ¶
GetFluentDConfMountPath returns the mount path for the fluent.conf
func (*VaultSpec) GetFluentDImage ¶
GetFluentDImage returns the FluentD image to use
func (*VaultSpec) GetHAStorage ¶
GetHAStorage returns Vault's ha_storage stanza
func (*VaultSpec) GetHAStorageType ¶
GetHAStorageType returns the type of Vault's ha_storage stanza
func (*VaultSpec) GetServiceAccount ¶
GetServiceAccount returns the Kubernetes Service Account to use for Vault
func (*VaultSpec) GetStatsDImage ¶
GetStatsDImage returns the StatsD image to use
func (*VaultSpec) GetStorage ¶
GetStorage returns Vault's storage stanza
func (*VaultSpec) GetStorageType ¶
GetStorageType returns the type of Vault's storage stanza
func (*VaultSpec) GetTLSExpiryThreshold ¶
GetTLSExpiryThreshold returns the Vault TLS certificate expiration threshold
func (*VaultSpec) GetVaultAnnotations ¶
GetVaultAnnotations returns the Vault Pod , Secret and ConfigMap Annotations
func (*VaultSpec) GetVaultConfig ¶
func (*VaultSpec) GetVaultConfigurerAnnotations ¶
GetVaultConfigurerAnnotations returns the Vault Configurer Pod Annotations
func (*VaultSpec) GetVaultConfigurerLabels ¶
GetVaultConfigurerLabels returns the Vault Configurer Pod Labels
func (*VaultSpec) GetVaultImage ¶
GetVaultImage returns the Vault image to use
func (*VaultSpec) GetVaultLabels ¶
GetVaultLabels returns the Vault Pod, Secret and ConfigMap Labels
func (*VaultSpec) GetVeleroFsfreezeImage ¶
GetVeleroFsfreezeImage returns the Velero Fsreeze image to use
func (*VaultSpec) GetVersion ¶
GetVersion returns the version of Vault
func (*VaultSpec) GetVolumeClaimTemplates ¶
func (spec *VaultSpec) GetVolumeClaimTemplates() []v1.PersistentVolumeClaim
GetVolumeClaimTemplates fixes the "status diff" in PVC templates
func (*VaultSpec) GetWatchedSecretsAnnotations ¶
GetWatchedSecretsAnnotations returns the set of annotations for secrets to watch in the vault namespace
func (*VaultSpec) GetWatchedSecretsLabels ¶
GetWatchedSecretsLabels returns the set of labels for secrets to watch in the vault namespace
func (*VaultSpec) HasHAStorage ¶
HasHAStorage detects if Vault is configured to use a storage backend which supports High Availability or if it has ha_storage stanza, then doesn't check for ha_enabled flag
func (*VaultSpec) HasStorageHAEnabled ¶
HasStorageHAEnabled detects if the ha_enabled field is set to true in Vault's storage stanza
func (*VaultSpec) IsAutoUnseal ¶
IsAutoUnseal checks if auto-unseal is configured
func (*VaultSpec) IsFluentDEnabled ¶
IsFluentDEnabled returns true if fluentd sidecar is to be deployed
func (*VaultSpec) IsRaftBootstrapFollower ¶
IsRaftBootstrapFollower checks if this cluster should be considered the bootstrap follower.
func (*VaultSpec) IsRaftHAStorage ¶
IsRaftHAStorage checks if raft ha_storage is configured
func (*VaultSpec) IsRaftStorage ¶
IsRaftStorage checks if raft storage is configured
func (*VaultSpec) IsStatsDDisabled ¶
IsStatsDDisabled returns false if statsd sidecar is to be deployed
func (*VaultSpec) IsTLSDisabled ¶
IsTLSDisabled returns if Vault's TLS should be disabled
func (*VaultSpec) IsTelemetryUnauthenticated ¶
IsTelemetryUnauthenticated returns if Vault's telemetry endpoint can be accessed publicly
type VaultStatus ¶
type VaultStatus struct {
// Important: Run "make generate-code" to regenerate code after modifying this file
Nodes []string `json:"nodes"`
Leader string `json:"leader"`
Conditions []v1.ComponentCondition `json:"conditions,omitempty"`
}
VaultStatus defines the observed state of Vault
func (*VaultStatus) DeepCopy ¶
func (in *VaultStatus) DeepCopy() *VaultStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStatus.
func (*VaultStatus) DeepCopyInto ¶
func (in *VaultStatus) DeepCopyInto(out *VaultStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultUnsealConfig ¶
type VaultUnsealConfig struct {
Address string `json:"address"`
UnsealKeysPath string `json:"unsealKeysPath"`
Role string `json:"role,omitempty"`
AuthPath string `json:"authPath,omitempty"`
TokenPath string `json:"tokenPath,omitempty"`
Token string `json:"token,omitempty"`
}
VaultUnsealConfig holds the parameters for remote Vault based unsealing
func (*VaultUnsealConfig) DeepCopy ¶
func (in *VaultUnsealConfig) DeepCopy() *VaultUnsealConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultUnsealConfig.
func (*VaultUnsealConfig) DeepCopyInto ¶
func (in *VaultUnsealConfig) DeepCopyInto(out *VaultUnsealConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
Source Files
Click to show internal directories.
Click to hide internal directories.