From 17422f9ad1762523f136b9b0e3f0fb848b6b0bc4 Mon Sep 17 00:00:00 2001 From: Iossif Benbassat Date: Fri, 24 Oct 2025 14:30:55 +0300 Subject: [PATCH 01/11] empty change to test pipeline --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index f877ffd8..bc390a34 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,9 @@ go run main.go agent --agent-config-file ./path/to/agent/config/file.yaml -p 0h1 You can configure the agent to perform one data gathering loop and output the data to a local file: + + + ```bash go run . agent \ --agent-config-file examples/one-shot-secret.yaml \ From be05d3c2b7fb46644b066b7aac2b56199bfc140a Mon Sep 17 00:00:00 2001 From: Iossif Benbassat Date: Fri, 24 Oct 2025 17:18:15 +0300 Subject: [PATCH 02/11] update and generate crds --- README.md | 10 +- RELEASE.md | 28 +- .../charts/venafi-kubernetes-agent/Chart.yaml | 2 +- .../charts/venafi-kubernetes-agent/README.md | 25 +- .../jetstack.io_venaficonnections.yaml | 2777 +++++++++-------- ...fi-connection-crd.without-validations.yaml | 116 +- .../templates/venafi-connection-crd.yaml | 117 +- .../values.schema.json | 14 +- .../venafi-kubernetes-agent/values.yaml | 26 +- pkg/client/client_venafi_cloud.go | 2 +- 10 files changed, 1588 insertions(+), 1529 deletions(-) diff --git a/README.md b/README.md index bc390a34..83ebe80a 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Venafi Kubernetes Agent +# Discovery Agent [![tests](https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml/badge.svg?branch=master&event=push)](https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml) [![Go Reference](https://pkg.go.dev/badge/github.com/jetstack/jetstack-secure.svg)](https://pkg.go.dev/github.com/jetstack/jetstack-secure) 
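Review bot: the `README.md` hunk in PATCH 01/11 is not an empty change: it inserts three blank lines after "output the data to a local file:", and the `@@ -22,9 +22,6 @@` hunk of PATCH 02/11 deletes exactly those three lines again. Squash or drop 01/11 before merge so the series does not carry a pipeline-test commit whose only effect is reverted one commit later.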
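Review bot: the `@@ -1,4 +1,4 @@` README hunk of PATCH 02/11 renames the title to `# Discovery Agent` without saying what the project used to be called, while every identifier around it (the `jetstack-secure` repo and badges, the `venafi-kubernetes-agent` chart, the `venafi-agent` image) keeps the old name. The Chart.yaml hunk in this same patch writes "CyberArk Certificate Manager (formerly Venafi Control Plane)"; do the same here, e.g. `# Discovery Agent (formerly Venafi Kubernetes Agent)`, so readers searching for the old name still land on the right page.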
@@ -22,9 +22,6 @@ go run main.go agent --agent-config-file ./path/to/agent/config/file.yaml -p 0h1 You can configure the agent to perform one data gathering loop and output the data to a local file: - - - ```bash go run . agent \ --agent-config-file examples/one-shot-secret.yaml \ @@ -33,6 +30,7 @@ go run . agent \ ``` > Some examples of agent configuration files: +> > - [./agent.yaml](./agent.yaml). > - [./examples/one-shot-secret.yaml](./examples/one-shot-secret.yaml). > - [./examples/cert-manager-agent.yaml](./examples/cert-manager-agent.yaml). @@ -64,5 +62,5 @@ The following metrics are collected: An end to end test script is available in the [./hack/e2e/test.sh](./hack/e2e/test.sh) directory. It is configured to run in CI in the tests.yaml GitHub Actions workflow. To run the script you will need to add the `test-e2e` label to the PR. -The script creates a cluster in GKE and cleanups after itself unless the `keep-e2e-cluster` label is set on the PR. Adding that -label will leave the cluster running for further debugging but it will incur costs so manually delete the cluster when done. \ No newline at end of file +The script creates a cluster in GKE and cleanups after itself unless the `keep-e2e-cluster` label is set on the PR. Adding that +label will leave the cluster running for further debugging but it will incur costs so manually delete the cluster when done. diff --git a/RELEASE.md b/RELEASE.md index 529f7e65..6cce6548 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -10,6 +10,7 @@ The release process is semi-automated. > [!NOTE] > > Upon pushing the tag, a GitHub Action will do the following: +> > - Build and publish the container image: `quay.io/jetstack/venafi-agent`, > - Build and publish the Helm chart: `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`, > - Build and publish the container image: `quay.io/jetstack/disco-agent`, 
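Review bot: in the `@@ -64,5 +62,5 @@` README hunk the two `+` lines are identical to the `-` lines apart from the added trailing newline, so this is the moment to fix the wording they carry: "cleanups after itself" should read "cleans up after itself", and `./hack/e2e/test.sh` is a script, not a "directory".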
@@ -20,28 +21,30 @@ The release process is semi-automated. You will need to install `go-mod-upgrade`: - ```bash - go install github.com/oligot/go-mod-upgrade@latest - ``` + ```bash + go install github.com/oligot/go-mod-upgrade@latest + ``` - Then, run the following: + Then, run the following: - ```bash - go-mod-upgrade - make generate - ``` + ```bash + go-mod-upgrade + make generate + ``` - Finally, create a PR with the changes and merge it. + Finally, create a PR with the changes and merge it. 2. Open the [tests GitHub Actions workflow][tests-workflow] and verify that it succeeds on the master branch. 3. Run govulncheck: + ```bash make verify-govulncheck ``` 4. Create a tag for the new release: + ```sh export VERSION=v1.1.0 git tag --annotate --message="Release ${VERSION}" "${VERSION}" @@ -51,6 +54,7 @@ The release process is semi-automated. 5. Wait until the GitHub Actions finishes. 6. Navigate to the GitHub Releases page and select the draft release to edit. + 1. Click on “Generate release notes” to automatically compile the changelog. 2. Review and refine the generated notes to ensure they’re clear and useful for end users. @@ -59,7 +63,7 @@ The release process is semi-automated. 7. Publish the release. -8. Inform the `#venctl` channel that a new version of Venafi Kubernetes Agent has been +8. Inform the `#venctl` channel that a new version of Discovery Agent has been released. Make sure to share any breaking change that may affect `venctl connect` or `venctl generate`. 
@@ -73,7 +77,7 @@ The release process is semi-automated. For context, the new tag will create the following images: | Image | Automation | -|-----------------------------------------------------------|----------------------------------------------------------------------------------------------| +| --------------------------------------------------------- | -------------------------------------------------------------------------------------------- | | `quay.io/jetstack/venafi-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes | | `quay.io/jetstack/disco-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes | | `registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule | @@ -83,7 +87,7 @@ For context, the new tag will create the following images: and the following OCI Helm charts: | Helm Chart | Automation | -|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------| +| -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | | `oci://quay.io/jetstack/charts/venafi-kubernetes-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes | | `oci://quay.io/jetstack/charts/disco-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes | | `oci://registry.venafi.cloud/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule | diff --git a/deploy/charts/venafi-kubernetes-agent/Chart.yaml b/deploy/charts/venafi-kubernetes-agent/Chart.yaml index 59294b58..741f0806 100644 --- a/deploy/charts/venafi-kubernetes-agent/Chart.yaml +++ b/deploy/charts/venafi-kubernetes-agent/Chart.yaml 
@@ -3,7 +3,7 @@ name: venafi-kubernetes-agent type: application description: |- - The Venafi Kubernetes Agent connects your Kubernetes or Openshift cluster to the Venafi Control Plane. + The Discovery Agent connects your Kubernetes or Openshift cluster to the CyberArk Certificate Manager (formerly Venafi Control Plane). maintainers: - name: Venafi diff --git a/deploy/charts/venafi-kubernetes-agent/README.md b/deploy/charts/venafi-kubernetes-agent/README.md index 457bbb05..3adb3ee1 100644 --- a/deploy/charts/venafi-kubernetes-agent/README.md +++ b/deploy/charts/venafi-kubernetes-agent/README.md @@ -1,11 +1,12 @@ # venafi-kubernetes-agent -The Venafi Kubernetes Agent connects your Kubernetes or OpenShift cluster to the Venafi Control Plane. -You will require a Venafi Control Plane account to connect your cluster. +The Discovery Agent connects your Kubernetes or OpenShift cluster to the CyberArk Certificate Manager (formerly Venafi Control Plane). +You will require a CyberArk Certificate Manager account to connect your cluster. If you do not have one, you can sign up for a free trial now at: + - https://venafi.com/try-venafi/tls-protect/ -> 📖 Read the [Venafi Kubernetes Agent documentation](https://docs.venafi.cloud/vaas/k8s-components/c-tlspk-agent-overview/), +> 📖 Read the [Discovery Agent documentation](https://docs.venafi.cloud/vaas/k8s-components/c-tlspk-agent-overview/), > to learn how install and configure this Helm chart. ## Values @@ -104,7 +105,7 @@ default replicas, do not scale up > registry.venafi.cloud/venafi-agent/venafi-agent > ``` -The container image for the Venafi Enhanced Issuer manager. +The container image for the Enterprise Issuer manager. #### **image.pullPolicy** ~ `string` > Default value: > ```yaml 
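Review bot: the `@@ -1,11 +1,12 @@` hunk of the chart README leaves "to learn how install and configure this Helm chart" with a missing "to" on the context line directly under the rewritten `+` line; fix it in the same hunk. The sign-up link on the new `-` bullet, `https://venafi.com/try-venafi/tls-protect/`, still points at a Venafi/TLS Protect page after the text above it has been renamed to CyberArk Certificate Manager; confirm it is still the intended trial landing page or update it together with the name.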
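Review bot: the `@@ -104,7 +105,7 @@` hunk keeps a wrong description. The entry whose default is `registry.venafi.cloud/venafi-agent/venafi-agent` (the one just before `image.pullPolicy`) is the agent's own container image, so "The container image for the Venafi Enhanced Issuer manager." was a copy-paste error before this patch, and "The container image for the Enterprise Issuer manager." carries it forward under a new name. Replace it with "The container image for the Discovery Agent." If this README is generated from the `values.yaml` comments (values.yaml is in the diffstat), fix the comment there and regenerate rather than editing the README by hand.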
@@ -282,7 +283,7 @@ extraArgs: > [] > ``` -Additional volumes to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle. For example: +Additional volumes to add to the Discovery Agent container. This is useful for mounting a custom CA bundle. For example: ```yaml volumes: @@ -303,7 +304,7 @@ In order to create the ConfigMap, you can use the following command: > [] > ``` -Additional volume mounts to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle. Any PEM certificate mounted under /etc/ssl/certs will be loaded by the Venafi Kubernetes Agent. For +Additional volume mounts to add to the Discovery Agent container. This is useful for mounting a custom CA bundle. Any PEM certificate mounted under /etc/ssl/certs will be loaded by the Discovery Agent. For ```yaml example: @@ -342,8 +343,8 @@ Configure VenafiConnection authentication > false > ``` -When set to true, the Venafi Kubernetes Agent will authenticate to. Venafi using the configuration in a VenafiConnection resource. Use `venafiConnection.enabled=true` for [secretless authentication](https://docs.venafi.cloud/vaas/k8s-components/t-install-tlspk-agent/). When set to true, the `authentication.secret` values will be ignored and the. Secret with `authentication.secretName` will _not_ be mounted into the -Venafi Kubernetes Agent Pod. +When set to true, the Discovery Agent will authenticate to. Venafi using the configuration in a VenafiConnection resource. Use `venafiConnection.enabled=true` for [secretless authentication](https://docs.venafi.cloud/vaas/k8s-components/t-install-tlspk-agent/). When set to true, the `authentication.secret` values will be ignored and the. Secret with `authentication.secretName` will _not_ be mounted into the +Discovery Agent Pod. #### **authentication.venafiConnection.name** ~ `string` > Default value: > ```yaml 
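Review bot: the `+` line of the `@@ -303,7 +304,7 @@` hunk still ends with a dangling "For", and the fenced block that follows opens with `example:`, so the rendered README shows a cut-off sentence and the word `example:` as the first line of the YAML sample. Close the sentence as "For example:" before the fence in the source comment so the generated output is correct.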
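Review bot: the `+` lines of the `@@ -342,8 +343,8 @@` hunk preserve "will authenticate to. Venafi using" and "and the. Secret with", i.e. sentences broken by a stray ". ", and still call the target "Venafi" where the rest of the patch says "CyberArk Certificate Manager". Since both lines are rewritten anyway, repair the punctuation and use the new product name in the source.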
@@ -364,7 +365,7 @@ The namespace of a VenafiConnection resource which contains the configuration fo > https://api.venafi.cloud/ > ``` -API URL of the Venafi Control Plane API. For EU tenants, set this value to https://api.venafi.eu/. If you are using the VenafiConnection authentication method, you must set the API URL using the field `spec.vcp.url` on the +API URL of the CyberArk Certificate Manager API. For EU tenants, set this value to https://api.venafi.eu/. If you are using the VenafiConnection authentication method, you must set the API URL using the field `spec.vcp.url` on the VenafiConnection resource instead. #### **config.clientId** ~ `string` > Default value: @@ -373,7 +374,7 @@ VenafiConnection resource instead. > ``` The client-id to be used for authenticating with the Venafi Control. Plane. Only useful when using a Key Pair Service Account in the Venafi. Control Plane. You can obtain the cliend ID by creating a Key Pair Service -Account in the Venafi Control Plane. +Account in the CyberArk Certificate Manager. #### **config.period** ~ `string` > Default value: > ```yaml @@ -438,7 +439,7 @@ Control Plane. > [] > ``` -You can configure Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the Venafi Control Plane. +You can configure Discovery Agent to exclude some annotations or labels from being pushed to the CyberArk Certificate Manager. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the CyberArk Certificate Manager. Dots is the only character that needs to be escaped in the regex. Use either double quotes with escaped single quotes or unquoted strings for the regex to avoid YAML parsing issues with `\.`. 
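Review bot: the `@@ -373,7 +374,7 @@` hunk changes only the last fragment of the `config.clientId` description to "CyberArk Certificate Manager", leaving "Venafi Control. Plane" twice (with the same stray period) and the typo "cliend ID" on the unchanged lines of the same paragraph, so one description now names the product two different ways in three sentences. Rename the whole paragraph in one go and correct it to "client ID".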
@@ -501,4 +502,4 @@ This option makes it so that the "helm.sh/resource-policy": keep annotation is a When set to false, the rendered output does not contain the. VenafiConnection CRDs and RBAC. This is useful for when the. Venafi Connection resources are already installed separately. - \ No newline at end of file + diff --git a/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml b/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml index 2321284a..c52c4db1 100644 --- a/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml +++ b/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml 
@@ -13,1381 +13,1436 @@ spec: listKind: VenafiConnectionList plural: venaficonnections shortNames: - - vc + - vc singular: venaficonnection scope: Namespaced versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: VenafiConnection is the Schema for the VenafiConnection API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - allowReferencesFrom: - description: |- - A namespace selector that specifies what namespaces this VenafiConnection - is allowed to be used from. - If not set/ null, the VenafiConnection can only be used within its namespace. - An empty selector ({}) matches all namespaces. - If set to a non-empty selector, the VenafiConnection can only be used from - namespaces that match the selector. This possibly excludes the namespace - the VenafiConnection is in. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. 
- Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: VenafiConnection is the Schema for the VenafiConnection API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + allowReferencesFrom: + description: |- + A namespace selector that specifies what namespaces this VenafiConnection + is allowed to be used from. + If not set/ null, the VenafiConnection can only be used within its namespace. + An empty selector ({}) matches all namespaces. + If set to a non-empty selector, the VenafiConnection can only be used from + namespaces that match the selector. This possibly excludes the namespace + the VenafiConnection is in. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: + key is the label key that the selector applies + to. type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - firefly: - properties: - accessToken: - description: |- - The list of steps to retrieve the Access Token that will be used to connect - to Firefly. - items: - properties: - hashicorpVaultLDAP: - description: |- - HashicorpVaultLDAP is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - ldapPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/ldap/static-cred/:role_name - or - /v1/ldap/creds/:role_name - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - ldapPath - type: object - hashicorpVaultOAuth: - description: |- - HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource - step to provide an OAuth token, which this step uses to authenticate to - Vault. The output of this step is a Vault token. This step allows you to use - the step `HashicorpVaultSecret` afterwards. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with HashiCorp Vault. The only supported value is "OIDC". 
- enum: - - OIDC - type: string - authPath: - description: |- - The login URL used for obtaining the Vault token. Example: - /v1/auth/oidc/login - type: string - clientId: - description: 'Deprecated: This field does nothing and - will be removed in the future.' - type: string - role: - description: |- - The role defined in Vault that we want to use when authenticating to - Vault. - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - authInputType - - authPath - - role - type: object - hashicorpVaultSecret: - description: |- - HashicorpVaultSecret is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - fields: - description: |- - The fields are Vault keys pointing to the secrets passed to the next - SecretSource step. - - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and - "password", you will want to set this field to `["username", - "password"]`. The username is expected to be given first, the password - second. - items: - type: string - type: array - secretPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/secret/data/application-team-a/tpp-username-password - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - fields - - secretPath - type: object - secret: - description: |- - Secret is a SecretSource step meant to be the first step. It retrieves secret - values from a Kubernetes Secret, and passes them to the next step. - properties: - fields: - description: |- - The names of the fields we want to extract from the Kubernetes secret. - These fields are passed to the next step in the chain. 
- items: - type: string - type: array - name: - description: The name of the Kubernetes secret. - type: string - required: - - fields - - name - type: object - serviceAccountToken: - description: |- - ServiceAccountToken is a SecretSource step meant to be the first step. It - uses the Kubernetes TokenRequest API to retrieve a token for a given service - account, and passes it to the next step. - properties: - audiences: - description: |- - Audiences are the intendend audiences of the token. A recipient of a - token must identify themself with an identifier in the list of - audiences of the token, and otherwise should reject the token. A - token issued for multiple audiences may be used to authenticate - against any of the audiences listed but implies a high degree of - trust between the target audiences. - items: - type: string - type: array - expirationSeconds: - description: |- - ExpirationSeconds is the requested duration of validity of the request. The - token issuer may return a token with a different validity duration so a - client needs to check the 'expiration' field in a response. - format: int64 - type: integer - name: - description: The name of the Kubernetes service account. - type: string - required: - - audiences - - name - type: object - tppOAuth: - description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This - step is meant to be the last step and requires a prior step that depends - on the `authInputType`. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". - enum: - - UsernamePassword - - JWT - type: string - clientId: - description: ClientID is the clientId used to authenticate - with TPP. - type: string - url: - description: |- - The URL to connect to the Venafi TPP instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. 
The ending `/vedsdk` is optional and is stripped out - by our client. - If not set, defaults to the URL defined at the top-level of the - TPP configuration. - type: string - required: - - authInputType - type: object - vcpOAuth: - description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step - that outputs a JWT token. - properties: - tenantID: - description: TenantID is the tenant ID used to authenticate - with VCP. - type: string - type: object - type: object - x-kubernetes-validations: - - message: must have exactly one field set - rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) - ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) - ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) - ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' - maxItems: 50 - type: array - x-kubernetes-list-type: atomic - url: - description: The URL to connect to the Venafi Firefly instance. - type: string - required: - - url - type: object - tpp: - properties: - accessToken: - description: The list of steps to retrieve a TPP access token. - items: - properties: - hashicorpVaultLDAP: - description: |- - HashicorpVaultLDAP is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - ldapPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/ldap/static-cred/:role_name - or - /v1/ldap/creds/:role_name - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. 
- type: string - required: - - ldapPath - type: object - hashicorpVaultOAuth: - description: |- - HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource - step to provide an OAuth token, which this step uses to authenticate to - Vault. The output of this step is a Vault token. This step allows you to use - the step `HashicorpVaultSecret` afterwards. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with HashiCorp Vault. The only supported value is "OIDC". - enum: - - OIDC - type: string - authPath: - description: |- - The login URL used for obtaining the Vault token. Example: - /v1/auth/oidc/login - type: string - clientId: - description: 'Deprecated: This field does nothing and - will be removed in the future.' - type: string - role: - description: |- - The role defined in Vault that we want to use when authenticating to - Vault. - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - authInputType - - authPath - - role - type: object - hashicorpVaultSecret: - description: |- - HashicorpVaultSecret is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - fields: - description: |- - The fields are Vault keys pointing to the secrets passed to the next - SecretSource step. - - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and - "password", you will want to set this field to `["username", - "password"]`. The username is expected to be given first, the password - second. - items: - type: string - type: array - secretPath: - description: |- - The full HTTP path to the secret in Vault. 
Example: - /v1/secret/data/application-team-a/tpp-username-password - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - fields - - secretPath - type: object - secret: - description: |- - Secret is a SecretSource step meant to be the first step. It retrieves secret - values from a Kubernetes Secret, and passes them to the next step. - properties: - fields: - description: |- - The names of the fields we want to extract from the Kubernetes secret. - These fields are passed to the next step in the chain. - items: - type: string - type: array - name: - description: The name of the Kubernetes secret. - type: string - required: - - fields - - name - type: object - serviceAccountToken: - description: |- - ServiceAccountToken is a SecretSource step meant to be the first step. It - uses the Kubernetes TokenRequest API to retrieve a token for a given service - account, and passes it to the next step. - properties: - audiences: - description: |- - Audiences are the intendend audiences of the token. A recipient of a - token must identify themself with an identifier in the list of - audiences of the token, and otherwise should reject the token. A - token issued for multiple audiences may be used to authenticate - against any of the audiences listed but implies a high degree of - trust between the target audiences. - items: - type: string - type: array - expirationSeconds: - description: |- - ExpirationSeconds is the requested duration of validity of the request. The - token issuer may return a token with a different validity duration so a - client needs to check the 'expiration' field in a response. - format: int64 - type: integer - name: - description: The name of the Kubernetes service account. - type: string - required: - - audiences - - name - type: object - tppOAuth: - description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. 
This - step is meant to be the last step and requires a prior step that depends - on the `authInputType`. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". - enum: - - UsernamePassword - - JWT - type: string - clientId: - description: ClientID is the clientId used to authenticate - with TPP. - type: string - url: - description: |- - The URL to connect to the Venafi TPP instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out - by our client. - If not set, defaults to the URL defined at the top-level of the - TPP configuration. - type: string - required: - - authInputType - type: object - vcpOAuth: - description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step - that outputs a JWT token. - properties: - tenantID: - description: TenantID is the tenant ID used to authenticate - with VCP. - type: string - type: object - type: object - x-kubernetes-validations: - - message: must have exactly one field set - rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) - ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) - ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) - ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' - maxItems: 50 - type: array - x-kubernetes-list-type: atomic - url: - description: |- - The URL to connect to the Venafi TPP instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out by - venafi-connection-lib. 
- type: string - required: - - url - type: object - vaas: - description: 'Deprecated: The ''vaas'' field is deprecated use the - field called ''vcp'' instead.' - properties: - accessToken: - description: |- - The list of steps to retrieve the Access Token that will be used to connect - to VCP. - items: - properties: - hashicorpVaultLDAP: - description: |- - HashicorpVaultLDAP is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - ldapPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/ldap/static-cred/:role_name - or - /v1/ldap/creds/:role_name - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - ldapPath - type: object - hashicorpVaultOAuth: - description: |- - HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource - step to provide an OAuth token, which this step uses to authenticate to - Vault. The output of this step is a Vault token. This step allows you to use - the step `HashicorpVaultSecret` afterwards. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with HashiCorp Vault. The only supported value is "OIDC". - enum: - - OIDC - type: string - authPath: - description: |- - The login URL used for obtaining the Vault token. Example: - /v1/auth/oidc/login - type: string - clientId: - description: 'Deprecated: This field does nothing and - will be removed in the future.' - type: string - role: - description: |- - The role defined in Vault that we want to use when authenticating to - Vault. - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. 
- type: string - required: - - authInputType - - authPath - - role - type: object - hashicorpVaultSecret: - description: |- - HashicorpVaultSecret is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - fields: - description: |- - The fields are Vault keys pointing to the secrets passed to the next - SecretSource step. - - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and - "password", you will want to set this field to `["username", - "password"]`. The username is expected to be given first, the password - second. - items: - type: string - type: array - secretPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/secret/data/application-team-a/tpp-username-password - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - fields - - secretPath - type: object - secret: - description: |- - Secret is a SecretSource step meant to be the first step. It retrieves secret - values from a Kubernetes Secret, and passes them to the next step. - properties: - fields: - description: |- - The names of the fields we want to extract from the Kubernetes secret. - These fields are passed to the next step in the chain. - items: - type: string - type: array - name: - description: The name of the Kubernetes secret. - type: string - required: - - fields - - name - type: object - serviceAccountToken: - description: |- - ServiceAccountToken is a SecretSource step meant to be the first step. It - uses the Kubernetes TokenRequest API to retrieve a token for a given service - account, and passes it to the next step. - properties: - audiences: - description: |- - Audiences are the intendend audiences of the token. 
A recipient of a - token must identify themself with an identifier in the list of - audiences of the token, and otherwise should reject the token. A - token issued for multiple audiences may be used to authenticate - against any of the audiences listed but implies a high degree of - trust between the target audiences. - items: - type: string - type: array - expirationSeconds: - description: |- - ExpirationSeconds is the requested duration of validity of the request. The - token issuer may return a token with a different validity duration so a - client needs to check the 'expiration' field in a response. - format: int64 - type: integer - name: - description: The name of the Kubernetes service account. - type: string - required: - - audiences - - name - type: object - tppOAuth: - description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This - step is meant to be the last step and requires a prior step that depends - on the `authInputType`. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". - enum: - - UsernamePassword - - JWT - type: string - clientId: - description: ClientID is the clientId used to authenticate - with TPP. - type: string - url: - description: |- - The URL to connect to the Venafi TPP instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out - by our client. - If not set, defaults to the URL defined at the top-level of the - TPP configuration. - type: string - required: - - authInputType - type: object - vcpOAuth: - description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step - that outputs a JWT token. 
- properties: - tenantID: - description: TenantID is the tenant ID used to authenticate - with VCP. - type: string - type: object - type: object - x-kubernetes-validations: - - message: must have exactly one field set - rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) - ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) - ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) - ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' - maxItems: 50 - type: array - x-kubernetes-list-type: atomic - apiKey: - description: |- - The list of steps to retrieve the API key that will be used to connect to - VCP. - items: - properties: - hashicorpVaultLDAP: - description: |- - HashicorpVaultLDAP is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - ldapPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/ldap/static-cred/:role_name - or - /v1/ldap/creds/:role_name - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - ldapPath - type: object - hashicorpVaultOAuth: - description: |- - HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource - step to provide an OAuth token, which this step uses to authenticate to - Vault. The output of this step is a Vault token. This step allows you to use - the step `HashicorpVaultSecret` afterwards. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with HashiCorp Vault. The only supported value is "OIDC". - enum: - - OIDC - type: string - authPath: - description: |- - The login URL used for obtaining the Vault token. 
Example: - /v1/auth/oidc/login - type: string - clientId: - description: 'Deprecated: This field does nothing and - will be removed in the future.' - type: string - role: - description: |- - The role defined in Vault that we want to use when authenticating to - Vault. - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - authInputType - - authPath - - role - type: object - hashicorpVaultSecret: - description: |- - HashicorpVaultSecret is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - fields: - description: |- - The fields are Vault keys pointing to the secrets passed to the next - SecretSource step. - - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and - "password", you will want to set this field to `["username", - "password"]`. The username is expected to be given first, the password - second. - items: - type: string - type: array - secretPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/secret/data/application-team-a/tpp-username-password - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - fields - - secretPath - type: object - secret: - description: |- - Secret is a SecretSource step meant to be the first step. It retrieves secret - values from a Kubernetes Secret, and passes them to the next step. - properties: - fields: - description: |- - The names of the fields we want to extract from the Kubernetes secret. - These fields are passed to the next step in the chain. - items: - type: string - type: array - name: - description: The name of the Kubernetes secret. 
- type: string - required: - - fields - - name - type: object - serviceAccountToken: - description: |- - ServiceAccountToken is a SecretSource step meant to be the first step. It - uses the Kubernetes TokenRequest API to retrieve a token for a given service - account, and passes it to the next step. - properties: - audiences: - description: |- - Audiences are the intendend audiences of the token. A recipient of a - token must identify themself with an identifier in the list of - audiences of the token, and otherwise should reject the token. A - token issued for multiple audiences may be used to authenticate - against any of the audiences listed but implies a high degree of - trust between the target audiences. - items: - type: string - type: array - expirationSeconds: - description: |- - ExpirationSeconds is the requested duration of validity of the request. The - token issuer may return a token with a different validity duration so a - client needs to check the 'expiration' field in a response. - format: int64 - type: integer - name: - description: The name of the Kubernetes service account. - type: string - required: - - audiences - - name - type: object - tppOAuth: - description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This - step is meant to be the last step and requires a prior step that depends - on the `authInputType`. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". - enum: - - UsernamePassword - - JWT - type: string - clientId: - description: ClientID is the clientId used to authenticate - with TPP. - type: string - url: - description: |- - The URL to connect to the Venafi TPP instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out - by our client. 
- If not set, defaults to the URL defined at the top-level of the - TPP configuration. - type: string - required: - - authInputType - type: object - vcpOAuth: - description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step - that outputs a JWT token. - properties: - tenantID: - description: TenantID is the tenant ID used to authenticate - with VCP. - type: string - type: object - type: object - x-kubernetes-validations: - - message: must have exactly one field set - rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) - ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) - ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) - ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' - maxItems: 50 - type: array - x-kubernetes-list-type: atomic - url: - description: |- - The URL to connect to the Venafi VCP instance. If not set, the default - value https://api.venafi.cloud is used. - type: string - type: object - x-kubernetes-validations: - - message: 'must have exactly ONE of the following fields set: apiKey - or accessToken' - rule: '(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : - 0) == 1' - vcp: - properties: - accessToken: - description: |- - The list of steps to retrieve the Access Token that will be used to connect - to VCP. - items: - properties: - hashicorpVaultLDAP: - description: |- - HashicorpVaultLDAP is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - ldapPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/ldap/static-cred/:role_name - or - /v1/ldap/creds/:role_name - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. 
- type: string - required: - - ldapPath - type: object - hashicorpVaultOAuth: - description: |- - HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource - step to provide an OAuth token, which this step uses to authenticate to - Vault. The output of this step is a Vault token. This step allows you to use - the step `HashicorpVaultSecret` afterwards. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with HashiCorp Vault. The only supported value is "OIDC". - enum: - - OIDC - type: string - authPath: - description: |- - The login URL used for obtaining the Vault token. Example: - /v1/auth/oidc/login - type: string - clientId: - description: 'Deprecated: This field does nothing and - will be removed in the future.' - type: string - role: - description: |- - The role defined in Vault that we want to use when authenticating to - Vault. - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - authInputType - - authPath - - role - type: object - hashicorpVaultSecret: - description: |- - HashicorpVaultSecret is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - fields: - description: |- - The fields are Vault keys pointing to the secrets passed to the next - SecretSource step. - - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and - "password", you will want to set this field to `["username", - "password"]`. The username is expected to be given first, the password - second. - items: - type: string - type: array - secretPath: - description: |- - The full HTTP path to the secret in Vault. 
Example: - /v1/secret/data/application-team-a/tpp-username-password - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - fields - - secretPath - type: object - secret: - description: |- - Secret is a SecretSource step meant to be the first step. It retrieves secret - values from a Kubernetes Secret, and passes them to the next step. - properties: - fields: - description: |- - The names of the fields we want to extract from the Kubernetes secret. - These fields are passed to the next step in the chain. - items: - type: string - type: array - name: - description: The name of the Kubernetes secret. - type: string - required: - - fields - - name - type: object - serviceAccountToken: - description: |- - ServiceAccountToken is a SecretSource step meant to be the first step. It - uses the Kubernetes TokenRequest API to retrieve a token for a given service - account, and passes it to the next step. - properties: - audiences: - description: |- - Audiences are the intendend audiences of the token. A recipient of a - token must identify themself with an identifier in the list of - audiences of the token, and otherwise should reject the token. A - token issued for multiple audiences may be used to authenticate - against any of the audiences listed but implies a high degree of - trust between the target audiences. - items: - type: string - type: array - expirationSeconds: - description: |- - ExpirationSeconds is the requested duration of validity of the request. The - token issuer may return a token with a different validity duration so a - client needs to check the 'expiration' field in a response. - format: int64 - type: integer - name: - description: The name of the Kubernetes service account. - type: string - required: - - audiences - - name - type: object - tppOAuth: - description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. 
This - step is meant to be the last step and requires a prior step that depends - on the `authInputType`. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". - enum: - - UsernamePassword - - JWT - type: string - clientId: - description: ClientID is the clientId used to authenticate - with TPP. - type: string - url: - description: |- - The URL to connect to the Venafi TPP instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out - by our client. - If not set, defaults to the URL defined at the top-level of the - TPP configuration. - type: string - required: - - authInputType - type: object - vcpOAuth: - description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step - that outputs a JWT token. - properties: - tenantID: - description: TenantID is the tenant ID used to authenticate - with VCP. - type: string - type: object - type: object - x-kubernetes-validations: - - message: must have exactly one field set - rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) - ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) - ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) - ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' - maxItems: 50 - type: array - x-kubernetes-list-type: atomic - apiKey: - description: |- - The list of steps to retrieve the API key that will be used to connect to - VCP. - items: - properties: - hashicorpVaultLDAP: - description: |- - HashicorpVaultLDAP is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. 
- properties: - ldapPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/ldap/static-cred/:role_name - or - /v1/ldap/creds/:role_name - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - ldapPath - type: object - hashicorpVaultOAuth: - description: |- - HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource - step to provide an OAuth token, which this step uses to authenticate to - Vault. The output of this step is a Vault token. This step allows you to use - the step `HashicorpVaultSecret` afterwards. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with HashiCorp Vault. The only supported value is "OIDC". - enum: - - OIDC - type: string - authPath: - description: |- - The login URL used for obtaining the Vault token. Example: - /v1/auth/oidc/login - type: string - clientId: - description: 'Deprecated: This field does nothing and - will be removed in the future.' - type: string - role: - description: |- - The role defined in Vault that we want to use when authenticating to - Vault. - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - authInputType - - authPath - - role - type: object - hashicorpVaultSecret: - description: |- - HashicorpVaultSecret is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - fields: - description: |- - The fields are Vault keys pointing to the secrets passed to the next - SecretSource step. - - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and - "password", you will want to set this field to `["username", - "password"]`. 
The username is expected to be given first, the password - second. - items: - type: string - type: array - secretPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/secret/data/application-team-a/tpp-username-password - type: string - url: - description: The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - fields - - secretPath - type: object - secret: - description: |- - Secret is a SecretSource step meant to be the first step. It retrieves secret - values from a Kubernetes Secret, and passes them to the next step. - properties: - fields: - description: |- - The names of the fields we want to extract from the Kubernetes secret. - These fields are passed to the next step in the chain. - items: - type: string - type: array - name: - description: The name of the Kubernetes secret. - type: string - required: - - fields - - name - type: object - serviceAccountToken: - description: |- - ServiceAccountToken is a SecretSource step meant to be the first step. It - uses the Kubernetes TokenRequest API to retrieve a token for a given service - account, and passes it to the next step. - properties: - audiences: - description: |- - Audiences are the intendend audiences of the token. A recipient of a - token must identify themself with an identifier in the list of - audiences of the token, and otherwise should reject the token. A - token issued for multiple audiences may be used to authenticate - against any of the audiences listed but implies a high degree of - trust between the target audiences. - items: - type: string - type: array - expirationSeconds: - description: |- - ExpirationSeconds is the requested duration of validity of the request. The - token issuer may return a token with a different validity duration so a - client needs to check the 'expiration' field in a response. - format: int64 - type: integer - name: - description: The name of the Kubernetes service account. 
- type: string - required: - - audiences - - name - type: object - tppOAuth: - description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This - step is meant to be the last step and requires a prior step that depends - on the `authInputType`. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". - enum: - - UsernamePassword - - JWT - type: string - clientId: - description: ClientID is the clientId used to authenticate - with TPP. - type: string - url: - description: |- - The URL to connect to the Venafi TPP instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out - by our client. - If not set, defaults to the URL defined at the top-level of the - TPP configuration. - type: string - required: - - authInputType - type: object - vcpOAuth: - description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step - that outputs a JWT token. - properties: - tenantID: - description: TenantID is the tenant ID used to authenticate - with VCP. - type: string - type: object + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - x-kubernetes-validations: - - message: must have exactly one field set - rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) - ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) - ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) - ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' - maxItems: 50 - type: array - x-kubernetes-list-type: atomic - url: - description: |- - The URL to connect to the Venafi VCP instance. If not set, the default - value https://api.venafi.cloud is used. - type: string - type: object - x-kubernetes-validations: - - message: 'must have exactly ONE of the following fields set: apiKey - or accessToken' - rule: '(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : - 0) == 1' - type: object - x-kubernetes-validations: - - message: 'must have exactly ONE of the following fields set: tpp or - vcp' - rule: '(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp) - ? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1' - status: - properties: - conditions: - description: List of status conditions to indicate the status of a - VenafiConnection. - items: - description: ConnectionCondition contains condition information - for a VenafiConnection. + type: object + x-kubernetes-map-type: atomic + firefly: properties: - lastTransitionTime: + accessToken: description: |- - LastTransitionTime is the timestamp corresponding to the last status - change of this condition. 
- format: date-time - type: string - lastUpdateTime: - description: lastUpdateTime is the time of the last update to - this condition - format: date-time + The list of steps to retrieve the Access Token that will be used to connect + to CyberArk Workload Identity Manager. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: + "Deprecated: This field does nothing and + will be removed in the future." + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. 
+ type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. 
+ properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + description: + ClientID is the clientId used to authenticate + with Control Plane, Self-Hosted. + type: string + url: + description: |- + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + Control Plane, Self-Hosted configuration. 
+ type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: + TenantID is the tenant ID used to authenticate + with Control Plane, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: + "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: The URL to connect to the Venafi CyberArk Workload Identity Manager instance. type: string - message: + required: + - url + type: object + tpp: + properties: + accessToken: + description: The list of steps to retrieve a Control Plane, Self-Hosted access token. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. 
This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: + "Deprecated: This field does nothing and + will be removed in the future." + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. 
It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". 
+ enum: + - UsernamePassword + - JWT + type: string + clientId: + description: + ClientID is the clientId used to authenticate + with Control Plane, Self-Hosted. + type: string + url: + description: |- + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + Control Plane, Self-Hosted configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: + TenantID is the tenant ID used to authenticate + with Control Plane, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: + "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: description: |- - Message is a human readable description of the details of the last - transition, complementing reason. + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out by + venafi-connection-lib. type: string - observedGeneration: + required: + - url + type: object + vaas: + description: + "Deprecated: The 'vaas' field is deprecated use the + field called 'vcp' instead." 
+ properties: + accessToken: description: |- - If set, this represents the .metadata.generation that the condition was - set based upon. - For instance, if .metadata.generation is currently 12, but the - .status.condition[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the Issuer. - format: int64 - type: integer - reason: + The list of steps to retrieve the Access Token that will be used to connect + to Control Plane, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: + "Deprecated: This field does nothing and + will be removed in the future." + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. 
+ type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. 
It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + description: + ClientID is the clientId used to authenticate + with Control Plane, Self-Hosted. + type: string + url: + description: |- + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. 
+ If not set, defaults to the URL defined at the top-level of the + Control Plane, Self-Hosted configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: + TenantID is the tenant ID used to authenticate + with Control Plane, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: + "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: description: |- - Reason is a brief machine readable explanation for the condition's last - transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, - `Unknown`). - type: string - tokenValidUntil: + The list of steps to retrieve the API key that will be used to connect to + Control Plane, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. 
+ type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: + "Deprecated: This field does nothing and + will be removed in the future." + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. 
Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). 
This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + description: + ClientID is the clientId used to authenticate + with Control Plane, Self-Hosted. + type: string + url: + description: |- + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + Control Plane, Self-Hosted configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: + TenantID is the tenant ID used to authenticate + with Control Plane, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: + "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: description: |- - The ValidUntil time of the token used to authenticate with the Venafi - Control Plane server. - format: date-time + The URL to connect to the Control Plane, SaaS instance. If not set, the default + value https://api.venafi.cloud is used. 
type: string - type: + type: object + x-kubernetes-validations: + - message: + "must have exactly ONE of the following fields set: apiKey + or accessToken" + rule: + "(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : + 0) == 1" + vcp: + properties: + accessToken: description: |- - Type of the condition, should be a combination of the unique name of the - operator and the type of condition. - eg. `VenafiEnhancedIssuerReady` + The list of steps to retrieve the Access Token that will be used to connect + to Control Plane, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: + "Deprecated: This field does nothing and + will be removed in the future." 
+ type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. 
+ type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + description: + ClientID is the clientId used to authenticate + with Control Plane, Self-Hosted. + type: string + url: + description: |- + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. 
The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + Control Plane, Self-Hosted configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: + TenantID is the tenant ID used to authenticate + with Control Plane, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: + "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + Control Plane, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. 
The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: + "Deprecated: This field does nothing and + will be removed in the future." + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: + The URL to connect to your HashiCorp Vault + instance. 
+ type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. 
+ properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + description: + ClientID is the clientId used to authenticate + with Control Plane, Self-Hosted. + type: string + url: + description: |- + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + Control Plane, Self-Hosted configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: + TenantID is the tenant ID used to authenticate + with Control Plane, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: + "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Control Plane, SaaS instance. If not set, the default + value https://api.venafi.cloud is used. 
type: string - required: - - status - - type type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - type: object - served: true - storage: true - subresources: - status: {} + x-kubernetes-validations: + - message: + "must have exactly ONE of the following fields set: apiKey + or accessToken" + rule: + "(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : + 0) == 1" + type: object + x-kubernetes-validations: + - message: + "must have exactly ONE of the following fields set: tpp or + vcp" + rule: + "(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp) + ? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1" + status: + properties: + conditions: + description: + List of status conditions to indicate the status of a + VenafiConnection. + items: + description: + ConnectionCondition contains condition information + for a VenafiConnection. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. + format: date-time + type: string + lastUpdateTime: + description: + lastUpdateTime is the time of the last update to + this condition + format: date-time + type: string + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. + type: string + observedGeneration: + description: |- + If set, this represents the .metadata.generation that the condition was + set based upon. + For instance, if .metadata.generation is currently 12, but the + .status.condition[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the Issuer. + format: int64 + type: integer + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: + Status of the condition, one of (`True`, `False`, + `Unknown`). 
+ type: string + tokenValidUntil: + description: |- + The ValidUntil time of the token used to authenticate with the Venafi + Control Plane server. + format: date-time + type: string + type: + description: |- + Type of the condition, should be a combination of the unique name of the + operator and the type of condition. + eg. `VenafiEnhancedIssuerReady` + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml index 7750112e..32c9b07f 100644 --- a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml +++ b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml @@ -104,7 +104,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to Firefly. + to CyberArk Workload Identity Manager. items: properties: hashicorpVaultLDAP: @@ -172,8 +172,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
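Review bot: in the jetstack.io_venaficonnections.yaml hunk above, the top-level `x-kubernetes-validations` message does not match its rule. The message reads `"must have exactly ONE of the following fields set: tpp or vcp"` while the rule counts four fields, `(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp) ? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1`, so a user who sets `firefly` together with `vcp` gets an error that never mentions `firefly`. Since this file is generated, the fix belongs in the CEL marker on the Go type (list all four names, or drop `vaas` from the rule if it is no longer a supported field) and the CRD should then be regenerated. Same hunk, the `observedGeneration` description still says the condition is "out of date with respect to the current state of the Issuer" although this is a VenafiConnection; that wording also comes from the Go source and is worth correcting in the same pass.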
@@ -244,29 +244,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with TPP. + description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. type: string url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - TPP configuration. + Control Plane, Self-Hosted configuration. type: string required: - authInputType @@ -278,7 +278,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with VCP. + description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. type: string type: object type: object @@ -286,7 +286,7 @@ spec: type: array x-kubernetes-list-type: atomic url: - description: The URL to connect to the Venafi Firefly instance. + description: The URL to connect to the Venafi CyberArk Workload Identity Manager instance. type: string required: - url 
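Review bot: the `url` description in the `@@ -286,7 +286,7 @@` hunk becomes `The URL to connect to the Venafi CyberArk Workload Identity Manager instance.`, which keeps the old "Venafi" prefix in front of the new product name while every other rename in this patch drops it (for example `to CyberArk Workload Identity Manager.` a few hunks earlier). The prefixes are also mixed for the self-hosted product: `CyberArk Control Plane, Self-Hosted instance` in the `url` field versus plain `Control Plane, Self-Hosted` in `authInputType`, `clientId` and the access-token descriptions. Pick one form per product and apply it consistently; the same strings recur in the venafi-connection-crd.yaml template and in the generated CRD, so they should be changed at the source the templates are rendered from rather than patched by hand in each copy.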
@@ -294,7 +294,7 @@ spec: tpp: properties: accessToken: - description: The list of steps to retrieve a TPP access token. + description: The list of steps to retrieve a Control Plane, Self-Hosted access token. items: properties: hashicorpVaultLDAP: @@ -362,8 +362,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -434,29 +434,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with TPP. + description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. type: string url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - TPP configuration. + Control Plane, Self-Hosted configuration. type: string required: - authInputType @@ -468,7 +468,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with VCP. + description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. type: string type: object type: object @@ -477,7 +477,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by venafi-connection-lib. 
@@ -491,7 +491,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to VCP. + to Control Plane, SaaS. items: properties: hashicorpVaultLDAP: @@ -559,8 +559,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -631,29 +631,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with TPP. + description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. type: string url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - TPP configuration. + Control Plane, Self-Hosted configuration. type: string required: - authInputType @@ -665,7 +665,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with VCP. + description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. type: string type: object type: object @@ -675,7 +675,7 @@ spec: apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - VCP. + Control Plane, SaaS. items: properties: hashicorpVaultLDAP: 
@@ -743,8 +743,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. @@ -815,29 +815,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with TPP. + description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. type: string url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - TPP configuration. + Control Plane, Self-Hosted configuration. type: string required: - authInputType 
@@ -849,7 +849,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with VCP. + description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. type: string type: object type: object @@ -858,7 +858,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Venafi VCP instance. If not set, the default + The URL to connect to the Control Plane, SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object @@ -867,7 +867,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to VCP. + to Control Plane, SaaS. items: properties: hashicorpVaultLDAP: @@ -935,8 +935,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -1007,29 +1007,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with TPP. + description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. type: string url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - TPP configuration. + Control Plane, Self-Hosted configuration. type: string required: - authInputType @@ -1041,7 +1041,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with VCP. + description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. type: string type: object type: object @@ -1051,7 +1051,7 @@ spec: apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - VCP. + Control Plane, SaaS. items: properties: hashicorpVaultLDAP: 
@@ -1119,8 +1119,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. @@ -1191,29 +1191,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with TPP. + description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. type: string url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - TPP configuration. + Control Plane, Self-Hosted configuration. type: string required: - authInputType 
@@ -1225,7 +1225,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with VCP. + description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. type: string type: object type: object @@ -1234,7 +1234,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Venafi VCP instance. If not set, the default + The URL to connect to the Control Plane, SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object diff --git a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml index 9cf8eefe..6fc6ab93 100644 --- a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml +++ b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml @@ -104,7 +104,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to Firefly. + to CyberArk Workload Identity Manager. items: properties: hashicorpVaultLDAP: @@ -172,8 +172,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -244,29 +244,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with TPP. + description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. type: string url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - TPP configuration. + Control Plane, Self-Hosted configuration. type: string required: - authInputType @@ -278,7 +278,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with VCP. + description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. type: string type: object type: object @@ -289,7 +289,7 @@ spec: type: array x-kubernetes-list-type: atomic url: - description: The URL to connect to the Venafi Firefly instance. + description: The URL to connect to the Venafi CyberArk Workload Identity Manager instance. type: string required: - url 
@@ -297,7 +297,7 @@ spec: tpp: properties: accessToken: - description: The list of steps to retrieve a TPP access token. + description: The list of steps to retrieve a Control Plane, Self-Hosted access token. items: properties: hashicorpVaultLDAP: @@ -365,8 +365,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -437,29 +437,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with TPP. + description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. type: string url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - TPP configuration. + Control Plane, Self-Hosted configuration. type: string required: - authInputType @@ -471,7 +471,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with VCP. + description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. type: string type: object type: object @@ -483,7 +483,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by venafi-connection-lib. 
@@ -497,7 +497,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to VCP. + to Control Plane, SaaS. items: properties: hashicorpVaultLDAP: @@ -565,8 +565,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -637,29 +637,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with TPP. + description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. type: string url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - TPP configuration. + Control Plane, Self-Hosted configuration. type: string required: - authInputType @@ -671,7 +671,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with VCP. + description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. type: string type: object type: object @@ -684,7 +684,7 @@ spec: apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - VCP. + Control Plane, SaaS. items: properties: hashicorpVaultLDAP: 
@@ -752,8 +752,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. @@ -824,29 +824,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with TPP. + description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. type: string url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - TPP configuration. + Control Plane, Self-Hosted configuration. type: string required: - authInputType 
@@ -858,7 +858,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with VCP. + description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. type: string type: object type: object @@ -870,7 +870,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Venafi VCP instance. If not set, the default + The URL to connect to the Control Plane, SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object @@ -882,7 +882,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to VCP. + to Control Plane, SaaS. items: properties: hashicorpVaultLDAP: @@ -950,8 +950,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -1022,29 +1022,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with TPP. + description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. type: string url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - TPP configuration. + Control Plane, Self-Hosted configuration. type: string required: - authInputType @@ -1056,7 +1056,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with VCP. + description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. type: string type: object type: object @@ -1069,7 +1069,7 @@ spec: apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - VCP. + Control Plane, SaaS. items: properties: hashicorpVaultLDAP: 
@@ -1137,8 +1137,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (TPP, username and password): imagining that you have stored - the username and password for TPP under the keys "username" and + Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored + the username and password for Control Plane, Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. @@ -1209,29 +1209,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a TPP server. This + TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with TPP. The supported values are "UsernamePassword" and "JWT". + with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with TPP. + description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. type: string url: description: |- - The URL to connect to the Venafi TPP instance. The two URLs + The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - TPP configuration. + Control Plane, Self-Hosted configuration. type: string required: - authInputType 
@@ -1243,7 +1243,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with VCP. + description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. type: string type: object type: object @@ -1255,7 +1255,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Venafi VCP instance. If not set, the default + The URL to connect to the Control Plane, SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object @@ -1333,3 +1333,4 @@ spec: status: {} {{ end }} {{ end }} + \ No newline at end of file diff --git a/deploy/charts/venafi-kubernetes-agent/values.schema.json b/deploy/charts/venafi-kubernetes-agent/values.schema.json index 1301063f..66f50339 100644 --- a/deploy/charts/venafi-kubernetes-agent/values.schema.json +++ b/deploy/charts/venafi-kubernetes-agent/values.schema.json 
@@ -131,7 +131,7 @@ }, "helm-values.authentication.venafiConnection.enabled": { "default": false, - "description": "When set to true, the Venafi Kubernetes Agent will authenticate to. Venafi using the configuration in a VenafiConnection resource. Use `venafiConnection.enabled=true` for [secretless authentication](https://docs.venafi.cloud/vaas/k8s-components/t-install-tlspk-agent/). When set to true, the `authentication.secret` values will be ignored and the. Secret with `authentication.secretName` will _not_ be mounted into the\nVenafi Kubernetes Agent Pod.", + "description": "When set to true, the Discovery Agent will authenticate to. Venafi using the configuration in a VenafiConnection resource. Use `venafiConnection.enabled=true` for [secretless authentication](https://docs.venafi.cloud/vaas/k8s-components/t-install-tlspk-agent/). When set to true, the `authentication.secret` values will be ignored and the. Secret with `authentication.secretName` will _not_ be mounted into the\nDiscovery Agent Pod.", "type": "boolean" }, "helm-values.authentication.venafiConnection.name": { @@ -185,7 +185,7 @@ }, "helm-values.config.clientId": { "default": "", - "description": "The client-id to be used for authenticating with the Venafi Control. Plane. Only useful when using a Key Pair Service Account in the Venafi. Control Plane. You can obtain the cliend ID by creating a Key Pair Service\nAccount in the Venafi Control Plane.", + "description": "The client-id to be used for authenticating with the Venafi Control. Plane. Only useful when using a Key Pair Service Account in the Venafi. Control Plane. You can obtain the cliend ID by creating a Key Pair Service\nAccount in the CyberArk Certificate Manager.", "type": "string" }, "helm-values.config.clusterDescription": { 
@@ -214,7 +214,7 @@ "helm-values.config.configmap.name": {}, "helm-values.config.excludeAnnotationKeysRegex": { "default": [], - "description": "You can configure Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the Venafi Control Plane.\n\nDots is the only character that needs to be escaped in the regex. Use either double quotes with escaped single quotes or unquoted strings for the regex to avoid YAML parsing issues with `\\.`.\n\nExample: excludeAnnotationKeysRegex: ['^kapp\\.k14s\\.io/original.*']", + "description": "You can configure Discovery Agent to exclude some annotations or labels from being pushed to the CyberArk Certificate Manager. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the CyberArk Certificate Manager.\n\nDots is the only character that needs to be escaped in the regex. Use either double quotes with escaped single quotes or unquoted strings for the regex to avoid YAML parsing issues with `\\.`.\n\nExample: excludeAnnotationKeysRegex: ['^kapp\\.k14s\\.io/original.*']", "items": {}, "type": "array" }, 
@@ -264,7 +264,7 @@ }, "helm-values.config.server": { "default": "https://api.venafi.cloud/", - "description": "API URL of the Venafi Control Plane API. For EU tenants, set this value to https://api.venafi.eu/. If you are using the VenafiConnection authentication method, you must set the API URL using the field `spec.vcp.url` on the\nVenafiConnection resource instead.", + "description": "API URL of the CyberArk Certificate Manager API. For EU tenants, set this value to https://api.venafi.eu/. If you are using the VenafiConnection authentication method, you must set the API URL using the field `spec.vcp.url` on the\nVenafiConnection resource instead.", "type": "string" }, "helm-values.crds": { @@ -350,7 +350,7 @@ }, "helm-values.image.repository": { "default": "registry.venafi.cloud/venafi-agent/venafi-agent", - "description": "The container image for the Venafi Enhanced Issuer manager.", + "description": "The container image for the Enterprise Issuer manager.", "type": "string" }, "helm-values.image.tag": { 
@@ -583,13 +583,13 @@ }, "helm-values.volumeMounts": { "default": [], - "description": "Additional volume mounts to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle. Any PEM certificate mounted under /etc/ssl/certs will be loaded by the Venafi Kubernetes Agent. For\nexample:\n\nvolumeMounts:\n - name: cabundle\n mountPath: /etc/ssl/certs/cabundle\n subPath: cabundle\n readOnly: true", + "description": "Additional volume mounts to add to the Discovery Agent container. This is useful for mounting a custom CA bundle. Any PEM certificate mounted under /etc/ssl/certs will be loaded by the Discovery Agent. For\nexample:\n\nvolumeMounts:\n - name: cabundle\n mountPath: /etc/ssl/certs/cabundle\n subPath: cabundle\n readOnly: true", "items": {}, "type": "array" }, "helm-values.volumes": { "default": [], - "description": "Additional volumes to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle. For example:\nvolumes:\n - name: cabundle\n configMap:\n name: cabundle\n optional: false\n defaultMode: 0644\nIn order to create the ConfigMap, you can use the following command:\n\n kubectl create configmap cabundle \\\n --from-file=cabundle=./your/custom/ca/bundle.pem", + "description": "Additional volumes to add to the Discovery Agent container. This is useful for mounting a custom CA bundle. For example:\nvolumes:\n - name: cabundle\n configMap:\n name: cabundle\n optional: false\n defaultMode: 0644\nIn order to create the ConfigMap, you can use the following command:\n\n kubectl create configmap cabundle \\\n --from-file=cabundle=./your/custom/ca/bundle.pem", "items": {}, "type": "array" } diff --git a/deploy/charts/venafi-kubernetes-agent/values.yaml b/deploy/charts/venafi-kubernetes-agent/values.yaml index d84a48f6..05dd27c6 100644 --- a/deploy/charts/venafi-kubernetes-agent/values.yaml +++ b/deploy/charts/venafi-kubernetes-agent/values.yaml 
@@ -51,7 +51,7 @@ metrics: replicaCount: 1 image: - # The container image for the Venafi Enhanced Issuer manager. + # The container image for the Enterprise Issuer manager. repository: registry.venafi.cloud/venafi-agent/venafi-agent # Kubernetes imagePullPolicy on Deployment. @@ -162,7 +162,7 @@ command: [] # - --log-level=6 # To enable HTTP request logging extraArgs: [] -# Additional volumes to add to the Venafi Kubernetes Agent container. This is +# Additional volumes to add to the Discovery Agent container. This is # useful for mounting a custom CA bundle. For example: # # volumes: @@ -178,9 +178,9 @@ extraArgs: [] # --from-file=cabundle=./your/custom/ca/bundle.pem volumes: [] -# Additional volume mounts to add to the Venafi Kubernetes Agent container. +# Additional volume mounts to add to the Discovery Agent container. # This is useful for mounting a custom CA bundle. Any PEM certificate mounted -# under /etc/ssl/certs will be loaded by the Venafi Kubernetes Agent. For +# under /etc/ssl/certs will be loaded by the Discovery Agent. For # example: # # volumeMounts: @@ -190,7 +190,7 @@ volumes: [] # readOnly: true volumeMounts: [] -# Authentication details for the Venafi Kubernetes Agent +# Authentication details for the Discovery Agent authentication: # Name of the secret containing the private key secretName: agent-credentials 
@@ -200,12 +200,12 @@ authentication: # +docs:section=Venafi Connection # Configure VenafiConnection authentication venafiConnection: - # When set to true, the Venafi Kubernetes Agent will authenticate to + # When set to true, the Discovery Agent will authenticate to # Venafi using the configuration in a VenafiConnection resource. # Use `venafiConnection.enabled=true` for [secretless authentication](https://docs.venafi.cloud/vaas/k8s-components/t-install-tlspk-agent/). # When set to true, the `authentication.secret` values will be ignored and the # Secret with `authentication.secretName` will _not_ be mounted into the - # Venafi Kubernetes Agent Pod. + # Discovery Agent Pod. enabled: false # The name of a VenafiConnection resource which contains the configuration # for authenticating to Venafi. @@ -214,9 +214,9 @@ authentication: # configuration for authenticating to Venafi. namespace: venafi -# Configuration section for the Venafi Kubernetes Agent itself +# Configuration section for the Discovery Agent itself config: - # API URL of the Venafi Control Plane API. For EU tenants, set this value to + # API URL of the CyberArk Certificate Manager API. For EU tenants, set this value to # https://api.venafi.eu/. If you are using the VenafiConnection authentication # method, you must set the API URL using the field `spec.vcp.url` on the # VenafiConnection resource instead. @@ -224,7 +224,7 @@ config: # The client-id to be used for authenticating with the Venafi Control # Plane. Only useful when using a Key Pair Service Account in the Venafi # Control Plane. You can obtain the cliend ID by creating a Key Pair Service - # Account in the Venafi Control Plane. + # Account in the CyberArk Certificate Manager. clientId: "" # Send data back to the platform every minute unless changed. period: "0h1m0s" 
@@ -251,10 +251,10 @@ config: - bootstrap.kubernetes.io/token - helm.sh/release.v1 - # You can configure Venafi Kubernetes Agent to exclude some annotations or - # labels from being pushed to the Venafi Control Plane. All Kubernetes objects + # You can configure Discovery Agent to exclude some annotations or + # labels from being pushed to the CyberArk Certificate Manager. All Kubernetes objects # are affected. The objects are still pushed, but the specified annotations - # and labels are removed before being sent to the Venafi Control Plane. + # and labels are removed before being sent to the CyberArk Certificate Manager. # # Dots is the only character that needs to be escaped in the regex. Use either # double quotes with escaped single quotes or unquoted strings for the regex diff --git a/pkg/client/client_venafi_cloud.go b/pkg/client/client_venafi_cloud.go index d2b3b059..d2ab512d 100644 --- a/pkg/client/client_venafi_cloud.go +++ b/pkg/client/client_venafi_cloud.go @@ -308,7 +308,7 @@ func (c *VenafiCloudClient) sendHTTPRequest(request *http.Request, responseObjec if response.StatusCode != http.StatusOK && response.StatusCode != http.StatusCreated { body, _ := io.ReadAll(response.Body) - return fmt.Errorf("failed to execute http request to Venafi Control Plane. Request %s, status code: %d, body: [%s]", request.URL, response.StatusCode, body) + return fmt.Errorf("failed to execute http request to Control Plane. Request %s, status code: %d, body: [%s]", request.URL, response.StatusCode, body) } body, err := io.ReadAll(response.Body) From dd12f5ce32496c122c3038244aaf9734dfe4a961 Mon Sep 17 00:00:00 2001 
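Review bot: the @@ -1333,3 +1333,4 @@ hunk of deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml adds a whitespace-only line after the closing `{{ end }}` and removes the file's terminating newline (`\ No newline at end of file`). Neither belongs to a rename, and in a generated template the stray line will churn on every regeneration; drop the `+ ` line so the file still ends with `{{ end }}` followed by a newline.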
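Review bot: the product name is applied inconsistently across the venafi-connection-crd.yaml hunks: the `url` description in @@ -1022 and @@ -1209 becomes "the CyberArk Control Plane, Self-Hosted instance" while the `clientId`, `authInputType` and `tenantID` descriptions in the same hunks use plain "Control Plane, Self-Hosted" and "Control Plane, SaaS", and the comma form reads as a list in running text ("used to authenticate with Control Plane, SaaS."). Settle on one name per deployment model, with or without the vendor prefix, and apply it in the source the CRD is generated from rather than in this template, since the commit subject says these files are generated and the three copies (crd_bases, templates with and without validations) have to stay in step.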
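Review bot: the `helm-values.authentication.venafiConnection.enabled` description in values.schema.json @@ -131 carries over two broken sentences from the old text, "will authenticate to. Venafi using" and "ignored and the. Secret with", which look like comment line breaks turned into full stops; the same text appears as the values.yaml comment in @@ -200 with its breaks at exactly those words, so the schema appears to be derived from the comments. Fix the wrapping in values.yaml and regenerate the schema instead of patching both files by hand.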
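Review bot: the rename is partial in the `helm-values.config.clientId` description (values.schema.json @@ -185) and in the matching values.yaml comment (@@ -224): only the last sentence becomes "CyberArk Certificate Manager" while the two sentences before it still read "Venafi Control. Plane" and "Venafi. Control Plane" (the same wrap-to-full-stop artifact), and the "cliend ID" typo is kept. Rewrite the whole comment once, for example "The client ID used to authenticate with the CyberArk Certificate Manager. Only useful with a Key Pair Service Account; you can obtain the client ID by creating one in the CyberArk Certificate Manager.", and regenerate the schema from it.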
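Review bot: "The container image for the Enterprise Issuer manager." (values.yaml @@ -51, values.schema.json @@ -350) still describes a different component: the key is `image.repository` of the agent chart and its default is `registry.venafi.cloud/venafi-agent/venafi-agent`, so the old "Venafi Enhanced Issuer manager" text was already a copy-paste and the rename only swapped in another wrong name. Suggest "The container image for the Discovery Agent." in both places.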
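Review bot: the error string change in pkg/client/client_venafi_cloud.go @@ -308 to "failed to execute http request to Control Plane" introduces a third name for the same service within this commit (the chart docs in this patch say "CyberArk Certificate Manager", the CRD says "Control Plane, SaaS"); use the same term here, and check the package tests for an exact match on the old message, since such an assertion would now fail.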
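Review bot: while the `excludeAnnotationKeysRegex` description is being touched (values.schema.json @@ -214, values.yaml @@ -251), fix the grammar of the unchanged sentence "Dots is the only character that needs to be escaped in the regex" to "The dot is the only character that needs to be escaped in the regex"; the rest of the rename in that hunk reads fine.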
From: Iossif Benbassat Date: Mon, 27 Oct 2025 15:43:51 +0200 Subject: [PATCH 03/11] fix: rename to certificate manager --- .../jetstack.io_venaficonnections.yaml | 112 +++++++++--------- ...fi-connection-crd.without-validations.yaml | 112 +++++++++--------- .../templates/venafi-connection-crd.yaml | 112 +++++++++--------- 3 files changed, 168 insertions(+), 168 deletions(-) diff --git a/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml b/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml index c52c4db1..cf19a412 100644 --- a/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml +++ b/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml @@ -175,8 +175,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -249,14 +249,14 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT @@ -264,16 +264,16 @@ spec: clientId: description: ClientID is the clientId used to authenticate - with Control Plane, Self-Hosted. + with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -287,7 +287,7 @@ spec: tenantID: description: TenantID is the tenant ID used to authenticate - with Control Plane, SaaS. + with Certificate Manager SaaS. type: string type: object type: object @@ -310,7 +310,7 @@ spec: tpp: properties: accessToken: - description: The list of steps to retrieve a Control Plane, Self-Hosted access token. + description: The list of steps to retrieve a Certificate Manager Self-Hosted access token. items: properties: hashicorpVaultLDAP: 
@@ -384,8 +384,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. @@ -458,14 +458,14 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT 
@@ -473,16 +473,16 @@ spec: clientId: description: ClientID is the clientId used to authenticate - with Control Plane, Self-Hosted. + with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -496,7 +496,7 @@ spec: tenantID: description: TenantID is the tenant ID used to authenticate - with Control Plane, SaaS. + with Certificate Manager SaaS. type: string type: object type: object @@ -512,7 +512,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by venafi-connection-lib. @@ -528,7 +528,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to Control Plane, SaaS. + to Certificate Manager SaaS. items: properties: hashicorpVaultLDAP: 
@@ -602,8 +602,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. @@ -676,14 +676,14 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT 
@@ -691,16 +691,16 @@ spec: clientId: description: ClientID is the clientId used to authenticate - with Control Plane, Self-Hosted. + with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -714,7 +714,7 @@ spec: tenantID: description: TenantID is the tenant ID used to authenticate - with Control Plane, SaaS. + with Certificate Manager SaaS. type: string type: object type: object @@ -731,7 +731,7 @@ spec: apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - Control Plane, SaaS. + Certificate Manager SaaS. items: properties: hashicorpVaultLDAP: @@ -805,8 +805,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -879,14 +879,14 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT @@ -894,16 +894,16 @@ spec: clientId: description: ClientID is the clientId used to authenticate - with Control Plane, Self-Hosted. + with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -917,7 +917,7 @@ spec: tenantID: description: TenantID is the tenant ID used to authenticate - with Control Plane, SaaS. + with Certificate Manager SaaS. type: string type: object type: object @@ -933,7 +933,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Control Plane, SaaS instance. If not set, the default + The URL to connect to the Certificate Manager SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object 
@@ -949,7 +949,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to Control Plane, SaaS. + to Certificate Manager SaaS. items: properties: hashicorpVaultLDAP: @@ -1023,8 +1023,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. @@ -1097,14 +1097,14 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT 
@@ -1112,16 +1112,16 @@ spec: clientId: description: ClientID is the clientId used to authenticate - with Control Plane, Self-Hosted. + with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -1135,7 +1135,7 @@ spec: tenantID: description: TenantID is the tenant ID used to authenticate - with Control Plane, SaaS. + with Certificate Manager SaaS. type: string type: object type: object @@ -1152,7 +1152,7 @@ spec: apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - Control Plane, SaaS. + Certificate Manager SaaS. items: properties: hashicorpVaultLDAP: @@ -1226,8 +1226,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -1300,14 +1300,14 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT @@ -1315,16 +1315,16 @@ spec: clientId: description: ClientID is the clientId used to authenticate - with Control Plane, Self-Hosted. + with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -1338,7 +1338,7 @@ spec: tenantID: description: TenantID is the tenant ID used to authenticate - with Control Plane, SaaS. + with Certificate Manager SaaS. type: string type: object type: object @@ -1354,7 +1354,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Control Plane, SaaS instance. If not set, the default + The URL to connect to the Certificate Manager SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object 
diff --git a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml index 32c9b07f..53c5daaa 100644 --- a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml +++ b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml @@ -172,8 +172,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -244,29 +244,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. + description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -278,7 +278,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. type: string type: object type: object 
@@ -294,7 +294,7 @@ spec: tpp: properties: accessToken: - description: The list of steps to retrieve a Control Plane, Self-Hosted access token. + description: The list of steps to retrieve a Certificate Manager Self-Hosted access token. items: properties: hashicorpVaultLDAP: @@ -362,8 +362,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -434,29 +434,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. + description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -468,7 +468,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. type: string type: object type: object 
@@ -477,7 +477,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by venafi-connection-lib. @@ -491,7 +491,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to Control Plane, SaaS. + to Certificate Manager SaaS. items: properties: hashicorpVaultLDAP: @@ -559,8 +559,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -631,29 +631,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. + description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -665,7 +665,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. type: string type: object type: object @@ -675,7 +675,7 @@ spec: apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - Control Plane, SaaS. + Certificate Manager SaaS. items: properties: hashicorpVaultLDAP: 
@@ -743,8 +743,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -815,29 +815,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. + description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -849,7 +849,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. type: string type: object type: object 
@@ -858,7 +858,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Control Plane, SaaS instance. If not set, the default + The URL to connect to the Certificate Manager SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object @@ -867,7 +867,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to Control Plane, SaaS. + to Certificate Manager SaaS. items: properties: hashicorpVaultLDAP: @@ -935,8 +935,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -1007,29 +1007,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. + description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -1041,7 +1041,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. type: string type: object type: object 
@@ -1051,7 +1051,7 @@ spec: apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - Control Plane, SaaS. + Certificate Manager SaaS. items: properties: hashicorpVaultLDAP: @@ -1119,8 +1119,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -1191,29 +1191,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. + description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -1225,7 +1225,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. type: string type: object type: object 
@@ -1234,7 +1234,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Control Plane, SaaS instance. If not set, the default + The URL to connect to the Certificate Manager SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object diff --git a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml index 6fc6ab93..01c93fd8 100644 --- a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml +++ b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml @@ -172,8 +172,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -244,29 +244,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. + description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -278,7 +278,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. type: string type: object type: object 
@@ -297,7 +297,7 @@ spec: tpp: properties: accessToken: - description: The list of steps to retrieve a Control Plane, Self-Hosted access token. + description: The list of steps to retrieve a Certificate Manager Self-Hosted access token. items: properties: hashicorpVaultLDAP: @@ -365,8 +365,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -437,29 +437,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. + description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -471,7 +471,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. type: string type: object type: object 
@@ -483,7 +483,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by venafi-connection-lib. @@ -497,7 +497,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to Control Plane, SaaS. + to Certificate Manager SaaS. items: properties: hashicorpVaultLDAP: @@ -565,8 +565,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -637,29 +637,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. + description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -671,7 +671,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. type: string type: object type: object @@ -684,7 +684,7 @@ spec: apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - Control Plane, SaaS. + Certificate Manager SaaS. items: properties: hashicorpVaultLDAP: 
@@ -752,8 +752,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -824,29 +824,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. + description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -858,7 +858,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. type: string type: object type: object 
@@ -870,7 +870,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Control Plane, SaaS instance. If not set, the default + The URL to connect to the Certificate Manager SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object @@ -882,7 +882,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to Control Plane, SaaS. + to Certificate Manager SaaS. items: properties: hashicorpVaultLDAP: @@ -950,8 +950,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -1022,29 +1022,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. + description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -1056,7 +1056,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. type: string type: object type: object 
@@ -1069,7 +1069,7 @@ spec: apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - Control Plane, SaaS. + Certificate Manager SaaS. items: properties: hashicorpVaultLDAP: @@ -1137,8 +1137,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Control Plane, Self-Hosted, username and password): imagining that you have stored - the username and password for Control Plane, Self-Hosted under the keys "username" and + Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored + the username and password for Certificate Manager Self-Hosted under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -1209,29 +1209,29 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Control Plane, Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Control Plane, Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Control Plane, Self-Hosted. + description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. type: string url: description: |- - The URL to connect to the CyberArk Control Plane, Self-Hosted instance. The two URLs + The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Control Plane, Self-Hosted configuration. + Certificate Manager Self-Hosted configuration. type: string required: - authInputType @@ -1243,7 +1243,7 @@ spec: that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Control Plane, SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. type: string type: object type: object 
@@ -1255,7 +1255,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Control Plane, SaaS instance. If not set, the default + The URL to connect to the Certificate Manager SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object From b5836225ddde1ebf3819f21fffac0739fcf2b559 Mon Sep 17 00:00:00 2001 From: Iossif Benbassat Date: Wed, 29 Oct 2025 13:01:15 +0200 Subject: [PATCH 04/11] fix: generate venafi-connection-crd --- .../templates/venafi-connection-crd.yaml | 39 +++++++++---------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml index 01c93fd8..c09e9322 100644 --- a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml +++ b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml @@ -146,7 +146,7 @@ spec: /v1/auth/oidc/login type: string clientId: - description: 'Deprecated: This field does nothing and will be removed in the future.' + description: "Deprecated: This field does nothing and will be removed in the future." type: string role: description: |- @@ -284,7 +284,7 @@ spec: type: object x-kubernetes-validations: - message: must have exactly one field set - rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' + rule: "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" maxItems: 50 type: array x-kubernetes-list-type: atomic 
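Review bot: the rename in the `tppOAuth` hunks of both templates (`@@ -244`, `@@ -434`, `@@ -631`, `@@ -815`, `@@ -1007`, `@@ -1191` in venafi-connection-crd.without-validations.yaml and the matching hunks in venafi-connection-crd.yaml) leaves the product name inconsistent inside a single SecretSource step: the `url` description says "CyberArk Certificate Manager Self-Hosted" while `authInputType` and `clientId` in the same block say plain "Certificate Manager Self-Hosted", and the `/vedsdk` sentence reads "stripped out by our client" in the step-level `url` but "stripped out by venafi-connection-lib" in the top-level `tpp.url` context at `@@ -477` / `@@ -483`. The two template files carry byte-identical description text, so they look like output of one generator; fix the wording once at the source of those descriptions and regenerate both files rather than editing the rendered YAML by hand, otherwise the two copies will drift at the next regeneration.

Review bot: in the SaaS `url` hunks (`@@ -858` and `@@ -1234` in the without-validations template, `@@ -870` and `@@ -1255` in venafi-connection-crd.yaml) the description now says "Certificate Manager SaaS instance" but still states "the default value https://api.venafi.cloud is used". If the rebrand also moves the API endpoint, this description and whatever default the client applies have to change in the same commit; if the hostname is unchanged, say so in the description so the next reader does not take the venafi.cloud default for a leftover of the old name.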
@@ -339,7 +339,7 @@ spec: /v1/auth/oidc/login type: string clientId: - description: 'Deprecated: This field does nothing and will be removed in the future.' + description: "Deprecated: This field does nothing and will be removed in the future." type: string role: description: |- @@ -477,7 +477,7 @@ spec: type: object x-kubernetes-validations: - message: must have exactly one field set - rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' + rule: "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" maxItems: 50 type: array x-kubernetes-list-type: atomic @@ -492,7 +492,7 @@ spec: - url type: object vaas: - description: 'Deprecated: The ''vaas'' field is deprecated use the field called ''vcp'' instead.' + description: "Deprecated: The 'vaas' field is deprecated use the field called 'vcp' instead." properties: accessToken: description: |- @@ -539,7 +539,7 @@ spec: /v1/auth/oidc/login type: string clientId: - description: 'Deprecated: This field does nothing and will be removed in the future.' + description: "Deprecated: This field does nothing and will be removed in the future." type: string role: description: |- 
@@ -677,7 +677,7 @@ spec: type: object x-kubernetes-validations: - message: must have exactly one field set - rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' + rule: "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" maxItems: 50 type: array x-kubernetes-list-type: atomic @@ -726,7 +726,7 @@ spec: /v1/auth/oidc/login type: string clientId: - description: 'Deprecated: This field does nothing and will be removed in the future.' + description: "Deprecated: This field does nothing and will be removed in the future." type: string role: description: |- @@ -864,7 +864,7 @@ spec: type: object x-kubernetes-validations: - message: must have exactly one field set - rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' + rule: "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" maxItems: 50 type: array x-kubernetes-list-type: atomic 
@@ -875,8 +875,8 @@ spec: type: string type: object x-kubernetes-validations: - - message: 'must have exactly ONE of the following fields set: apiKey or accessToken' - rule: '(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : 0) == 1' + - message: "must have exactly ONE of the following fields set: apiKey or accessToken" + rule: "(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : 0) == 1" vcp: properties: accessToken: @@ -924,7 +924,7 @@ spec: /v1/auth/oidc/login type: string clientId: - description: 'Deprecated: This field does nothing and will be removed in the future.' + description: "Deprecated: This field does nothing and will be removed in the future." type: string role: description: |- @@ -1062,7 +1062,7 @@ spec: type: object x-kubernetes-validations: - message: must have exactly one field set - rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' + rule: "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" maxItems: 50 type: array x-kubernetes-list-type: atomic @@ -1111,7 +1111,7 @@ spec: /v1/auth/oidc/login type: string clientId: - description: 'Deprecated: This field does nothing and will be removed in the future.' + description: "Deprecated: This field does nothing and will be removed in the future." type: string role: description: |- 
@@ -1249,7 +1249,7 @@ spec: type: object x-kubernetes-validations: - message: must have exactly one field set - rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' + rule: "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" maxItems: 50 type: array x-kubernetes-list-type: atomic @@ -1260,12 +1260,12 @@ spec: type: string type: object x-kubernetes-validations: - - message: 'must have exactly ONE of the following fields set: apiKey or accessToken' - rule: '(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : 0) == 1' + - message: "must have exactly ONE of the following fields set: apiKey or accessToken" + rule: "(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : 0) == 1" type: object x-kubernetes-validations: - - message: 'must have exactly ONE of the following fields set: tpp or vcp' - rule: '(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp) ? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1' + - message: "must have exactly ONE of the following fields set: tpp or vcp" + rule: "(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp) ? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1" status: properties: conditions: @@ -1333,4 +1333,3 @@ spec: status: {} {{ end }} {{ end }} - \ No newline at end of file From 9bb49a22ee862cf76ca7c5c9cb13e6fd224f808c Mon Sep 17 00:00:00 2001 
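Review bot: the hunk at -1260 changes only the quoting of the validation message `must have exactly ONE of the following fields set: tpp or vcp`, but the rule directly under it counts `self.tpp`, `self.vaas`, `self.vcp` and `self.firefly`, so a user who sets `firefly` together with `tpp` is told the choice is tpp or vcp; while this message is being touched, make it name all four fields (for example `tpp, vcp (or the deprecated vaas), or firefly`). Likewise at -492, `Deprecated: The 'vaas' field is deprecated use the field called 'vcp' instead.` is missing a semicolon or period before `use`; the string comes from a Go comment, so fix it there. Every other hunk in this commit (-146, -284, -339, -477, -539, -677, -726, -864, -875, -924, -1062, -1111, -1249) is a single-quote to double-quote conversion with no semantic change, and PATCH 08 regenerates the sibling `crd_bases` file with single quotes again (`description: 'Deprecated: ...'`, `rule: '((has(self.secret) ...'`), so the two generated copies of the CRD will disagree on style; commit the generator/formatter output for both files from the same run instead of hand-formatting one. The final hunk at -1333 correctly drops the stray trailing line behind the `\ No newline at end of file` marker.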
From: iossifbenbassat123 Date: Wed, 29 Oct 2025 13:01:51 +0200 Subject: [PATCH 05/11] Update deploy/charts/venafi-kubernetes-agent/Chart.yaml Co-authored-by: Atanas Chuchev --- deploy/charts/venafi-kubernetes-agent/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/charts/venafi-kubernetes-agent/Chart.yaml b/deploy/charts/venafi-kubernetes-agent/Chart.yaml index 741f0806..45efd93a 100644 --- a/deploy/charts/venafi-kubernetes-agent/Chart.yaml +++ b/deploy/charts/venafi-kubernetes-agent/Chart.yaml @@ -3,7 +3,7 @@ name: venafi-kubernetes-agent type: application description: |- - The Discovery Agent connects your Kubernetes or Openshift cluster to the CyberArk Certificate Manager (formerly Venafi Control Plane). + The Discovery Agent connects your Kubernetes or OpenShift cluster to the CyberArk Certificate Manager. maintainers: - name: Venafi From 3913a30e31ec472948d64381dfe27288530595e1 Mon Sep 17 00:00:00 2001 From: iossifbenbassat123 Date: Wed, 29 Oct 2025 13:02:01 +0200 Subject: [PATCH 06/11] Update pkg/client/client_venafi_cloud.go Co-authored-by: Atanas Chuchev --- pkg/client/client_venafi_cloud.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/client/client_venafi_cloud.go b/pkg/client/client_venafi_cloud.go index d2ab512d..7e4a30d8 100644 --- a/pkg/client/client_venafi_cloud.go +++ b/pkg/client/client_venafi_cloud.go @@ -308,7 +308,7 @@ func (c *VenafiCloudClient) sendHTTPRequest(request *http.Request, responseObjec if response.StatusCode != http.StatusOK && response.StatusCode != http.StatusCreated { body, _ := io.ReadAll(response.Body) - return fmt.Errorf("failed to execute http request to Control Plane. Request %s, status code: %d, body: [%s]", request.URL, response.StatusCode, body) + return fmt.Errorf("failed to execute http request to the Control Plane. Request %s, status code: %d, body: [%s]", request.URL, response.StatusCode, body) } body, err := io.ReadAll(response.Body) 
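Review bot: in PATCH 06 the only change to `sendHTTPRequest` is `Control Plane` to `the Control Plane`, which leaves this user-visible error on the old product name while PATCH 05 in the same series renames the chart description to `CyberArk Certificate Manager` and drops the `(formerly Venafi Control Plane)` alias; either keep the alias in Chart.yaml so people searching for the old name still find the chart, or rename the error message to match. While this line is touched: `body, _ := io.ReadAll(response.Body)` reads the entire non-2xx body without a limit and interpolates all of it into the returned error; wrap it in `io.LimitReader` so an oversized or hostile error response cannot balloon the error string, and keep in mind the body is attacker-influenced content when it is later logged.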
From 0e77fc1e73e038f1363ac5073134b30d4019fcc2 Mon Sep 17 00:00:00 2001 From: iossifbenbassat123 Date: Wed, 29 Oct 2025 13:02:06 +0200 Subject: [PATCH 07/11] Update deploy/charts/venafi-kubernetes-agent/values.yaml Co-authored-by: Atanas Chuchev --- deploy/charts/venafi-kubernetes-agent/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/charts/venafi-kubernetes-agent/values.yaml b/deploy/charts/venafi-kubernetes-agent/values.yaml index 05dd27c6..a94893c7 100644 --- a/deploy/charts/venafi-kubernetes-agent/values.yaml +++ b/deploy/charts/venafi-kubernetes-agent/values.yaml @@ -51,7 +51,7 @@ metrics: replicaCount: 1 image: - # The container image for the Enterprise Issuer manager. + # The container image for the Enterprise Issuer. repository: registry.venafi.cloud/venafi-agent/venafi-agent # Kubernetes imagePullPolicy on Deployment. From 5e32ba0adfadc31d1fe74af3fba51845dc5947e1 Mon Sep 17 00:00:00 2001 From: Iossif Benbassat Date: Wed, 29 Oct 2025 13:17:58 +0200 Subject: [PATCH 08/11] fix: generate crds --- .../jetstack.io_venaficonnections.yaml | 2780 ++++++++--------- ...fi-connection-crd.without-validations.yaml | 144 +- .../templates/venafi-connection-crd.yaml | 182 +- go.mod | 5 +- go.sum | 8 +- 5 files changed, 1533 insertions(+), 1586 deletions(-) diff --git a/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml b/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml index cf19a412..962e44fb 100644 --- a/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml +++ b/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.19.0 name: venaficonnections.jetstack.io spec: group: jetstack.io 
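Review bot: in PATCH 07 the values.yaml comment `The container image for the Enterprise Issuer.` is still wrong after the edit: the `repository` two lines below is `registry.venafi.cloud/venafi-agent/venafi-agent`, i.e. the Discovery Agent's own image, not an Enterprise Issuer, so write `The container image for the Discovery Agent.`; if the chart README or values schema is generated from these comments, it inherits the wrong text as well. Separately, the first hunk of PATCH 08 bumps `controller-gen.kubebuilder.io/version` from v0.18.0 to v0.19.0, and go.mod/go.sum change in the same commit; since that generator upgrade is what reindents the whole `crd_bases` file, the commit message `fix: generate crds` should say the generator and dependency were bumped, or the upgrade should land as its own commit so the wording changes stay reviewable.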
@@ -13,1436 +13,1382 @@ spec: listKind: VenafiConnectionList plural: venaficonnections shortNames: - - vc + - vc singular: venaficonnection scope: Namespaced versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: VenafiConnection is the Schema for the VenafiConnection API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - allowReferencesFrom: - description: |- - A namespace selector that specifies what namespaces this VenafiConnection - is allowed to be used from. - If not set/ null, the VenafiConnection can only be used within its namespace. - An empty selector ({}) matches all namespaces. - If set to a non-empty selector, the VenafiConnection can only be used from - namespaces that match the selector. This possibly excludes the namespace - the VenafiConnection is in. - properties: - matchExpressions: - description: - matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: - key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. 
- Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string + - name: v1alpha1 + schema: + openAPIV3Schema: + description: VenafiConnection is the Schema for the VenafiConnection API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + allowReferencesFrom: + description: |- + A namespace selector that specifies what namespaces this VenafiConnection + is allowed to be used from. + If not set/ null, the VenafiConnection can only be used within its namespace. + An empty selector ({}) matches all namespaces. + If set to a non-empty selector, the VenafiConnection can only be used from + namespaces that match the selector. This possibly excludes the namespace + the VenafiConnection is in. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator type: object - type: object - x-kubernetes-map-type: atomic - firefly: - properties: - accessToken: - description: |- - The list of steps to retrieve the Access Token that will be used to connect - to CyberArk Workload Identity Manager. - items: - properties: - hashicorpVaultLDAP: - description: |- - HashicorpVaultLDAP is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - ldapPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/ldap/static-cred/:role_name - or - /v1/ldap/creds/:role_name - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. 
- type: string - required: - - ldapPath - type: object - hashicorpVaultOAuth: - description: |- - HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource - step to provide an OAuth token, which this step uses to authenticate to - Vault. The output of this step is a Vault token. This step allows you to use - the step `HashicorpVaultSecret` afterwards. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with HashiCorp Vault. The only supported value is "OIDC". - enum: - - OIDC - type: string - authPath: - description: |- - The login URL used for obtaining the Vault token. Example: - /v1/auth/oidc/login - type: string - clientId: - description: - "Deprecated: This field does nothing and - will be removed in the future." - type: string - role: - description: |- - The role defined in Vault that we want to use when authenticating to - Vault. - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - authInputType - - authPath - - role - type: object - hashicorpVaultSecret: - description: |- - HashicorpVaultSecret is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - fields: - description: |- - The fields are Vault keys pointing to the secrets passed to the next - SecretSource step. - - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and - "password", you will want to set this field to `["username", - "password"]`. The username is expected to be given first, the password - second. - items: - type: string - type: array - secretPath: - description: |- - The full HTTP path to the secret in Vault. 
Example: - /v1/secret/data/application-team-a/tpp-username-password - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - fields - - secretPath - type: object - secret: - description: |- - Secret is a SecretSource step meant to be the first step. It retrieves secret - values from a Kubernetes Secret, and passes them to the next step. - properties: - fields: - description: |- - The names of the fields we want to extract from the Kubernetes secret. - These fields are passed to the next step in the chain. - items: - type: string - type: array - name: - description: The name of the Kubernetes secret. - type: string - required: - - fields - - name - type: object - serviceAccountToken: - description: |- - ServiceAccountToken is a SecretSource step meant to be the first step. It - uses the Kubernetes TokenRequest API to retrieve a token for a given service - account, and passes it to the next step. - properties: - audiences: - description: |- - Audiences are the intendend audiences of the token. A recipient of a - token must identify themself with an identifier in the list of - audiences of the token, and otherwise should reject the token. A - token issued for multiple audiences may be used to authenticate - against any of the audiences listed but implies a high degree of - trust between the target audiences. - items: - type: string - type: array - expirationSeconds: - description: |- - ExpirationSeconds is the requested duration of validity of the request. The - token issuer may return a token with a different validity duration so a - client needs to check the 'expiration' field in a response. - format: int64 - type: integer - name: - description: The name of the Kubernetes service account. - type: string - required: - - audiences - - name - type: object - tppOAuth: - description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). 
This - step is meant to be the last step and requires a prior step that depends - on the `authInputType`. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". - enum: - - UsernamePassword - - JWT - type: string - clientId: - description: - ClientID is the clientId used to authenticate - with Certificate Manager Self-Hosted. - type: string - url: - description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out - by our client. - If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. - type: string - required: - - authInputType - type: object - vcpOAuth: - description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step - that outputs a JWT token. - properties: - tenantID: - description: - TenantID is the tenant ID used to authenticate - with Certificate Manager SaaS. - type: string - type: object - type: object - x-kubernetes-validations: - - message: must have exactly one field set - rule: - "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) - ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) - ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) - ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" - maxItems: 50 - type: array - x-kubernetes-list-type: atomic - url: - description: The URL to connect to the Venafi CyberArk Workload Identity Manager instance. 
+ type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: type: string - required: - - url - type: object - tpp: - properties: - accessToken: - description: The list of steps to retrieve a Certificate Manager Self-Hosted access token. - items: - properties: - hashicorpVaultLDAP: - description: |- - HashicorpVaultLDAP is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - ldapPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/ldap/static-cred/:role_name - or - /v1/ldap/creds/:role_name - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - ldapPath - type: object - hashicorpVaultOAuth: - description: |- - HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource - step to provide an OAuth token, which this step uses to authenticate to - Vault. The output of this step is a Vault token. This step allows you to use - the step `HashicorpVaultSecret` afterwards. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with HashiCorp Vault. The only supported value is "OIDC". - enum: - - OIDC - type: string - authPath: - description: |- - The login URL used for obtaining the Vault token. Example: - /v1/auth/oidc/login - type: string - clientId: - description: - "Deprecated: This field does nothing and - will be removed in the future." - type: string - role: - description: |- - The role defined in Vault that we want to use when authenticating to - Vault. - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. 
- type: string - required: - - authInputType - - authPath - - role - type: object - hashicorpVaultSecret: - description: |- - HashicorpVaultSecret is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - fields: - description: |- - The fields are Vault keys pointing to the secrets passed to the next - SecretSource step. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + firefly: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to Firefly. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. 
+ properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'Deprecated: This field does nothing and + will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and - "password", you will want to set this field to `["username", - "password"]`. The username is expected to be given first, the password - second. - items: - type: string - type: array - secretPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/secret/data/application-team-a/tpp-username-password - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - fields - - secretPath - type: object - secret: - description: |- - Secret is a SecretSource step meant to be the first step. 
It retrieves secret - values from a Kubernetes Secret, and passes them to the next step. - properties: - fields: - description: |- - The names of the fields we want to extract from the Kubernetes secret. - These fields are passed to the next step in the chain. - items: - type: string - type: array - name: - description: The name of the Kubernetes secret. - type: string - required: - - fields - - name - type: object - serviceAccountToken: - description: |- - ServiceAccountToken is a SecretSource step meant to be the first step. It - uses the Kubernetes TokenRequest API to retrieve a token for a given service - account, and passes it to the next step. - properties: - audiences: - description: |- - Audiences are the intendend audiences of the token. A recipient of a - token must identify themself with an identifier in the list of - audiences of the token, and otherwise should reject the token. A - token issued for multiple audiences may be used to authenticate - against any of the audiences listed but implies a high degree of - trust between the target audiences. - items: - type: string - type: array - expirationSeconds: - description: |- - ExpirationSeconds is the requested duration of validity of the request. The - token issuer may return a token with a different validity duration so a - client needs to check the 'expiration' field in a response. - format: int64 - type: integer - name: - description: The name of the Kubernetes service account. - type: string - required: - - audiences - - name - type: object - tppOAuth: - description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This - step is meant to be the last step and requires a prior step that depends - on the `authInputType`. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". 
- enum: - - UsernamePassword - - JWT - type: string - clientId: - description: - ClientID is the clientId used to authenticate - with Certificate Manager Self-Hosted. - type: string - url: - description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out - by our client. - If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. - type: string - required: - - authInputType - type: object - vcpOAuth: - description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step - that outputs a JWT token. - properties: - tenantID: - description: - TenantID is the tenant ID used to authenticate - with Certificate Manager SaaS. - type: string - type: object - type: object - x-kubernetes-validations: - - message: must have exactly one field set - rule: - "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) - ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) - ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) - ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" - maxItems: 50 - type: array - x-kubernetes-list-type: atomic - url: + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. 
+ type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. 
+ properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + description: ClientID is the clientId used to authenticate + with TPP. + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: The URL to connect to the Workload Identity Manager + instance. + type: string + required: + - url + type: object + tpp: + properties: + accessToken: + description: The list of steps to retrieve a TPP access token. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. 
It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'Deprecated: This field does nothing and + will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. 
+ + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. 
The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + description: ClientID is the clientId used to authenticate + with TPP. + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 
1 : 0)) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Certificate Manager Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out by + venafi-connection-lib. + type: string + required: + - url + type: object + vaas: + description: 'Deprecated: The ''vaas'' field is deprecated use the + field called ''vcp'' instead.' + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. 
Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'Deprecated: This field does nothing and + will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. 
+ type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + description: ClientID is the clientId used to authenticate + with TPP. + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. 
+ If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. 
+ properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'Deprecated: This field does nothing and + will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. 
+ properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + description: ClientID is the clientId used to authenticate + with TPP. 
+ type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Certificate Manager, SaaS instance. If not set, the default + value https://api.venafi.cloud is used. + type: string + type: object + x-kubernetes-validations: + - message: 'must have exactly ONE of the following fields set: apiKey + or accessToken' + rule: '(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : + 0) == 1' + vcp: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. 
It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'Deprecated: This field does nothing and + will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. 
+ + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. 
The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + description: ClientID is the clientId used to authenticate + with TPP. + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 
1 : 0)) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'Deprecated: This field does nothing and + will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. 
+ type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. 
A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + description: ClientID is the clientId used to authenticate + with TPP. + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. 
+ properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Certificate Manager, SaaS instance. If not set, the default + value https://api.venafi.cloud is used. + type: string + type: object + x-kubernetes-validations: + - message: 'must have exactly ONE of the following fields set: apiKey + or accessToken' + rule: '(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : + 0) == 1' + type: object + x-kubernetes-validations: + - message: 'must have exactly ONE of the following fields set: tpp or + vcp' + rule: '(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp) + ? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1' + status: + properties: + conditions: + description: List of status conditions to indicate the status of a + VenafiConnection. + items: + description: ConnectionCondition contains condition information + for a VenafiConnection. + properties: + lastTransitionTime: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out by - venafi-connection-lib. + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. 
+ format: date-time type: string - required: - - url - type: object - vaas: - description: - "Deprecated: The 'vaas' field is deprecated use the - field called 'vcp' instead." - properties: - accessToken: + lastUpdateTime: + description: lastUpdateTime is the time of the last update to + this condition + format: date-time + type: string + message: description: |- - The list of steps to retrieve the Access Token that will be used to connect - to Certificate Manager SaaS. - items: - properties: - hashicorpVaultLDAP: - description: |- - HashicorpVaultLDAP is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - ldapPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/ldap/static-cred/:role_name - or - /v1/ldap/creds/:role_name - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - ldapPath - type: object - hashicorpVaultOAuth: - description: |- - HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource - step to provide an OAuth token, which this step uses to authenticate to - Vault. The output of this step is a Vault token. This step allows you to use - the step `HashicorpVaultSecret` afterwards. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with HashiCorp Vault. The only supported value is "OIDC". - enum: - - OIDC - type: string - authPath: - description: |- - The login URL used for obtaining the Vault token. Example: - /v1/auth/oidc/login - type: string - clientId: - description: - "Deprecated: This field does nothing and - will be removed in the future." - type: string - role: - description: |- - The role defined in Vault that we want to use when authenticating to - Vault. 
- type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - authInputType - - authPath - - role - type: object - hashicorpVaultSecret: - description: |- - HashicorpVaultSecret is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - fields: - description: |- - The fields are Vault keys pointing to the secrets passed to the next - SecretSource step. - - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and - "password", you will want to set this field to `["username", - "password"]`. The username is expected to be given first, the password - second. - items: - type: string - type: array - secretPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/secret/data/application-team-a/tpp-username-password - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - fields - - secretPath - type: object - secret: - description: |- - Secret is a SecretSource step meant to be the first step. It retrieves secret - values from a Kubernetes Secret, and passes them to the next step. - properties: - fields: - description: |- - The names of the fields we want to extract from the Kubernetes secret. - These fields are passed to the next step in the chain. - items: - type: string - type: array - name: - description: The name of the Kubernetes secret. - type: string - required: - - fields - - name - type: object - serviceAccountToken: - description: |- - ServiceAccountToken is a SecretSource step meant to be the first step. 
It - uses the Kubernetes TokenRequest API to retrieve a token for a given service - account, and passes it to the next step. - properties: - audiences: - description: |- - Audiences are the intendend audiences of the token. A recipient of a - token must identify themself with an identifier in the list of - audiences of the token, and otherwise should reject the token. A - token issued for multiple audiences may be used to authenticate - against any of the audiences listed but implies a high degree of - trust between the target audiences. - items: - type: string - type: array - expirationSeconds: - description: |- - ExpirationSeconds is the requested duration of validity of the request. The - token issuer may return a token with a different validity duration so a - client needs to check the 'expiration' field in a response. - format: int64 - type: integer - name: - description: The name of the Kubernetes service account. - type: string - required: - - audiences - - name - type: object - tppOAuth: - description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This - step is meant to be the last step and requires a prior step that depends - on the `authInputType`. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". - enum: - - UsernamePassword - - JWT - type: string - clientId: - description: - ClientID is the clientId used to authenticate - with Certificate Manager Self-Hosted. - type: string - url: - description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out - by our client. 
- If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. - type: string - required: - - authInputType - type: object - vcpOAuth: - description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step - that outputs a JWT token. - properties: - tenantID: - description: - TenantID is the tenant ID used to authenticate - with Certificate Manager SaaS. - type: string - type: object - type: object - x-kubernetes-validations: - - message: must have exactly one field set - rule: - "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) - ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) - ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) - ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" - maxItems: 50 - type: array - x-kubernetes-list-type: atomic - apiKey: + Message is a human readable description of the details of the last + transition, complementing reason. + type: string + observedGeneration: description: |- - The list of steps to retrieve the API key that will be used to connect to - Certificate Manager SaaS. - items: - properties: - hashicorpVaultLDAP: - description: |- - HashicorpVaultLDAP is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - ldapPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/ldap/static-cred/:role_name - or - /v1/ldap/creds/:role_name - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. 
- type: string - required: - - ldapPath - type: object - hashicorpVaultOAuth: - description: |- - HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource - step to provide an OAuth token, which this step uses to authenticate to - Vault. The output of this step is a Vault token. This step allows you to use - the step `HashicorpVaultSecret` afterwards. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with HashiCorp Vault. The only supported value is "OIDC". - enum: - - OIDC - type: string - authPath: - description: |- - The login URL used for obtaining the Vault token. Example: - /v1/auth/oidc/login - type: string - clientId: - description: - "Deprecated: This field does nothing and - will be removed in the future." - type: string - role: - description: |- - The role defined in Vault that we want to use when authenticating to - Vault. - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - authInputType - - authPath - - role - type: object - hashicorpVaultSecret: - description: |- - HashicorpVaultSecret is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - fields: - description: |- - The fields are Vault keys pointing to the secrets passed to the next - SecretSource step. - - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and - "password", you will want to set this field to `["username", - "password"]`. The username is expected to be given first, the password - second. - items: - type: string - type: array - secretPath: - description: |- - The full HTTP path to the secret in Vault. 
Example: - /v1/secret/data/application-team-a/tpp-username-password - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - fields - - secretPath - type: object - secret: - description: |- - Secret is a SecretSource step meant to be the first step. It retrieves secret - values from a Kubernetes Secret, and passes them to the next step. - properties: - fields: - description: |- - The names of the fields we want to extract from the Kubernetes secret. - These fields are passed to the next step in the chain. - items: - type: string - type: array - name: - description: The name of the Kubernetes secret. - type: string - required: - - fields - - name - type: object - serviceAccountToken: - description: |- - ServiceAccountToken is a SecretSource step meant to be the first step. It - uses the Kubernetes TokenRequest API to retrieve a token for a given service - account, and passes it to the next step. - properties: - audiences: - description: |- - Audiences are the intendend audiences of the token. A recipient of a - token must identify themself with an identifier in the list of - audiences of the token, and otherwise should reject the token. A - token issued for multiple audiences may be used to authenticate - against any of the audiences listed but implies a high degree of - trust between the target audiences. - items: - type: string - type: array - expirationSeconds: - description: |- - ExpirationSeconds is the requested duration of validity of the request. The - token issuer may return a token with a different validity duration so a - client needs to check the 'expiration' field in a response. - format: int64 - type: integer - name: - description: The name of the Kubernetes service account. - type: string - required: - - audiences - - name - type: object - tppOAuth: - description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). 
This - step is meant to be the last step and requires a prior step that depends - on the `authInputType`. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". - enum: - - UsernamePassword - - JWT - type: string - clientId: - description: - ClientID is the clientId used to authenticate - with Certificate Manager Self-Hosted. - type: string - url: - description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out - by our client. - If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. - type: string - required: - - authInputType - type: object - vcpOAuth: - description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step - that outputs a JWT token. - properties: - tenantID: - description: - TenantID is the tenant ID used to authenticate - with Certificate Manager SaaS. - type: string - type: object - type: object - x-kubernetes-validations: - - message: must have exactly one field set - rule: - "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) - ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) - ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) - ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" - maxItems: 50 - type: array - x-kubernetes-list-type: atomic - url: + If set, this represents the .metadata.generation that the condition was + set based upon. 
+ For instance, if .metadata.generation is currently 12, but the + .status.condition[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the Issuer. + format: int64 + type: integer + reason: description: |- - The URL to connect to the Certificate Manager SaaS instance. If not set, the default - value https://api.venafi.cloud is used. + Reason is a brief machine readable explanation for the condition's last + transition. type: string - type: object - x-kubernetes-validations: - - message: - "must have exactly ONE of the following fields set: apiKey - or accessToken" - rule: - "(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : - 0) == 1" - vcp: - properties: - accessToken: - description: |- - The list of steps to retrieve the Access Token that will be used to connect - to Certificate Manager SaaS. - items: - properties: - hashicorpVaultLDAP: - description: |- - HashicorpVaultLDAP is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - ldapPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/ldap/static-cred/:role_name - or - /v1/ldap/creds/:role_name - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - ldapPath - type: object - hashicorpVaultOAuth: - description: |- - HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource - step to provide an OAuth token, which this step uses to authenticate to - Vault. The output of this step is a Vault token. This step allows you to use - the step `HashicorpVaultSecret` afterwards. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with HashiCorp Vault. The only supported value is "OIDC". 
- enum: - - OIDC - type: string - authPath: - description: |- - The login URL used for obtaining the Vault token. Example: - /v1/auth/oidc/login - type: string - clientId: - description: - "Deprecated: This field does nothing and - will be removed in the future." - type: string - role: - description: |- - The role defined in Vault that we want to use when authenticating to - Vault. - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - authInputType - - authPath - - role - type: object - hashicorpVaultSecret: - description: |- - HashicorpVaultSecret is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - fields: - description: |- - The fields are Vault keys pointing to the secrets passed to the next - SecretSource step. - - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and - "password", you will want to set this field to `["username", - "password"]`. The username is expected to be given first, the password - second. - items: - type: string - type: array - secretPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/secret/data/application-team-a/tpp-username-password - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - fields - - secretPath - type: object - secret: - description: |- - Secret is a SecretSource step meant to be the first step. It retrieves secret - values from a Kubernetes Secret, and passes them to the next step. - properties: - fields: - description: |- - The names of the fields we want to extract from the Kubernetes secret. 
- These fields are passed to the next step in the chain. - items: - type: string - type: array - name: - description: The name of the Kubernetes secret. - type: string - required: - - fields - - name - type: object - serviceAccountToken: - description: |- - ServiceAccountToken is a SecretSource step meant to be the first step. It - uses the Kubernetes TokenRequest API to retrieve a token for a given service - account, and passes it to the next step. - properties: - audiences: - description: |- - Audiences are the intendend audiences of the token. A recipient of a - token must identify themself with an identifier in the list of - audiences of the token, and otherwise should reject the token. A - token issued for multiple audiences may be used to authenticate - against any of the audiences listed but implies a high degree of - trust between the target audiences. - items: - type: string - type: array - expirationSeconds: - description: |- - ExpirationSeconds is the requested duration of validity of the request. The - token issuer may return a token with a different validity duration so a - client needs to check the 'expiration' field in a response. - format: int64 - type: integer - name: - description: The name of the Kubernetes service account. - type: string - required: - - audiences - - name - type: object - tppOAuth: - description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This - step is meant to be the last step and requires a prior step that depends - on the `authInputType`. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". - enum: - - UsernamePassword - - JWT - type: string - clientId: - description: - ClientID is the clientId used to authenticate - with Certificate Manager Self-Hosted. 
- type: string - url: - description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out - by our client. - If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. - type: string - required: - - authInputType - type: object - vcpOAuth: - description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step - that outputs a JWT token. - properties: - tenantID: - description: - TenantID is the tenant ID used to authenticate - with Certificate Manager SaaS. - type: string - type: object - type: object - x-kubernetes-validations: - - message: must have exactly one field set - rule: - "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) - ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) - ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) - ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" - maxItems: 50 - type: array - x-kubernetes-list-type: atomic - apiKey: + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + type: string + tokenValidUntil: description: |- - The list of steps to retrieve the API key that will be used to connect to - Certificate Manager SaaS. - items: - properties: - hashicorpVaultLDAP: - description: |- - HashicorpVaultLDAP is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - ldapPath: - description: |- - The full HTTP path to the secret in Vault. 
Example: - /v1/ldap/static-cred/:role_name - or - /v1/ldap/creds/:role_name - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - ldapPath - type: object - hashicorpVaultOAuth: - description: |- - HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource - step to provide an OAuth token, which this step uses to authenticate to - Vault. The output of this step is a Vault token. This step allows you to use - the step `HashicorpVaultSecret` afterwards. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with HashiCorp Vault. The only supported value is "OIDC". - enum: - - OIDC - type: string - authPath: - description: |- - The login URL used for obtaining the Vault token. Example: - /v1/auth/oidc/login - type: string - clientId: - description: - "Deprecated: This field does nothing and - will be removed in the future." - type: string - role: - description: |- - The role defined in Vault that we want to use when authenticating to - Vault. - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - authInputType - - authPath - - role - type: object - hashicorpVaultSecret: - description: |- - HashicorpVaultSecret is a SecretSource step that requires a Vault token in - the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It - then fetches the requested secrets from Vault for use in the next step. - properties: - fields: - description: |- - The fields are Vault keys pointing to the secrets passed to the next - SecretSource step. - - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and - "password", you will want to set this field to `["username", - "password"]`. 
The username is expected to be given first, the password - second. - items: - type: string - type: array - secretPath: - description: |- - The full HTTP path to the secret in Vault. Example: - /v1/secret/data/application-team-a/tpp-username-password - type: string - url: - description: - The URL to connect to your HashiCorp Vault - instance. - type: string - required: - - fields - - secretPath - type: object - secret: - description: |- - Secret is a SecretSource step meant to be the first step. It retrieves secret - values from a Kubernetes Secret, and passes them to the next step. - properties: - fields: - description: |- - The names of the fields we want to extract from the Kubernetes secret. - These fields are passed to the next step in the chain. - items: - type: string - type: array - name: - description: The name of the Kubernetes secret. - type: string - required: - - fields - - name - type: object - serviceAccountToken: - description: |- - ServiceAccountToken is a SecretSource step meant to be the first step. It - uses the Kubernetes TokenRequest API to retrieve a token for a given service - account, and passes it to the next step. - properties: - audiences: - description: |- - Audiences are the intendend audiences of the token. A recipient of a - token must identify themself with an identifier in the list of - audiences of the token, and otherwise should reject the token. A - token issued for multiple audiences may be used to authenticate - against any of the audiences listed but implies a high degree of - trust between the target audiences. - items: - type: string - type: array - expirationSeconds: - description: |- - ExpirationSeconds is the requested duration of validity of the request. The - token issuer may return a token with a different validity duration so a - client needs to check the 'expiration' field in a response. - format: int64 - type: integer - name: - description: The name of the Kubernetes service account. 
- type: string - required: - - audiences - - name - type: object - tppOAuth: - description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This - step is meant to be the last step and requires a prior step that depends - on the `authInputType`. - properties: - authInputType: - description: |- - AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". - enum: - - UsernamePassword - - JWT - type: string - clientId: - description: - ClientID is the clientId used to authenticate - with Certificate Manager Self-Hosted. - type: string - url: - description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs - https://tpp.example.com and https://tpp.example.com/vedsdk are - equivalent. The ending `/vedsdk` is optional and is stripped out - by our client. - If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. - type: string - required: - - authInputType - type: object - vcpOAuth: - description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step - that outputs a JWT token. - properties: - tenantID: - description: - TenantID is the tenant ID used to authenticate - with Certificate Manager SaaS. - type: string - type: object - type: object - x-kubernetes-validations: - - message: must have exactly one field set - rule: - "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) - ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) - ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) - ? 1 : 0) + (has(self.vcpOAuth) ? 
1 : 0)) == 1" - maxItems: 50 - type: array - x-kubernetes-list-type: atomic - url: + The ValidUntil time of the token used to authenticate with the + Certificate Manager, SaaS. + format: date-time + type: string + type: description: |- - The URL to connect to the Certificate Manager SaaS instance. If not set, the default - value https://api.venafi.cloud is used. + Type of the condition, should be a combination of the unique name of the + operator and the type of condition. + eg. `VenafiEnhancedIssuerReady` type: string + required: + - status + - type type: object - x-kubernetes-validations: - - message: - "must have exactly ONE of the following fields set: apiKey - or accessToken" - rule: - "(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : - 0) == 1" - type: object - x-kubernetes-validations: - - message: - "must have exactly ONE of the following fields set: tpp or - vcp" - rule: - "(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp) - ? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1" - status: - properties: - conditions: - description: - List of status conditions to indicate the status of a - VenafiConnection. - items: - description: - ConnectionCondition contains condition information - for a VenafiConnection. - properties: - lastTransitionTime: - description: |- - LastTransitionTime is the timestamp corresponding to the last status - change of this condition. - format: date-time - type: string - lastUpdateTime: - description: - lastUpdateTime is the time of the last update to - this condition - format: date-time - type: string - message: - description: |- - Message is a human readable description of the details of the last - transition, complementing reason. - type: string - observedGeneration: - description: |- - If set, this represents the .metadata.generation that the condition was - set based upon. 
- For instance, if .metadata.generation is currently 12, but the - .status.condition[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the Issuer. - format: int64 - type: integer - reason: - description: |- - Reason is a brief machine readable explanation for the condition's last - transition. - type: string - status: - description: - Status of the condition, one of (`True`, `False`, - `Unknown`). - type: string - tokenValidUntil: - description: |- - The ValidUntil time of the token used to authenticate with the Venafi - Control Plane server. - format: date-time - type: string - type: - description: |- - Type of the condition, should be a combination of the unique name of the - operator and the type of condition. - eg. `VenafiEnhancedIssuerReady` - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml index 53c5daaa..b04312ef 100644 --- a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml +++ b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml @@ -104,7 +104,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to CyberArk Workload Identity Manager. + to Firefly. items: properties: hashicorpVaultLDAP: 
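Review bot: in the regenerated `jetstack.io_venaficonnections.yaml` hunk above, the top-level `x-kubernetes-validations` entry is self-inconsistent: its message reads `must have exactly ONE of the following fields set: tpp or vcp` while its rule sums `has(self.tpp)`, `has(self.vaas)`, `has(self.vcp)` and `has(self.firefly)`, so a user rejected for setting, say, `firefly` together with `vcp` sees an error that names neither field involved. The same mismatch is present on the removed side, so it is pre-existing, but since this commit regenerates the file it is the moment to fix the message in the generating source (naming all four fields, e.g. `tpp, vaas, vcp or firefly`) so the fix survives the next regeneration. Separately, most of this very large hunk is YAML emitter churn rather than content: folded scalars such as `- rule:` / `- "((has(self.secret) ? 1 : 0) + ...` come back as `+ rule: '((has(self.secret) ? 1 : 0) + ...'`, and the `vaas` and `vcp` step schemas show up as whole-block deletions rather than in-place edits, which buries the real wording changes (`tokenValidUntil` now says `Certificate Manager, SaaS`, `tppOAuth` now says `TPP server`). Regenerating with the same quoting style as the checked-in file, or landing the reformat as its own commit, would make the semantic diff reviewable. The regenerated descriptions also carry upstream typos (`intendend`, `themself`) that belong in the source type comments, not in a hand edit here.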
@@ -172,8 +172,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -244,41 +244,41 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with TPP. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. + description: ClientID is the clientId used to authenticate with TPP. type: string url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. + TPP configuration. type: string required: - authInputType type: object vcpOAuth: description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. type: string type: object type: object 
@@ -286,7 +286,7 @@ spec: type: array x-kubernetes-list-type: atomic url: - description: The URL to connect to the Venafi CyberArk Workload Identity Manager instance. + description: The URL to connect to the Workload Identity Manager instance. type: string required: - url @@ -294,7 +294,7 @@ spec: tpp: properties: accessToken: - description: The list of steps to retrieve a Certificate Manager Self-Hosted access token. + description: The list of steps to retrieve a TPP access token. items: properties: hashicorpVaultLDAP: @@ -362,8 +362,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -434,41 +434,41 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with TPP. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. + description: ClientID is the clientId used to authenticate with TPP. type: string url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. + TPP configuration. type: string required: - authInputType type: object vcpOAuth: description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. type: string type: object type: object 
@@ -477,7 +477,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by venafi-connection-lib. @@ -491,7 +491,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to Certificate Manager SaaS. + to Certificate Manager, SaaS. items: properties: hashicorpVaultLDAP: @@ -559,8 +559,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -631,41 +631,41 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with TPP. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. + description: ClientID is the clientId used to authenticate with TPP. type: string url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. + TPP configuration. type: string required: - authInputType type: object vcpOAuth: description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. type: string type: object type: object 
@@ -675,7 +675,7 @@ spec: apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - Certificate Manager SaaS. + Certificate Manager, SaaS. items: properties: hashicorpVaultLDAP: @@ -743,8 +743,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -815,41 +815,41 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with TPP. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. + description: ClientID is the clientId used to authenticate with TPP. type: string url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. + TPP configuration. type: string required: - authInputType type: object vcpOAuth: description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. type: string type: object type: object 
@@ -858,7 +858,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Certificate Manager SaaS instance. If not set, the default + The URL to connect to the Certificate Manager, SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object @@ -867,7 +867,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to Certificate Manager SaaS. + to Certificate Manager, SaaS. items: properties: hashicorpVaultLDAP: @@ -935,8 +935,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -1007,41 +1007,41 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with TPP. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. + description: ClientID is the clientId used to authenticate with TPP. type: string url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. + TPP configuration. type: string required: - authInputType type: object vcpOAuth: description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. type: string type: object type: object 
@@ -1051,7 +1051,7 @@ spec: apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - Certificate Manager SaaS. + Certificate Manager, SaaS. items: properties: hashicorpVaultLDAP: @@ -1119,8 +1119,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -1191,41 +1191,41 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with TPP. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. + description: ClientID is the clientId used to authenticate with TPP. type: string url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. + TPP configuration. type: string required: - authInputType type: object vcpOAuth: description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. type: string type: object type: object 
@@ -1234,7 +1234,7 @@ spec: x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Certificate Manager SaaS instance. If not set, the default + The URL to connect to the Certificate Manager, SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object @@ -1280,8 +1280,8 @@ spec: type: string tokenValidUntil: description: |- - The ValidUntil time of the token used to authenticate with the Venafi - Control Plane server. + The ValidUntil time of the token used to authenticate with the + Certificate Manager, SaaS. format: date-time type: string type: diff --git a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml index c09e9322..74647373 100644 --- a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml +++ b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml @@ -104,7 +104,7 @@ spec: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to CyberArk Workload Identity Manager. + to Firefly. items: properties: hashicorpVaultLDAP: @@ -146,7 +146,7 @@ spec: /v1/auth/oidc/login type: string clientId: - description: "Deprecated: This field does nothing and will be removed in the future." + description: 'Deprecated: This field does nothing and will be removed in the future.' type: string role: description: |- 
@@ -172,8 +172,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -244,52 +244,52 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with TPP. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. + description: ClientID is the clientId used to authenticate with TPP. type: string url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. + TPP configuration. type: string required: - authInputType type: object vcpOAuth: description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. 
type: string type: object type: object x-kubernetes-validations: - message: must have exactly one field set - rule: "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" + rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' maxItems: 50 type: array x-kubernetes-list-type: atomic url: - description: The URL to connect to the Venafi CyberArk Workload Identity Manager instance. + description: The URL to connect to the Workload Identity Manager instance. type: string required: - url @@ -297,7 +297,7 @@ spec: tpp: properties: accessToken: - description: The list of steps to retrieve a Certificate Manager Self-Hosted access token. + description: The list of steps to retrieve a TPP access token. items: properties: hashicorpVaultLDAP: @@ -339,7 +339,7 @@ spec: /v1/auth/oidc/login type: string clientId: - description: "Deprecated: This field does nothing and will be removed in the future." + description: 'Deprecated: This field does nothing and will be removed in the future.' type: string role: description: |- 
@@ -365,8 +365,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -437,53 +437,53 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with TPP. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. + description: ClientID is the clientId used to authenticate with TPP. type: string url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. + TPP configuration. type: string required: - authInputType type: object vcpOAuth: description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. 
type: string type: object type: object x-kubernetes-validations: - message: must have exactly one field set - rule: "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" + rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' maxItems: 50 type: array x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by venafi-connection-lib. @@ -492,12 +492,12 @@ spec: - url type: object vaas: - description: "Deprecated: The 'vaas' field is deprecated use the field called 'vcp' instead." + description: 'Deprecated: The ''vaas'' field is deprecated use the field called ''vcp'' instead.' properties: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to Certificate Manager SaaS. + to Certificate Manager, SaaS. items: properties: hashicorpVaultLDAP: @@ -539,7 +539,7 @@ spec: /v1/auth/oidc/login type: string clientId: - description: "Deprecated: This field does nothing and will be removed in the future." + description: 'Deprecated: This field does nothing and will be removed in the future.' type: string role: description: |- 
@@ -565,8 +565,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -637,54 +637,54 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with TPP. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. + description: ClientID is the clientId used to authenticate with TPP. type: string url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. + TPP configuration. type: string required: - authInputType type: object vcpOAuth: description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. 
type: string type: object type: object x-kubernetes-validations: - message: must have exactly one field set - rule: "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" + rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' maxItems: 50 type: array x-kubernetes-list-type: atomic apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - Certificate Manager SaaS. + Certificate Manager, SaaS. items: properties: hashicorpVaultLDAP: @@ -726,7 +726,7 @@ spec: /v1/auth/oidc/login type: string clientId: - description: "Deprecated: This field does nothing and will be removed in the future." + description: 'Deprecated: This field does nothing and will be removed in the future.' type: string role: description: |- @@ -752,8 +752,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -824,65 +824,65 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with TPP. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. + description: ClientID is the clientId used to authenticate with TPP. type: string url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. + TPP configuration. type: string required: - authInputType type: object vcpOAuth: description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. 
type: string type: object type: object x-kubernetes-validations: - message: must have exactly one field set - rule: "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" + rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' maxItems: 50 type: array x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Certificate Manager SaaS instance. If not set, the default + The URL to connect to the Certificate Manager, SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object x-kubernetes-validations: - - message: "must have exactly ONE of the following fields set: apiKey or accessToken" - rule: "(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : 0) == 1" + - message: 'must have exactly ONE of the following fields set: apiKey or accessToken' + rule: '(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : 0) == 1' vcp: properties: accessToken: description: |- The list of steps to retrieve the Access Token that will be used to connect - to Certificate Manager SaaS. + to Certificate Manager, SaaS. items: properties: hashicorpVaultLDAP: @@ -924,7 +924,7 @@ spec: /v1/auth/oidc/login type: string clientId: - description: "Deprecated: This field does nothing and will be removed in the future." + description: 'Deprecated: This field does nothing and will be removed in the future.' type: string role: description: |- 
@@ -950,8 +950,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -1022,54 +1022,54 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with TPP. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. + description: ClientID is the clientId used to authenticate with TPP. type: string url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. + TPP configuration. type: string required: - authInputType type: object vcpOAuth: description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. 
type: string type: object type: object x-kubernetes-validations: - message: must have exactly one field set - rule: "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" + rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' maxItems: 50 type: array x-kubernetes-list-type: atomic apiKey: description: |- The list of steps to retrieve the API key that will be used to connect to - Certificate Manager SaaS. + Certificate Manager, SaaS. items: properties: hashicorpVaultLDAP: @@ -1111,7 +1111,7 @@ spec: /v1/auth/oidc/login type: string clientId: - description: "Deprecated: This field does nothing and will be removed in the future." + description: 'Deprecated: This field does nothing and will be removed in the future.' type: string role: description: |- @@ -1137,8 +1137,8 @@ spec: The fields are Vault keys pointing to the secrets passed to the next SecretSource step. - Example 1 (Certificate Manager Self-Hosted, username and password): imagining that you have stored - the username and password for Certificate Manager Self-Hosted under the keys "username" and + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and "password", you will want to set this field to `["username", "password"]`. The username is expected to be given first, the password second. 
@@ -1209,63 +1209,63 @@ spec: type: object tppOAuth: description: |- - TPPOAuth is a SecretSource step that authenticates to a Certificate Manager Self-Hosted server (formerly TPP). This + TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the `authInputType`. properties: authInputType: description: |- AuthInputType is the authentication method to be used to authenticate - with Certificate Manager Self-Hosted. The supported values are "UsernamePassword" and "JWT". + with TPP. The supported values are "UsernamePassword" and "JWT". enum: - UsernamePassword - JWT type: string clientId: - description: ClientID is the clientId used to authenticate with Certificate Manager Self-Hosted. + description: ClientID is the clientId used to authenticate with TPP. type: string url: description: |- - The URL to connect to the CyberArk Certificate Manager Self-Hosted instance. The two URLs + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending `/vedsdk` is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the - Certificate Manager Self-Hosted configuration. + TPP configuration. type: string required: - authInputType type: object vcpOAuth: description: |- - VCPOAuth is a SecretSource step that authenticates to the Venafi Control - Plane. This step is meant to be the last step and requires a prior step + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. properties: tenantID: - description: TenantID is the tenant ID used to authenticate with Certificate Manager SaaS. + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. 
type: string type: object type: object x-kubernetes-validations: - message: must have exactly one field set - rule: "((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1" + rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1' maxItems: 50 type: array x-kubernetes-list-type: atomic url: description: |- - The URL to connect to the Certificate Manager SaaS instance. If not set, the default + The URL to connect to the Certificate Manager, SaaS instance. If not set, the default value https://api.venafi.cloud is used. type: string type: object x-kubernetes-validations: - - message: "must have exactly ONE of the following fields set: apiKey or accessToken" - rule: "(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : 0) == 1" + - message: 'must have exactly ONE of the following fields set: apiKey or accessToken' + rule: '(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : 0) == 1' type: object x-kubernetes-validations: - - message: "must have exactly ONE of the following fields set: tpp or vcp" - rule: "(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp) ? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1" + - message: 'must have exactly ONE of the following fields set: tpp or vcp' + rule: '(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp) ? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1' status: properties: conditions: 
@@ -1307,8 +1307,8 @@ spec: type: string tokenValidUntil: description: |- - The ValidUntil time of the token used to authenticate with the Venafi - Control Plane server. + The ValidUntil time of the token used to authenticate with the + Certificate Manager, SaaS. format: date-time type: string type: diff --git a/go.mod b/go.mod index 9fc73e99..2eabd2f0 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ require ( github.com/fatih/color v1.18.0 github.com/google/uuid v1.6.0 github.com/hashicorp/go-multierror v1.1.1 - github.com/jetstack/venafi-connection-lib v0.5.0 + github.com/jetstack/venafi-connection-lib v0.5.1 github.com/microcosm-cc/bluemonday v1.0.27 github.com/pmylund/go-cache v2.1.0+incompatible github.com/prometheus/client_golang v1.23.2 @@ -39,6 +39,7 @@ require ( github.com/go-logr/zapr v1.3.0 // indirect github.com/go418/concurrentcache v0.6.0 // indirect github.com/go418/concurrentcache/logger v0.0.0-20250207095056-c0b7f8cc8bc2 // indirect + github.com/golang-jwt/jwt/v5 v5.3.0 // indirect github.com/google/btree v1.1.3 // indirect github.com/google/cel-go v0.26.0 // indirect github.com/google/gnostic-models v0.7.0 // indirect @@ -106,6 +107,6 @@ require ( gopkg.in/yaml.v3 v3.0.1 k8s.io/klog/v2 v2.130.1 k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect - k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect + k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect ) diff --git a/go.sum b/go.sum index 1bc1b4fd..13f8945b 100644 --- a/go.sum +++ b/go.sum 
@@ -103,8 +103,8 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jetstack/venafi-connection-lib v0.5.0 h1:chxpeqJ0z35NYW9NOiNx+Q3hRkTwIcWgDN6W53kqSLw= -github.com/jetstack/venafi-connection-lib v0.5.0/go.mod h1:18NQcpxoYFbV7omOXyeg5pZIEYi9giVYVE9L+E58Ufw= +github.com/jetstack/venafi-connection-lib v0.5.1 h1:mS6sSSnLQDpSMZZ4tlju5D4q15eFnrs9StuGR4vDUtY= +github.com/jetstack/venafi-connection-lib v0.5.1/go.mod h1:Ph7uZeaeYldFIFC4vUcUQ3LSTVOLXvwgw5h1/6r1VMA= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= 
@@ -313,8 +313,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= -k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= -k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTijTq8Y= From c5ed1072d4a77ea4961a3e85c6dd1519fdebc3d4 Mon Sep 17 00:00:00 2001 From: Iossif Benbassat Date: Wed, 29 Oct 2025 13:25:36 +0200 Subject: [PATCH 09/11] fix: run generage --- LICENSES | 1 + deploy/charts/venafi-kubernetes-agent/README.md | 2 +- deploy/charts/venafi-kubernetes-agent/values.schema.json | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/LICENSES b/LICENSES index 137f4974..d27cf6dd 100644 --- a/LICENSES +++ b/LICENSES @@ -61,6 +61,7 @@ github.com/go418/concurrentcache,Apache-2.0 github.com/go418/concurrentcache/logger,Apache-2.0 github.com/gogo/protobuf,BSD-3-Clause github.com/golang-jwt/jwt/v4,MIT +github.com/golang-jwt/jwt/v5,MIT github.com/google/btree,Apache-2.0 github.com/google/cel-go,Apache-2.0 github.com/google/cel-go,BSD-3-Clause 
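Review bot: in the `@@ -1209,63 +1209,63 @@` hunk the top-level validation message `must have exactly ONE of the following fields set: tpp or vcp` no longer matches its rule, which counts four fields: `(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp) ? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1`. A user who sets `vaas` or `firefly` together with another backend, or nothing at all, gets an error that never names the field that tripped it. The hunk only changes the quoting, so the fix belongs in the kubebuilder marker on the upstream type (this CRD is regenerated from the `github.com/jetstack/venafi-connection-lib v0.5.1` bump in go.mod); suggest `must have exactly ONE of the following fields set: tpp, vaas, vcp or firefly`, or dropping the deprecated names from the rule if they are no longer meant to be accepted.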
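Review bot: the regenerated descriptions in the `@@ -824`, `@@ -1022` and `@@ -1209` hunks use three different names for the same product within one object: `tppOAuth` now reads "authenticates to a TPP server" and "defaults to the URL defined at the top-level of the TPP configuration", while the `url` field between them reads "The URL to connect to the Certificate Manager, Self-Hosted instance", and the `vcp`/`vcpOAuth` descriptions say "Certificate Manager, SaaS" with a stray comma. The removed lines carried the rebranded wording ("Certificate Manager Self-Hosted (formerly TPP)"), so this regeneration partly reverts the rename. Since the text comes from venafi-connection-lib v0.5.1, confirm that this wording is intended or pick a release of the library whose field docs are consistent before regenerating; the same text is duplicated in `venafi-connection-crd.without-validations.yaml` and `venafi-connection-crd.yaml` per the diffstat, so it will surface in the Helm chart as well.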
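Review bot: go.mod gains a new transitive dependency, `github.com/golang-jwt/jwt/v5 v5.3.0 // indirect`, but the two go.sum hunks in this patch (`@@ -103,8 +103,8 @@` and `@@ -313,8 +313,8 @@`) only replace the `venafi-connection-lib` and `k8s.io/utils` entries; no `h1:` lines for `golang-jwt/jwt/v5` are visible. If the corresponding go.sum hunk is genuinely absent the build fails with a missing go.sum entry, so run `go mod tidy && go mod verify` and include the result. Note also that the v5 module is added alongside the existing `golang-jwt/jwt/v4` (LICENSES lists both after PATCH 09), which means two JWT implementations are now in the dependency graph; worth a line in the PR description saying which code path in venafi-connection-lib pulls in v5, since this is a token-handling library.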
diff --git a/deploy/charts/venafi-kubernetes-agent/README.md b/deploy/charts/venafi-kubernetes-agent/README.md index 3adb3ee1..cf2bd6e2 100644 --- a/deploy/charts/venafi-kubernetes-agent/README.md +++ b/deploy/charts/venafi-kubernetes-agent/README.md @@ -105,7 +105,7 @@ default replicas, do not scale up > registry.venafi.cloud/venafi-agent/venafi-agent > ``` -The container image for the Enterprise Issuer manager. +The container image for the Enterprise Issuer. #### **image.pullPolicy** ~ `string` > Default value: > ```yaml diff --git a/deploy/charts/venafi-kubernetes-agent/values.schema.json b/deploy/charts/venafi-kubernetes-agent/values.schema.json index 66f50339..7709623e 100644 --- a/deploy/charts/venafi-kubernetes-agent/values.schema.json +++ b/deploy/charts/venafi-kubernetes-agent/values.schema.json @@ -350,7 +350,7 @@ }, "helm-values.image.repository": { "default": "registry.venafi.cloud/venafi-agent/venafi-agent", - "description": "The container image for the Enterprise Issuer manager.", + "description": "The container image for the Enterprise Issuer.", "type": "string" }, "helm-values.image.tag": { From 32ef042bdbbe1f0407f9ceb0873debcf66b8637d Mon Sep 17 00:00:00 2001 From: iossifbenbassat123 Date: Thu, 30 Oct 2025 11:17:50 +0200 Subject: [PATCH 10/11] Update deploy/charts/venafi-kubernetes-agent/values.yaml Co-authored-by: Atanas Chuchev --- deploy/charts/venafi-kubernetes-agent/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/charts/venafi-kubernetes-agent/values.yaml b/deploy/charts/venafi-kubernetes-agent/values.yaml index a94893c7..75010de4 100644 --- a/deploy/charts/venafi-kubernetes-agent/values.yaml +++ b/deploy/charts/venafi-kubernetes-agent/values.yaml @@ -51,7 +51,7 @@ metrics: replicaCount: 1 image: - # The container image for the Enterprise Issuer. + # The container image for the Discovery Agent. repository: registry.venafi.cloud/venafi-agent/venafi-agent # Kubernetes imagePullPolicy on Deployment. 
From a8952ba6c6f55b35fbdacce7b50c1797c4567f71 Mon Sep 17 00:00:00 2001 From: Iossif Benbassat Date: Thu, 30 Oct 2025 11:23:45 +0200 Subject: [PATCH 11/11] fix: run generate commands --- deploy/charts/venafi-kubernetes-agent/README.md | 2 +- deploy/charts/venafi-kubernetes-agent/values.schema.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/charts/venafi-kubernetes-agent/README.md b/deploy/charts/venafi-kubernetes-agent/README.md index cf2bd6e2..25259e3f 100644 --- a/deploy/charts/venafi-kubernetes-agent/README.md +++ b/deploy/charts/venafi-kubernetes-agent/README.md @@ -105,7 +105,7 @@ default replicas, do not scale up > registry.venafi.cloud/venafi-agent/venafi-agent > ``` -The container image for the Enterprise Issuer. +The container image for the Discovery Agent. #### **image.pullPolicy** ~ `string` > Default value: > ```yaml diff --git a/deploy/charts/venafi-kubernetes-agent/values.schema.json b/deploy/charts/venafi-kubernetes-agent/values.schema.json index 7709623e..876f4b5c 100644 --- a/deploy/charts/venafi-kubernetes-agent/values.schema.json +++ b/deploy/charts/venafi-kubernetes-agent/values.schema.json @@ -350,7 +350,7 @@ }, "helm-values.image.repository": { "default": "registry.venafi.cloud/venafi-agent/venafi-agent", - "description": "The container image for the Enterprise Issuer.", + "description": "The container image for the Discovery Agent.", "type": "string" }, "helm-values.image.tag": {
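Review bot: PATCH 09 changes the `helm-values.image.repository` description in `deploy/charts/venafi-kubernetes-agent/README.md` and `values.schema.json` from "The container image for the Enterprise Issuer manager." to "The container image for the Enterprise Issuer.", which names the wrong product for this chart; PATCH 10 then corrects the source comment in `values.yaml` to "The container image for the Discovery Agent." and PATCH 11 regenerates the README and schema to match. Squash 09, 10 and 11 into one commit (and fix the "generage" typo in the PATCH 09 subject) so the intermediate, incorrect description never lands as a standalone commit, and so that the generated files and `values.yaml` always move together.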