Proto: vault_ca.proto

Package: tls.security.policy.gloo.solo.io

Types:

VaultCA

FieldDescription
caPath(string)

ca_path is the mount path of the Vault PKI backend’s sign endpoint, e.g: “my_pki_mount/sign/my-role-name”.
csrPath(string)

csr_path is the mount path of the Vault PKI backend’s generate endpoint, e.g: “my_pki_mount/intermediate/generate/exported”. “exported” is necessary here as istio needs access to the private key See vault docs here: https://developer.hashicorp.com/vault/api-docs/secret/pki#parameters-4
server(string)

Server is the connection address for the Vault server, e.g: “https://vault.example.com:8200”.
caBundle(bytes)

Inline CA bytes
caSecretRef(core.skv2.solo.io.ObjectRef)

Reference to a secret containing the CA bytes. The CA should be stored by the key root-cert.pem
caLocalPath(string)

Path to a local file containing the CA bytes
namespace(string)

Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: “ns1” More about namespaces can be found here
tokenSecretRef(core.skv2.solo.io.ObjectRef)

TokenSecretRef authenticates with Vault by presenting a token.
kubernetesAuth(VaultKubernetesAuth)

Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.

VaultKubernetesAuth

FieldDescription
mountPath(string)

The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to /v1/auth/foo, will use the path /v1/auth/foo/login to authenticate with Vault. If unspecified, the default value “/v1/auth/kubernetes” will be used.
role(string)

A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
secretTokenKey(string)

Key to search for the sa_token Default to “token”
serviceAccountRef(core.skv2.solo.io.ObjectRef)

Reference to service account, other than the one mounted to the current pod.
mountedSaPath(string)

File System path to grab the service account token from. Defaults to /var/run/secrets/kubernetes.io/serviceaccount