On this page
VaultCa
VaultCa API reference.
Proto: vault_ca.proto
Package: tls.security.policy.gloo.solo.io
Types:
VaultCA
Field | Description |
---|---|
caPath | (string )ca_path is the mount path of the Vault PKI backend’s sign endpoint, e.g: “my_pki_mount/sign/my-role-name”. |
csrPath | (string )csr_path is the mount path of the Vault PKI backend’s generate endpoint, e.g: “my_pki_mount/intermediate/generate/exported”. “exported” is necessary here as istio needs access to the private key See vault docs here: https://developer.hashicorp.com/vault/api-docs/secret/pki#parameters-4 |
server | (string )Server is the connection address for the Vault server, e.g: “https://vault.example.com:8200”. |
caBundle | (bytes )Inline CA bytes |
caSecretRef | (core.skv2.solo.io.ObjectRef )Reference to a secret containing the CA bytes. The CA should be stored by the key root-cert.pem |
caLocalPath | (string )Path to a local file containing the CA bytes |
namespace | (string )Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: “ns1” More about namespaces can be found here |
tokenSecretRef | (core.skv2.solo.io.ObjectRef )TokenSecretRef authenticates with Vault by presenting a token. |
kubernetesAuth | (VaultKubernetesAuth )Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. |
VaultKubernetesAuth
Field | Description |
---|---|
mountPath | (string )The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to /v1/auth/foo , will use the path /v1/auth/foo/login to authenticate with Vault. If unspecified, the default value “/v1/auth/kubernetes” will be used. |
role | (string )A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. |
secretTokenKey | (string )Key to search for the sa_token Default to “token” |
serviceAccountRef | (core.skv2.solo.io.ObjectRef )Reference to service account, other than the one mounted to the current pod. |
mountedSaPath | (string )File System path to grab the service account token from. Defaults to /var/run/secrets/kubernetes.io/serviceaccount |