VaultCa
VaultCa API reference.
Proto: vault_ca.proto
Package: tls.security.policy.gloo.solo.io
VaultCA
| Field | Description |
|---|---|
| caPath | (string) ca_path is the mount path of the Vault PKI backend’s sign endpoint, e.g. “my_pki_mount/sign/my-role-name”. |
| csrPath | (string) csr_path is the mount path of the Vault PKI backend’s generate endpoint, e.g. “my_pki_mount/intermediate/generate/exported”. “exported” is necessary here because Istio needs access to the private key. See the Vault docs: https://developer.hashicorp.com/vault/api-docs/secret/pki#parameters-4 |
| server | (string) Server is the connection address for the Vault server, e.g. “https://vault.example.com:8200”. |
| caBundle | (bytes) Inline CA bytes. |
| caSecretRef | (core.skv2.solo.io.ObjectRef) Reference to a secret containing the CA bytes. The CA should be stored under the key root-cert.pem. |
| caLocalPath | (string) Path to a local file containing the CA bytes. |
| namespace | (string) Name of the Vault namespace, e.g. “ns1”. Namespaces are a set of features within Vault Enterprise that allow Vault environments to support secure multi-tenancy. More about namespaces can be found here |
| tokenSecretRef | (core.skv2.solo.io.ObjectRef) TokenSecretRef authenticates with Vault by presenting a token. |
| kubernetesAuth | (VaultKubernetesAuth) Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. |
VaultKubernetesAuth
| Field | Description |
|---|---|
| mountPath | (string) The mount path to use when authenticating with Vault. For example, setting the value to /v1/auth/foo will use the path /v1/auth/foo/login to authenticate with Vault. If unspecified, the default value “/v1/auth/kubernetes” is used. |
| role | (string) A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. |
| secretTokenKey | (string) Key to search for the sa_token. Defaults to “token”. |
| serviceAccountRef | (core.skv2.solo.io.ObjectRef) Reference to a service account other than the one mounted to the current pod. |
| mountedSaPath | (string) File system path to read the service account token from. Defaults to /var/run/secrets/kubernetes.io/serviceaccount. |
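
The following pre-deployment check is an added example, not code from the Gloo project: it takes the fields above as a plain dict, flags settings that contradict the field descriptions, and derives the Vault endpoints they resolve to. The function name `check_vault_ca`, the sample values, the `/v1/` prefix on the PKI paths, the requirement that one auth method is set, and the https check are assumptions of this example.

```python
from urllib.parse import urlsplit

DEFAULT_K8S_MOUNT = "/v1/auth/kubernetes"  # default given for mountPath

def check_vault_ca(cfg):
    """Return (endpoints, problems) for a VaultCA expressed as a dict."""
    problems = []
    server = cfg.get("server", "")
    parts = urlsplit(server)
    # Assumption of this example: a plaintext Vault address is treated as a finding.
    if parts.scheme != "https" or not parts.netloc:
        problems.append("server: expected an https:// address")
    base = server.rstrip("/")

    ca_path = cfg.get("caPath", "").strip("/")
    csr_path = cfg.get("csrPath", "").strip("/")
    if "/sign/" not in ca_path:
        problems.append("caPath: should point at the PKI sign endpoint")
    # The csrPath description requires the "exported" variant of generate.
    if not csr_path.endswith("/generate/exported"):
        problems.append("csrPath: must end in generate/exported")

    # Assumption: the PKI paths are served under Vault's /v1/ API prefix.
    endpoints = {"sign": f"{base}/v1/{ca_path}",
                 "generate": f"{base}/v1/{csr_path}"}

    k8s = cfg.get("kubernetesAuth")
    if k8s is not None:
        if not k8s.get("role"):
            problems.append("kubernetesAuth.role: required")
        mount = "/" + (k8s.get("mountPath") or DEFAULT_K8S_MOUNT).strip("/")
        endpoints["login"] = f"{base}{mount}/login"  # mountPath + /login
    elif not cfg.get("tokenSecretRef"):
        # Assumption: one of the two listed auth methods must be present.
        problems.append("auth: set tokenSecretRef or kubernetesAuth")
    return endpoints, problems

# Constructed sample built from the example values in the field descriptions.
SAMPLE = {
    "server": "https://vault.example.com:8200",
    "caPath": "my_pki_mount/sign/my-role-name",
    "csrPath": "my_pki_mount/intermediate/generate/exported",
    "kubernetesAuth": {"role": "my-vault-role", "mountPath": "/v1/auth/foo"},
}

if __name__ == "__main__":
    eps, probs = check_vault_ca(SAMPLE)
    print(eps, probs)
```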