vault_ca.proto

Package : tls.security.policy.gloo.solo.io


VaultCA

Field | Type | Label | Description
caPath | string | | ca_path is the mount path of the Vault PKI backend's sign endpoint, e.g. "my_pki_mount/sign/my-role-name".
csrPath | string | | csr_path is the mount path of the Vault PKI backend's generate endpoint, e.g. "my_pki_mount/intermediate/generate/exported". The "exported" type is required here because Istio needs access to the intermediate's private key. See the Vault docs: https://www.vaultproject.io/api-docs/secret/pki#parameters-4
server | string | | Connection address of the Vault server, e.g. "https://vault.example.com:8200".
caBundle | bytes | | Inline CA bytes.
caSecretRef | core.skv2.solo.io.ObjectRef | | Reference to a Secret containing the CA bytes. The CA must be stored under the key root-cert.pem.
caLocalPath | string | | Path to a local file containing the CA bytes.
namespace | string | | Name of the Vault namespace, e.g. "ns1". Namespaces are a Vault Enterprise feature that lets a single Vault environment support secure multi-tenancy. See the Vault documentation on namespaces.
tokenSecretRef | core.skv2.solo.io.ObjectRef | | Authenticates with Vault by presenting the token stored in the referenced Secret.
kubernetesAuth | tls.security.policy.gloo.solo.io.VaultKubernetesAuth | | Authenticates with Vault using the Kubernetes auth method: the ServiceAccount token stored in the named Secret resource is passed to the Vault server.

VaultKubernetesAuth

Field | Type | Label | Description
mountPath | string | | Mount path to use when authenticating with Vault. For example, setting it to /v1/auth/foo uses the path /v1/auth/foo/login to authenticate. If unspecified, the default "/v1/auth/kubernetes" is used.
role | string | | Required. The Vault role to assume. A role binds a Kubernetes ServiceAccount to a set of Vault policies.
secretTokenKey | string | | Key under which the ServiceAccount token is stored in the referenced Secret. Defaults to "token".
serviceAccountRef | core.skv2.solo.io.ObjectRef | | Reference to a ServiceAccount other than the one mounted into the current pod.
mountedSaPath | string | | Filesystem path to read the ServiceAccount token from. Defaults to /var/run/secrets/kubernetes.io/serviceaccount.
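The following Go program is an added example, not code from this page or from the Gloo Mesh project, showing how the VaultCA and VaultKubernetesAuth fields above map onto the two Vault API calls they describe: it derives the login URL from mountPath (with the documented default), the token file from mountedSaPath, and the sign URL from caPath, then performs the Kubernetes auth login and submits a CSR to the sign endpoint. It assumes Vault's public HTTP API as documented by HashiCorp (a login body of role and jwt answered with auth.client_token, the X-Vault-Namespace and X-Vault-Token headers, and data.certificate in the PKI sign reply); the orDefault and postJSON helpers and the role name istio-ca are this example's own inventions. One caveat a practitioner will want: because csrPath uses the "exported" type, the intermediate's private key is returned to whoever holds the role's token, so the policy bound to that role should grant only the sign and generate paths configured here.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// VaultKubernetesAuth mirrors the message fields used here; Role is required.
type VaultKubernetesAuth struct {
	MountPath, Role, MountedSaPath string
}

// VaultCA mirrors Server, Namespace (sent as X-Vault-Namespace), CaPath and the kubernetesAuth block.
type VaultCA struct {
	Server, Namespace, CaPath string
	Auth                      VaultKubernetesAuth
}

func orDefault(v, d string) string {
	if v == "" {
		return d
	}
	return v
}

// LoginURL applies the documented default mount path and appends "/login" (/v1/auth/foo -> /v1/auth/foo/login).
func (a VaultKubernetesAuth) LoginURL(server string) string {
	mp := strings.Trim(orDefault(a.MountPath, "/v1/auth/kubernetes"), "/")
	return strings.TrimRight(server, "/") + "/" + mp + "/login"
}

// TokenFile is the projected token file inside mountedSaPath (the field names the directory).
func (a VaultKubernetesAuth) TokenFile() string {
	return strings.TrimRight(orDefault(a.MountedSaPath, "/var/run/secrets/kubernetes.io/serviceaccount"), "/") + "/token"
}

// SignURL turns caPath (e.g. my_pki_mount/sign/my-role-name) into the full endpoint under /v1/.
func (c VaultCA) SignURL() string {
	return strings.TrimRight(c.Server, "/") + "/v1/" + strings.Trim(c.CaPath, "/")
}

// postJSON sends one JSON request with the namespace and (when set) token headers and decodes a 200 reply.
func (c VaultCA) postJSON(client *http.Client, url, token string, in, out interface{}) error {
	body, _ := json.Marshal(in)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return err
	}
	if c.Namespace != "" {
		req.Header.Set("X-Vault-Namespace", c.Namespace)
	}
	if token != "" {
		req.Header.Set("X-Vault-Token", token)
	}
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s: unexpected status %s", url, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Login exchanges the ServiceAccount JWT for a Vault client token via the Kubernetes auth method.
func (c VaultCA) Login(client *http.Client, jwt string) (string, error) {
	if c.Auth.Role == "" {
		return "", fmt.Errorf("vault kubernetes auth: role is required")
	}
	var out struct {
		Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"`
	}
	in := map[string]string{"role": c.Auth.Role, "jwt": jwt}
	if err := c.postJSON(client, c.Auth.LoginURL(c.Server), "", in, &out); err != nil {
		return "", err
	}
	if out.Auth.ClientToken == "" {
		return "", fmt.Errorf("vault login reply carried no auth.client_token")
	}
	return out.Auth.ClientToken, nil
}

// SignCSR submits a PEM CSR to the caPath sign endpoint and returns the issued certificate PEM.
func (c VaultCA) SignCSR(client *http.Client, token, csrPEM string) (string, error) {
	var out struct {
		Data struct{ Certificate string `json:"certificate"` } `json:"data"`
	}
	err := c.postJSON(client, c.SignURL(), token, map[string]string{"csr": csrPEM}, &out)
	return out.Data.Certificate, err
}

func main() {
	ca := VaultCA{Server: "https://vault.example.com:8200", CaPath: "my_pki_mount/sign/my-role-name"}
	fmt.Println(ca.Auth.LoginURL(ca.Server), ca.Auth.TokenFile(), ca.SignURL())
}
```

Run stand-alone, main only prints the derived URLs, so it needs no Vault server; in a pod, read the JWT from TokenFile() and pass it to Login, then hand the returned token to SignCSR. Any non-200 reply is treated as a failure rather than parsed, and an empty client_token is rejected, so a misconfigured role or namespace surfaces as an error instead of an empty credential.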