VaultCa
Proto: vault_ca.proto
Package: tls.security.policy.gloo.solo.io
Types:
VaultCA
Field | Description |
---|---|
caPath | (string) ca_path is the mount path of the Vault PKI backend's sign endpoint, e.g. “my_pki_mount/sign/my-role-name”. |
csrPath | (string) csr_path is the mount path of the Vault PKI backend's generate endpoint, e.g. “my_pki_mount/intermediate/generate/exported”. “exported” is necessary here because Istio needs access to the private key. See the Vault docs: https://www.vaultproject.io/api-docs/secret/pki#parameters-4 |
server | (string) Server is the connection address for the Vault server, e.g. “https://vault.example.com:8200”. |
caBundle | (bytes) Inline CA bytes. |
caSecretRef | (core.skv2.solo.io.ObjectRef) Reference to a Secret containing the CA bytes. The CA should be stored under the key root-cert.pem. |
caLocalPath | (string) Path to a local file containing the CA bytes. |
namespace | (string) Name of the Vault namespace. Namespaces are a Vault Enterprise feature that allows Vault environments to support secure multi-tenancy, e.g. “ns1”. More about namespaces can be found here. |
tokenSecretRef | (core.skv2.solo.io.ObjectRef) TokenSecretRef authenticates with Vault by presenting a token. |
kubernetesAuth | (VaultKubernetesAuth) Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. |
VaultKubernetesAuth
Field | Description |
---|---|
mountPath | (string) The Vault mountPath is the mount path to use when authenticating with Vault. For example, setting the value to /v1/auth/foo will use the path /v1/auth/foo/login to authenticate with Vault. If unspecified, the default value “/v1/auth/kubernetes” will be used. |
role | (string) A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount to a set of Vault policies. |
secretTokenKey | (string) Key under which the service account token (sa_token) is stored. Defaults to “token”. |
serviceAccountRef | (core.skv2.solo.io.ObjectRef) Reference to a service account other than the one mounted to the current pod. |
mountedSaPath | (string) File system path to read the service account token from. Defaults to /var/run/secrets/kubernetes.io/serviceaccount. |