deploy/helm/secret-operator/crds/crds.yaml
+28-6
Original file line number
Diff line number
Diff line change
@@ -22,8 +22,10 @@ spec:
22
22
description: Auto-generated derived type for SecretClassSpec via `CustomResource`
23
23
properties:
24
24
spec:
25
+
description: A [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) is a cluster-global Kubernetes resource that defines a category of secrets that the Secret Operator knows how to provision.
25
26
properties:
26
27
backend:
28
+
description: Each SecretClass is associated with a single [backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend), which dictates the mechanism for issuing that kind of Secret.
27
29
oneOf:
28
30
- required:
29
31
- k8sSearch
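Review bot: the documentation links in the new `spec` and `backend` descriptions point at the `nightly` docs path (`https://docs.stackable.tech/home/nightly/secret-operator/secretclass`), so a CRD shipped with a released Helm chart will link to documentation that can drift from the installed operator version; consider templating the docs version into the path or linking to the release-specific page. The same applies to the backend links added in the later hunks.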
@@ -33,15 +35,20 @@ spec:
33
35
- kerberosKeytab
34
36
properties:
35
37
autoTls:
38
+
description: |-
39
+
The [`autoTls` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-autotls) issues a TLS certificate signed by the Secret Operator. The certificate authority can be provided by the administrator, or managed automatically by the Secret Operator.
40
+
41
+
A new certificate and keypair will be generated and signed for each Pod, keys or certificates are never reused.
36
42
properties:
37
43
ca:
44
+
description: Configures the certificate authority used to issue Pod certificates.
38
45
properties:
39
46
autoGenerate:
40
47
default: false
41
-
description: Whether a new certificate authority should be generated if it does not already exist
48
+
description: Whether a new certificate authority should be generated if it does not already exist.
42
49
type: boolean
43
50
secret:
44
-
description: SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace
51
+
description: Reference (name and namespace) to a Kubernetes Secret object where the CA certificate and key is stored in the keys `ca.crt` and `ca.key` respectively.
45
52
properties:
46
53
name:
47
54
description: name is unique within a namespace to reference a secret resource.
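Review bot: the `secret` description added under `ca` has a subject-verb disagreement, `where the CA certificate and key is stored` should read `are stored`, and the `autoTls` description has a comma splice (`... for each Pod, keys or certificates are never reused.`) that reads better as two sentences. More substantively, the `autoGenerate` description only covers the `true` case; it would help administrators to state what happens when it is `false` and the referenced Secret does not exist, since that is the failure mode hit first when the CA Secret has not been created.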
@@ -55,43 +62,51 @@ spec:
55
62
type: object
56
63
maxCertificateLifetime:
57
64
default: 15d
58
-
description: Maximum lifetime the created certificates are allowed to have. In case consumers request a longer lifetime than allowed by this setting, the lifetime will be the minimum of both, so this setting takes precedence.
65
+
description: Maximum lifetime the created certificates are allowed to have. In case consumers request a longer lifetime than allowed by this setting, the lifetime will be the minimum of both, so this setting takes precedence. The default value is 15 days.
59
66
type: string
60
67
required:
61
68
- ca
62
69
type: object
63
70
k8sSearch:
71
+
description: The [`k8sSearch` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-k8ssearch) can be used to mount Secrets across namespaces into Pods.
64
72
properties:
65
73
searchNamespace:
74
+
description: Configures the namespace searched for Secret objects.
66
75
oneOf:
67
76
- required:
68
77
- pod
69
78
- required:
70
79
- name
71
80
properties:
72
81
name:
82
+
description: The Secret objects are located in a single global namespace. Should be used for secrets that are provisioned by the cluster administrator.
73
83
type: string
74
84
pod:
85
+
description: The Secret objects are located in the same namespace as the Pod object. Should be used for Secrets that are provisioned by the application administrator.
75
86
type: object
76
87
type: object
77
88
required:
78
89
- searchNamespace
79
90
type: object
80
91
kerberosKeytab:
92
+
description: The [`kerberosKeytab` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-kerberoskeytab) creates a Kerberos keytab file for a selected realm. The Kerberos KDC and administrator credentials must be provided by the administrator.
description: Credentials should be provisioned in a Microsoft Active Directory domain.
90
104
properties:
91
105
ldapServer:
106
+
description: An AD LDAP server, such as the AD Domain Controller. This must match the server’s FQDN, or GSSAPI authentication will fail.
92
107
type: string
93
108
ldapTlsCaSecret:
94
-
description: SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace
109
+
description: Reference (name and namespace) to a Kubernetes Secret object containing the TLS CA (in `ca.crt`) that the LDAP server’s certificate should be authenticated against.
95
110
properties:
96
111
name:
97
112
description: name is unique within a namespace to reference a secret resource.
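Review bot: the `name` variant of `searchNamespace` should say explicitly that a Secret found in that single global namespace becomes mountable by Pods in any namespace that references the SecretClass, which is the cross-namespace behaviour the `k8sSearch` description above advertises and the reason the field is reserved for secrets provisioned by the cluster administrator. Minor: `The default value is 15 days.` in the `maxCertificateLifetime` description duplicates `default: 15d` one line above and will drift if the default ever changes; the schema default is the source of truth.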
@@ -101,7 +116,7 @@ spec:
101
116
type: string
102
117
type: object
103
118
passwordCacheSecret:
104
-
description: SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace
119
+
description: Reference (name and namespace) to a Kubernetes Secret object where workload passwords will be stored. This must not be accessible to end users.
105
120
properties:
106
121
name:
107
122
description: name is unique within a namespace to reference a secret resource.
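Review bot: `This must not be accessible to end users.` in the `passwordCacheSecret` description states a requirement the CRD cannot enforce; since the operator writes workload passwords into this Secret, the description should say how that is expected to be achieved (for example a dedicated namespace with RBAC that grants only the operator access) or link to the relevant docs section, as the other backend descriptions in this change do.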
@@ -111,8 +126,10 @@ spec:
111
126
type: string
112
127
type: object
113
128
schemaDistinguishedName:
129
+
description: The root Distinguished Name (DN) for AD-managed schemas, typically `CN=Schema,CN=Configuration,{domain_dn}`.
114
130
type: string
115
131
userDistinguishedName:
132
+
description: The root Distinguished Name (DN) where service accounts should be provisioned, typically `CN=Users,{domain_dn}`.
116
133
type: string
117
134
required:
118
135
- ldapServer
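Review bot: both new DN descriptions use an undefined `{domain_dn}` placeholder; spell out what it stands for, e.g. `the domain's base DN, such as DC=example,DC=com`, so that `CN=Users,{domain_dn}` is unambiguous to someone reading the schema through `kubectl explain`.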
@@ -122,15 +139,17 @@ spec:
122
139
- userDistinguishedName
123
140
type: object
124
141
mit:
142
+
description: Credentials should be provisioned in a MIT Kerberos Admin Server.
125
143
properties:
126
144
kadminServer:
145
+
description: The hostname of the Kerberos Admin Server. This should be provided by the Kerberos administrator.
127
146
type: string
128
147
required:
129
148
- kadminServer
130
149
type: object
131
150
type: object
132
151
adminKeytabSecret:
133
-
description: SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace
152
+
description: Reference (`name` and `namespace`) to a K8s Secret object where a keytab with administrative privileges is stored in the key `keytab`.
134
153
properties:
135
154
name:
136
155
description: name is unique within a namespace to reference a secret resource.
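Review bot: the `adminKeytabSecret` description is inconsistent with the other SecretReference descriptions in this change: it says `K8s Secret` where the others say `Kubernetes Secret`, and it backticks `name` and `namespace` while the others write `(name and namespace)`. Given that this keytab carries administrative privileges, it also deserves the same access-restriction wording used for `passwordCacheSecret`.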
@@ -140,10 +159,13 @@ spec:
140
159
type: string
141
160
type: object
142
161
adminPrincipal:
162
+
description: The admin principal.
143
163
type: string
144
164
kdc:
165
+
description: The hostname of the Kerberos Key Distribution Center (KDC). This should be provided by the Kerberos administrator.
145
166
type: string
146
167
realmName:
168
+
description: The name of the Kerberos realm. This should be provided by the Kerberos administrator.
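Review bot: `The admin principal.` for `adminPrincipal` adds nothing beyond the field name; state the expected format and that it must correspond to the keytab referenced by `adminKeytabSecret`, in the same style as the `kdc` and `realmName` descriptions in this hunk.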