Venafi Connection API reference
Resource Types
VenafiConnection
VenafiConnection is the Schema for the VenafiConnection API.
| Name | Type | Description | Required |
apiVersion | string | jetstack.io/v1alpha1 | true |
kind | string | VenafiConnection | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
VenafiConnection.spec
| Name | Type | Description | Required |
allowReferencesFrom | object | A namespace selector that specifies what namespaces this VenafiConnection is allowed to be used from. If not set/ null, the VenafiConnection can only be used within its namespace. An empty selector ({}) matches all namespaces. If set to a non-empty selector, the VenafiConnection can only be used from namespaces that match the selector. This possibly excludes the namespace the VenafiConnection is in. | false |
tpp | object | | false |
vaas | object | | false |
VenafiConnection.spec.allowReferencesFrom
A namespace selector that specifies what namespaces this VenafiConnection is allowed to be used from. If not set/ null, the VenafiConnection can only be used within its namespace. An empty selector ({}) matches all namespaces. If set to a non-empty selector, the VenafiConnection can only be used from namespaces that match the selector. This possibly excludes the namespace the VenafiConnection is in.
| Name | Type | Description | Required |
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
VenafiConnection.spec.allowReferencesFrom.matchExpressions[index]
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
| Name | Type | Description | Required |
key | string | key is the label key that the selector applies to. | true |
operator | string | operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true |
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false |
VenafiConnection.spec.tpp
| Name | Type | Description | Required |
url | string | The URL to connect to the Venafi TPP instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by venafi-connection-lib. | true |
accessToken | []object | The list of steps to retrieve a TPP access token. | false |
VenafiConnection.spec.tpp.accessToken[index]
| Name | Type | Description | Required |
hashicorpVaultLDAP | object | HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType. | false |
VenafiConnection.spec.tpp.accessToken[index].hashicorpVaultLDAP
HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
ldapPath | string | The full HTTP path to the secret in Vault. Example: /v1/ldap/static-cred/:role_name or /v1/ldap/creds/:role_name | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.tpp.accessToken[index].hashicorpVaultOAuth
HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.
| Name | Type | Description | Required |
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
authPath | string | The login URL used for obtaining the Vault token. Example: "https://vault:8200/v1/auth/oidc/login". | true |
role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
clientId | string | DEPRECATED: This field does nothing and will be removed in the future. | false |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.tpp.accessToken[index].hashicorpVaultSecret
HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example 1 (TPP, username and password): In a scenario where you have stored the username and password for TPP under the keys "username" and "password", you need to set this field to ["username", "password"]. The username is expected to be given first, the password second. | true |
secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.tpp.accessToken[index].secret
Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.
| Name | Type | Description | Required |
fields | []string | The names of the fields you want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
name | string | The name of the Kubernetes secret. | true |
VenafiConnection.spec.tpp.accessToken[index].serviceAccountToken
ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step.
| Name | Type | Description | Required |
audiences | []string | Audiences are the intendend audiences of the token. A recipient of a token must identify themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
name | string | The name of the Kubernetes service account. | true |
expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response. Format: int64 | false |
VenafiConnection.spec.tpp.accessToken[index].tppOAuth
TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType.
| Name | Type | Description | Required |
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT".
Enum: UsernamePassword, JWT | true |
clientId | string | ClientID is the clientId used to authenticate with TPP.
Default: cert-manager.io | false |
url | string | The URL to connect to the Venafi TPP instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. | false |
VenafiConnection.spec.vaas
| Name | Type | Description | Required |
apiKey | []object | The list of steps to retrieve the API key that will be used to connect to TLS Protect Cloud. | false |
url | string | The URL to connect to the Venafi TLS Protect Cloud instance. If not set, the default value https://api.venafi.cloud/v1/ is used. | false |
VenafiConnection.spec.vaas.apiKey[index]
Details about each SecretSource step to retrieve the API key that will be used to connect to Venafi TLS Protect Cloud.
| Name | Type | Description | Required |
hashicorpVaultLDAP | object | HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
| secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType. | false |
VenafiConnection.spec.vaas.apiKey[index].hashicorpVaultLDAP
HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
ldapPath | string | The full HTTP path to the secret in Vault. Example: /v1/ldap/static-cred/:role_name or /v1/ldap/creds/:role_name | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vaas.apiKey[index].hashicorpVaultOAuth
HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.
| Name | Type | Description | Required |
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
authPath | string | The login URL used for obtaining the Vault token. Example: /v1/auth/oidc/login | true |
role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
clientId | string | DEPRECATED: This field does nothing and will be removed in the future. | false |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vaas.apiKey[index].hashicorpVaultSecret
HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example 1 (TPP, username and password): In a scenario where you have stored the username and password for TPP under the keys "username" and "password", you need to set this field to ["username", "password"]. The username is expected to be given first, the password second. | true |
secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vaas.apiKey[index].secret
Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.
| Name | Type | Description | Required |
fields | []string | The names of the fields we want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
name | string | The name of the Kubernetes secret. | true |
VenafiConnection.spec.vaas.apiKey[index].serviceAccountToken
| Name | Type | Description | Required |
audiences | []string | udiences are the intendend audiences of the token. A recipient of a token must identify themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
name | string | The name of the Kubernetes service account. | true |
expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.
Format: int64 | false |
VenafiConnection.spec.vaas.apiKey[index].tppOAuth
| Name | Type | Description | Required |
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT".
Enum: UsernamePassword, JWT | true |
clientId | string | ClientID is the clientId used to authenticate with TPP.
Default: cert-manager.io | false |
url | string | The URL to connect to the Venafi TPP instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. | false |
VenafiConnection.status
| Name | Type | Description | Required |
conditions | []object | List of status conditions to indicate the status of a VenafiConnection. | false |
VenafiConnection.status.conditions[index]
ConnectionCondition contains condition information for a VenafiConnection.
| Name | Type | Description | Required |
status | string | Status of the condition, one of (True, False, Unknown). | true |
type | string | Type of the condition, should be a combination of the unique name of the operator and the type of condition. eg. VenafiEnhancedIssuerReady | true |
lastTransitionTime | string | LastTransitionTime is the timestamp corresponding to the last status change of this condition. Format: date-time | false |
lastUpdateTime | string | lastUpdateTime is the time of the last update to this condition. Format: date-time | false |
message | string | Message is a human readable description of the details of the last transition, complementing reason. | false |
| observedGeneration | integer | If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. Format: int64 | false |
reason | string | Reason is a brief machine readable explanation for the condition's last transition. | false |
tokenValidUntil | string | The ValidUntil time of the token used to authenticate with the Venafi Control Plane server. Format: date-time | false |