Venafi Connection API reference

Resource Types

VenafiConnection

VenafiConnection is the Schema for the VenafiConnection API.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| apiVersion | string | jetstack.io/v1alpha1 | true |
| kind | string | VenafiConnection | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | | false |
| status | object | | false |

VenafiConnection.spec

| Name | Type | Description | Required |
|------|------|-------------|----------|
| allowReferencesFrom | object | A namespace selector that specifies which namespaces this VenafiConnection is allowed to be used from. If not set (null), the VenafiConnection can only be used within its own namespace. An empty selector ({}) matches all namespaces. If set to a non-empty selector, the VenafiConnection can only be used from namespaces that match the selector; this may exclude the namespace the VenafiConnection is in. EXPERIMENTAL: This field is experimental and may change in future or be replaced by the upstream ReferenceGrant mechanism (KEP-3766). | false |
| tpp | object | | false |
| vaas | object | | false |

VenafiConnection.spec.allowReferencesFrom

A namespace selector that specifies which namespaces this VenafiConnection is allowed to be used from. If not set (null), the VenafiConnection can only be used within its own namespace. An empty selector ({}) matches all namespaces. If set to a non-empty selector, the VenafiConnection can only be used from namespaces that match the selector; this may exclude the namespace the VenafiConnection is in.

EXPERIMENTAL: This field is experimental and may change in future or be replaced by the upstream ReferenceGrant mechanism (KEP-3766).

| Name | Type | Description | Required |
|------|------|-------------|----------|
| matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
| matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. | false |

VenafiConnection.spec.allowReferencesFrom.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| key | string | key is the label key that the selector applies to. | true |
| operator | string | operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true |
| values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false |

VenafiConnection.spec.tpp

| Name | Type | Description | Required |
|------|------|-------------|----------|
| url | string | The URL to connect to the Venafi TPP instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by venafi-connection-lib. | true |
| accessToken | []object | The list of steps to retrieve a TPP access token. | false |

VenafiConnection.spec.tpp.accessToken[index]

| Name | Type | Description | Required |
|------|------|-------------|----------|
| hashicorpVaultLDAP | object | HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
| hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
| hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
| secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
| serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
| tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType. | false |

VenafiConnection.spec.tpp.accessToken[index].hashicorpVaultLDAP

HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| ldapPath | string | The full HTTP path to the secret in Vault. Example: /v1/ldap/static-cred/:role_name or /v1/ldap/creds/:role_name | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |

VenafiConnection.spec.tpp.accessToken[index].hashicorpVaultOAuth

HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
| authPath | string | The login URL used for obtaining the Vault token. Example: "https://vault:8200/v1/auth/oidc/login". | true |
| role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
| clientId | string | DEPRECATED: This field does nothing and will be removed in the future. | false |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |

VenafiConnection.spec.tpp.accessToken[index].hashicorpVaultSecret

HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example 1 (TPP, username and password): In a scenario where you have stored the username and password for TPP under the keys "username" and "password", you need to set this field to ["username", "password"]. The username is expected to be given first, the password second. | true |
| secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |

VenafiConnection.spec.tpp.accessToken[index].secret

Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| fields | []string | The names of the fields you want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
| name | string | The name of the Kubernetes secret. | true |

VenafiConnection.spec.tpp.accessToken[index].serviceAccountToken

ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| audiences | []string | Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
| name | string | The name of the Kubernetes service account. | true |
| expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration, so a client needs to check the 'expiration' field in a response. Format: int64 | false |

VenafiConnection.spec.tpp.accessToken[index].tppOAuth

TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT". Enum: UsernamePassword, JWT | true |
| clientId | string | ClientID is the clientId used to authenticate with TPP. Default: cert-manager.io | false |
| url | string | The URL to connect to the Venafi TPP instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. | false |

VenafiConnection.spec.vaas

| Name | Type | Description | Required |
|------|------|-------------|----------|
| apiKey | []object | The list of steps to retrieve the API key that will be used to connect to VaaS. | false |
| url | string | The URL to connect to the Venafi VaaS instance. If not set, the default value https://api.venafi.cloud/v1/ is used. | false |

VenafiConnection.spec.vaas.apiKey[index]

Details about each SecretSource step to retrieve the API key that will be used to connect to Venafi VaaS.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| hashicorpVaultLDAP | object | HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
| hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
| hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
| secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
| serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
| tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType. | false |

VenafiConnection.spec.vaas.apiKey[index].hashicorpVaultLDAP

HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| ldapPath | string | The full HTTP path to the secret in Vault. Example: /v1/ldap/static-cred/:role_name or /v1/ldap/creds/:role_name | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |

VenafiConnection.spec.vaas.apiKey[index].hashicorpVaultOAuth

HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
| authPath | string | The login URL used for obtaining the Vault token. Example: /v1/auth/oidc/login | true |
| role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
| clientId | string | DEPRECATED: This field does nothing and will be removed in the future. | false |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |

VenafiConnection.spec.vaas.apiKey[index].hashicorpVaultSecret

HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example 1 (TPP, username and password): In a scenario where you have stored the username and password for TPP under the keys "username" and "password", you need to set this field to ["username", "password"]. The username is expected to be given first, the password second. | true |
| secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |

VenafiConnection.spec.vaas.apiKey[index].secret

Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| fields | []string | The names of the fields we want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
| name | string | The name of the Kubernetes secret. | true |

VenafiConnection.spec.vaas.apiKey[index].serviceAccountToken

| Name | Type | Description | Required |
|------|------|-------------|----------|
| audiences | []string | Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
| name | string | The name of the Kubernetes service account. | true |
| expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration, so a client needs to check the 'expiration' field in a response. Format: int64 | false |

VenafiConnection.spec.vaas.apiKey[index].tppOAuth

| Name | Type | Description | Required |
|------|------|-------------|----------|
| authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT". Enum: UsernamePassword, JWT | true |
| clientId | string | ClientID is the clientId used to authenticate with TPP. Default: cert-manager.io | false |
| url | string | The URL to connect to the Venafi TPP instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. | false |
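As an added illustration (not part of this reference), the two manifests below chain the SecretSource steps described above in the order their descriptions require: for TPP, a service account token is exchanged for a Vault token, the TPP username and password are read from Vault, and the final step logs in to TPP; for VaaS, the API key is read directly from a Kubernetes Secret. All names, the namespace and label, the Vault address, role and secret path are assumed values; the allowReferencesFrom selector is included to show how use of the connection is scoped by namespace.

```yaml
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: tpp-via-vault            # assumed name
  namespace: venafi              # assumed namespace
spec:
  # Only namespaces labelled team=platform may reference this connection.
  # As the reference notes, this can exclude the "venafi" namespace itself
  # unless it also carries the label; omit the field to restrict use to this namespace.
  allowReferencesFrom:
    matchLabels:
      team: platform
  tpp:
    url: https://tpp.example.com   # a trailing /vedsdk would be stripped
    accessToken:
      # Step 1 (first step): short-lived token for the service account.
      - serviceAccountToken:
          name: venafi-connection-sa   # assumed service account
          audiences: ["vault"]         # audience Vault's OIDC login is configured to accept
          expirationSeconds: 600
      # Step 2: exchanges that token for a Vault token (authInputType must be OIDC).
      - hashicorpVaultOAuth:
          url: https://vault.example.com:8200   # assumed Vault address
          authInputType: OIDC
          authPath: /v1/auth/oidc/login
          role: venafi-tpp                      # assumed Vault role
      # Step 3: uses the Vault token to read the TPP credentials; username first, password second.
      - hashicorpVaultSecret:
          url: https://vault.example.com:8200
          secretPath: /v1/secret/data/application-team-a/tpp-username-password
          fields: ["username", "password"]
      # Step 4 (last step): logs in to TPP with the username/password from step 3.
      - tppOAuth:
          authInputType: UsernamePassword
          clientId: cert-manager.io             # the default, shown explicitly
---
# VaaS variant: the API key is read straight from a Kubernetes Secret in the
# connection's namespace, so the chain is a single first step.
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: vaas-from-secret         # assumed name
  namespace: venafi
spec:
  vaas:
    url: https://api.venafi.cloud/v1/   # the default, shown explicitly
    apiKey:
      - secret:
          name: venafi-vaas-api-key    # assumed Secret name
          fields: ["api-key"]          # assumed key inside the Secret
```

The service-account route keeps the long-lived TPP credentials out of the cluster: only a short-lived projected token ever exists in Kubernetes, and the Vault policy bound to the role decides which secret path it may read.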

VenafiConnection.status

| Name | Type | Description | Required |
|------|------|-------------|----------|
| conditions | []object | List of status conditions to indicate the status of a VenafiConnection. | false |

VenafiConnection.status.conditions[index]

ConnectionCondition contains condition information for a VenafiConnection.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| status | string | Status of the condition, one of (True, False, Unknown). | true |
| type | string | Type of the condition; should be a combination of the unique name of the operator and the type of condition, e.g. VenafiEnhancedIssuerReady. | true |
| lastTransitionTime | string | LastTransitionTime is the timestamp corresponding to the last status change of this condition. Format: date-time | false |
| lastUpdateTime | string | lastUpdateTime is the time of the last update to this condition. Format: date-time | false |
| message | string | Message is a human-readable description of the details of the last transition, complementing reason. | false |
| observedGeneration | integer | If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. Format: int64 | false |
| reason | string | Reason is a brief machine-readable explanation for the condition's last transition. | false |
| tokenValidUntil | string | The ValidUntil time of the token used to authenticate with the Venafi Control Plane server. Format: date-time | false |