Connection resource API reference
Terminology
The VenafiConnection CRD uses internal names that differ from the product names used elsewhere in this documentation site. The tables below map each CRD term to the corresponding product name.
Backend fields
Each backend field on spec connects to a different product:
| CRD field | Product |
|---|---|
| spec.tpp | Certificate Manager - Self-Hosted (formerly Trust Protection Platform) |
| spec.vcp | Certificate Manager - SaaS (formerly Venafi Control Plane) |
| spec.vaas | Deprecated; use spec.vcp |
| spec.firefly | Workload Identity Manager (Certificate Manager - SaaS environments) |
| spec.distributedIssuer | Distributed Issuer (Next-Gen Trust Security environments) |
| spec.ngts | Next-Gen Trust Security |
Terms in field descriptions
| Term in CRD | Documentation name |
|---|---|
| TPP | Certificate Manager - Self-Hosted |
| VCP | Certificate Manager - SaaS |
| Certificate Manager, SaaS | Certificate Manager - SaaS |
| Certificate Manager, Self-Hosted | Certificate Manager - Self-Hosted |
| NGTS Data Plane | Next-Gen Trust Security |
| Firefly | Workload Identity Manager |
| Distributed Issuer | Distributed Issuer |
Component names by environment
Some Kubernetes components have different names depending on the environment:
| Component | Certificate Manager - SaaS | Next-Gen Trust Security |
|---|---|---|
| This CRD | Connection for CyberArk Certificate Manager | Connection for Next-Gen Trust Security |
| cert-manager issuer | Enterprise Issuer for CyberArk Certificate Manager | Enterprise Issuer for Next-Gen Trust Security |
| Distributed issuance agent | Workload Identity Manager | Distributed Issuer |
Resource Types
VenafiConnection
VenafiConnection is the Schema for the VenafiConnection API.
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | jetstack.io/v1alpha1 | true |
| kind | string | VenafiConnection | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | | true |
| status | object | | false |
VenafiConnection.spec
| Name | Type | Description | Required |
|---|---|---|---|
| allowReferencesFrom | object | A namespace selector that specifies which namespaces this VenafiConnection may be used from. If not set (null), the VenafiConnection can only be used within its own namespace. An empty selector ({}) matches all namespaces. If set to a non-empty selector, the VenafiConnection can only be used from namespaces that match the selector, which may exclude the namespace the VenafiConnection is in. | false |
| distributedIssuer | object | | false |
| firefly | object | | false |
| ngts | object | | false |
| tpp | object | | false |
| vaas | object | Deprecated: use the 'vcp' field instead. | false |
| vcp | object | | false |
VenafiConnection.spec.allowReferencesFrom
A namespace selector that specifies which namespaces this VenafiConnection may be used from. If not set (null), the VenafiConnection can only be used within its own namespace. An empty selector ({}) matches all namespaces. If set to a non-empty selector, the VenafiConnection can only be used from namespaces that match the selector, which may exclude the namespace the VenafiConnection is in.
| Name | Type | Description | Required |
|---|---|---|---|
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
VenafiConnection.spec.allowReferencesFrom.matchExpressions[index]
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
| Name | Type | Description | Required |
|---|---|---|---|
key | string | key is the label key that the selector applies to. | true |
operator | string | operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true |
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false |
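To make the allowReferencesFrom rules concrete, here is an added example (not code from the VenafiConnection project) that evaluates a selector against the labels of a namespace that wants to use the connection. The namespace names and labels are constructed, and the behaviour of NotIn and DoesNotExist for an absent key follows standard Kubernetes label-selector semantics, which is an assumption where this page is silent.

```python
"""Evaluate spec.allowReferencesFrom for a namespace that wants to use a VenafiConnection.

Added example, not code from the VenafiConnection project. Semantics follow the
CRD reference: selector not set (None) -> only the connection's own namespace;
empty selector {} -> every namespace; non-empty selector -> only namespaces whose
labels satisfy all matchLabels and matchExpressions (ANDed), which can exclude the
connection's own namespace. The NotIn/DoesNotExist behaviour for an absent key
follows Kubernetes label-selector semantics (an assumption; the page is silent).
"""
from typing import Dict, List, Optional

Labels = Dict[str, str]


def _expression_matches(labels: Labels, expr: dict) -> bool:
    """One matchExpressions entry: key, operator (In/NotIn/Exists/DoesNotExist), values."""
    key, op, values = expr["key"], expr["operator"], expr.get("values") or []
    if op in ("In", "NotIn") and not values:
        raise ValueError(f"operator {op} requires a non-empty values array")
    if op in ("Exists", "DoesNotExist") and values:
        raise ValueError(f"operator {op} requires an empty values array")
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":  # also true when the key is absent
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")


def selector_matches(labels: Labels, selector: dict) -> bool:
    """A non-null LabelSelector: every matchLabels pair and every matchExpressions entry must hold."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    return all(_expression_matches(labels, e) for e in selector.get("matchExpressions") or [])


def may_reference(connection_ns: str, referencing_ns: str, referencing_labels: Labels,
                  allow_references_from: Optional[dict]) -> bool:
    """May a resource in referencing_ns use a VenafiConnection that lives in connection_ns?"""
    if allow_references_from is None:
        return referencing_ns == connection_ns   # not set: own namespace only
    # {} matches everything; a non-empty selector is evaluated for every namespace,
    # including the connection's own, so the owner can lock itself out.
    return selector_matches(referencing_labels, allow_references_from)


def allowed_namespaces(connection_ns: str, namespaces: Dict[str, Labels],
                       allow_references_from: Optional[dict]) -> List[str]:
    """List the namespaces (from a name -> labels map) that may use the connection."""
    return sorted(ns for ns, labels in namespaces.items()
                  if may_reference(connection_ns, ns, labels, allow_references_from))


# Constructed sample cluster: the connection lives in "venafi".
SAMPLE_NAMESPACES: Dict[str, Labels] = {
    "venafi": {"team": "platform"},
    "team-a": {"team": "a", "env": "prod"},
    "team-b": {"team": "b"},
}
```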
VenafiConnection.spec.distributedIssuer
| Name | Type | Description | Required |
|---|---|---|---|
| url | string | The URL to connect to the Distributed Issuer instance. | true |
| accessToken | []object | The list of steps to retrieve the Access Token that will be used to connect to the Distributed Issuer. | false |
VenafiConnection.spec.distributedIssuer.accessToken[index]
| Name | Type | Description | Required |
|---|---|---|---|
| hashicorpVaultLDAP | object | HashicorpVaultLDAP is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step. | false |
| hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource step that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
| hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step. | false |
| privateKeyJWT | object | PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane. | false |
| secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
| serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
| tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step whose kind depends on the authInputType. | false |
| vcpOAuth | object | VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. | false |
VenafiConnection.spec.distributedIssuer.accessToken[index].hashicorpVaultLDAP
HashicorpVaultLDAP is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| ldapPath | string | The full HTTP path to the secret in Vault. Example: /v1/ldap/static-cred/:role_name or /v1/ldap/creds/:role_name | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.distributedIssuer.accessToken[index].hashicorpVaultOAuth
HashicorpVaultOAuth is a SecretSource step that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.
| Name | Type | Description | Required |
|---|---|---|---|
| authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
| authPath | string | The login URL used for obtaining the Vault token. Example: /v1/auth/oidc/login | true |
| role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.distributedIssuer.accessToken[index].hashicorpVaultSecret
HashicorpVaultSecret is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example (TPP, username and password): if you have stored the username and password for TPP under the keys "username" and "password", set this field to ["username", "password"]. The username must be given first, the password second. | true |
| secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.distributedIssuer.accessToken[index].privateKeyJWT
PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane.
| Name | Type | Description | Required |
|---|---|---|---|
| clientID | string | ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. | true |
VenafiConnection.spec.distributedIssuer.accessToken[index].secret
Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| fields | []string | The names of the fields we want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
| name | string | The name of the Kubernetes secret. | true |
VenafiConnection.spec.distributedIssuer.accessToken[index].serviceAccountToken
ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| audiences | []string | Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
| name | string | The name of the Kubernetes service account. | true |
| expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration, so a client needs to check the 'expiration' field in a response. Format: int64 | false |
VenafiConnection.spec.distributedIssuer.accessToken[index].tppOAuth
TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step whose kind depends on the authInputType.
| Name | Type | Description | Required |
|---|---|---|---|
| authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT". Enum: UsernamePassword, JWT | true |
| clientID | string | ClientID is the clientID used to authenticate with TPP. | false |
| clientId | string | Deprecated: use clientID instead. | false |
| url | string | The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the TPP configuration. | false |
VenafiConnection.spec.distributedIssuer.accessToken[index].vcpOAuth
VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token.
| Name | Type | Description | Required |
|---|---|---|---|
| tenantID | string | TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. | false |
VenafiConnection.spec.firefly
| Name | Type | Description | Required |
|---|---|---|---|
| url | string | The URL to connect to the Distributed Issuer instance. | true |
| accessToken | []object | The list of steps to retrieve the Access Token that will be used to connect to the Distributed Issuer. | false |
VenafiConnection.spec.firefly.accessToken[index]
| Name | Type | Description | Required |
|---|---|---|---|
| hashicorpVaultLDAP | object | HashicorpVaultLDAP is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step. | false |
| hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource step that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
| hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step. | false |
| privateKeyJWT | object | PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane. | false |
| secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
| serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
| tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step whose kind depends on the authInputType. | false |
| vcpOAuth | object | VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. | false |
VenafiConnection.spec.firefly.accessToken[index].hashicorpVaultLDAP
HashicorpVaultLDAP is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| ldapPath | string | The full HTTP path to the secret in Vault. Example: /v1/ldap/static-cred/:role_name or /v1/ldap/creds/:role_name | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.firefly.accessToken[index].hashicorpVaultOAuth
HashicorpVaultOAuth is a SecretSource step that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.
| Name | Type | Description | Required |
|---|---|---|---|
| authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
| authPath | string | The login URL used for obtaining the Vault token. Example: /v1/auth/oidc/login | true |
| role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.firefly.accessToken[index].hashicorpVaultSecret
HashicorpVaultSecret is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example (TPP, username and password): if you have stored the username and password for TPP under the keys "username" and "password", set this field to ["username", "password"]. The username must be given first, the password second. | true |
| secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.firefly.accessToken[index].privateKeyJWT
PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane.
| Name | Type | Description | Required |
|---|---|---|---|
| clientID | string | ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. | true |
VenafiConnection.spec.firefly.accessToken[index].secret
Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| fields | []string | The names of the fields we want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
| name | string | The name of the Kubernetes secret. | true |
VenafiConnection.spec.firefly.accessToken[index].serviceAccountToken
ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| audiences | []string | Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
| name | string | The name of the Kubernetes service account. | true |
| expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration, so a client needs to check the 'expiration' field in a response. Format: int64 | false |
VenafiConnection.spec.firefly.accessToken[index].tppOAuth
TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step whose kind depends on the authInputType.
| Name | Type | Description | Required |
|---|---|---|---|
| authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT". Enum: UsernamePassword, JWT | true |
| clientID | string | ClientID is the clientID used to authenticate with TPP. | false |
| clientId | string | Deprecated: use clientID instead. | false |
| url | string | The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the TPP configuration. | false |
VenafiConnection.spec.firefly.accessToken[index].vcpOAuth
VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token.
| Name | Type | Description | Required |
|---|---|---|---|
| tenantID | string | TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. | false |
VenafiConnection.spec.ngts
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | []object | The list of steps to retrieve the JWT that will be used to connect to the NGTS Data Plane. | true |
| tsgID | string | The TSGID of the NGTS instance to connect to. This is a required field when URL is not set, and is used to construct the default URL in the format https:// | false |
| url | string | The URL to connect to the NGTS Data Plane. If not set, the default value https:// | false |
VenafiConnection.spec.ngts.jwt[index]
| Name | Type | Description | Required |
|---|---|---|---|
| hashicorpVaultLDAP | object | HashicorpVaultLDAP is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step. | false |
| hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource step that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
| hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step. | false |
| privateKeyJWT | object | PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane. | false |
| secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
| serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
| tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step whose kind depends on the authInputType. | false |
| vcpOAuth | object | VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. | false |
VenafiConnection.spec.ngts.jwt[index].hashicorpVaultLDAP
HashicorpVaultLDAP is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| ldapPath | string | The full HTTP path to the secret in Vault. Example: /v1/ldap/static-cred/:role_name or /v1/ldap/creds/:role_name | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.ngts.jwt[index].hashicorpVaultOAuth
HashicorpVaultOAuth is a SecretSource step that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.
| Name | Type | Description | Required |
|---|---|---|---|
| authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
| authPath | string | The login URL used for obtaining the Vault token. Example: /v1/auth/oidc/login | true |
| role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.ngts.jwt[index].hashicorpVaultSecret
HashicorpVaultSecret is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example (TPP, username and password): if you have stored the username and password for TPP under the keys "username" and "password", set this field to ["username", "password"]. The username must be given first, the password second. | true |
| secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.ngts.jwt[index].privateKeyJWT
PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane.
| Name | Type | Description | Required |
|---|---|---|---|
| clientID | string | ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. | true |
VenafiConnection.spec.ngts.jwt[index].secret
Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| fields | []string | The names of the fields we want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
| name | string | The name of the Kubernetes secret. | true |
VenafiConnection.spec.ngts.jwt[index].serviceAccountToken
ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| audiences | []string | Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
| name | string | The name of the Kubernetes service account. | true |
| expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration, so a client needs to check the 'expiration' field in a response. Format: int64 | false |
VenafiConnection.spec.ngts.jwt[index].tppOAuth
TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step whose kind depends on the authInputType.
| Name | Type | Description | Required |
|---|---|---|---|
| authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT". Enum: UsernamePassword, JWT | true |
| clientID | string | ClientID is the clientID used to authenticate with TPP. | false |
| clientId | string | Deprecated: use clientID instead. | false |
| url | string | The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the TPP configuration. | false |
VenafiConnection.spec.ngts.jwt[index].vcpOAuth
VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token.
| Name | Type | Description | Required |
|---|---|---|---|
| tenantID | string | TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. | false |
VenafiConnection.spec.tpp
| Name | Type | Description | Required |
|---|---|---|---|
| accessToken | []object | The list of steps to retrieve a TPP access token. | true |
| url | string | The URL to connect to the Certificate Manager Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by venafi-connection-lib. | true |
VenafiConnection.spec.tpp.accessToken[index]
| Name | Type | Description | Required |
|---|---|---|---|
| hashicorpVaultLDAP | object | HashicorpVaultLDAP is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step. | false |
| hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource step that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
| hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step. | false |
| privateKeyJWT | object | PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane. | false |
| secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
| serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
| tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step whose kind depends on the authInputType. | false |
| vcpOAuth | object | VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. | false |
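The step tables for distributedIssuer, firefly, ngts and tpp all describe the same SecretSource chain, and a mis-ordered chain (a Vault step with no token source before it, an OAuth step that is not last) only fails at reconciliation time. The following added example (not code from the VenafiConnection project) lints a spec before it is applied: the first/last-step rules, the Vault-token rule and the required fields are taken from the tables above, while the "exactly one backend" rule, the set of steps treated as JWT producers for vcpOAuth, and which prior steps feed tppOAuth for each authInputType are this example's own assumptions. The manifests in the checks are constructed samples.

```python
"""Lint a VenafiConnection spec: backend selection and its SecretSource step chain.

Added example, not code from the VenafiConnection project. First/last-step rules,
the Vault-token rule and required fields come from the CRD reference; the
"exactly one backend" rule, JWT_PRODUCERS and CREDENTIAL_PRODUCERS are assumptions.
"""
from typing import List, Optional

FIRST_ONLY = {"secret", "serviceAccountToken"}          # "meant to be the first step"
LAST_ONLY = {"tppOAuth", "vcpOAuth"}                    # "meant to be the last step"
VAULT_CONSUMERS = {"hashicorpVaultSecret", "hashicorpVaultLDAP"}
VAULT_TOKEN_PRODUCERS = {"hashicorpVaultOAuth", "secret"}  # "either ... HashicorpVaultOAuth or Secret"
JWT_PRODUCERS = {"serviceAccountToken", "privateKeyJWT"}   # assumption: steps whose output is a JWT
CREDENTIAL_PRODUCERS = {"secret", "hashicorpVaultSecret", "hashicorpVaultLDAP"}  # assumption
REQUIRED_FIELDS = {
    "secret": {"name", "fields"},
    "serviceAccountToken": {"name", "audiences"},
    "hashicorpVaultOAuth": {"authInputType", "authPath", "role"},
    "hashicorpVaultSecret": {"secretPath", "fields"},
    "hashicorpVaultLDAP": {"ldapPath"},
    "privateKeyJWT": {"clientID"},
    "tppOAuth": {"authInputType"},
    "vcpOAuth": set(),
}
BACKENDS = {"tpp", "vcp", "vaas", "firefly", "distributedIssuer", "ngts"}
STEP_FIELD = {"tpp": "accessToken", "distributedIssuer": "accessToken",
              "firefly": "accessToken", "ngts": "jwt"}  # spec.vcp is not described on this page


def _step_kind(step: dict) -> Optional[str]:
    """A list item must name exactly one step type; None if it does not."""
    present = [k for k in step if k in REQUIRED_FIELDS]
    return present[0] if len(present) == 1 else None


def lint_steps(steps: List[dict]) -> List[str]:
    """Return every problem found in an accessToken/jwt step list (empty list = clean)."""
    if not steps:
        return ["step list is empty"]
    problems: List[str] = []
    kinds = [_step_kind(s) for s in steps]
    for i, (step, kind) in enumerate(zip(steps, kinds)):
        if kind is None:
            problems.append(f"step {i}: expected exactly one step type, got {sorted(step)}")
            continue
        body = step[kind] or {}
        prev = kinds[i - 1] if i > 0 else None
        missing = REQUIRED_FIELDS[kind] - set(body)
        if missing:
            problems.append(f"step {i} ({kind}): missing required field(s) {sorted(missing)}")
        if kind in FIRST_ONLY and i != 0:
            problems.append(f"step {i} ({kind}): must be the first step")
        if kind not in FIRST_ONLY and i == 0:
            problems.append(f"step {i} ({kind}): needs a prior step providing its input")
        if kind in LAST_ONLY and i != len(steps) - 1:
            problems.append(f"step {i} ({kind}): must be the last step")
        if kind in VAULT_CONSUMERS and prev not in VAULT_TOKEN_PRODUCERS:
            problems.append(f"step {i} ({kind}): previous step must be hashicorpVaultOAuth or secret")
        if kind == "hashicorpVaultOAuth" and body.get("authInputType") != "OIDC":
            problems.append(f"step {i} ({kind}): authInputType must be OIDC")
        if kind == "vcpOAuth" and prev not in JWT_PRODUCERS:
            problems.append(f"step {i} ({kind}): previous step must output a JWT")
        if kind == "tppOAuth":
            if "clientId" in body:
                problems.append(f"step {i} ({kind}): 'clientId' is deprecated, use 'clientID'")
            mode = body.get("authInputType")
            wanted = {"UsernamePassword": CREDENTIAL_PRODUCERS, "JWT": JWT_PRODUCERS}.get(mode)
            if wanted is None:
                problems.append(f"step {i} ({kind}): authInputType must be UsernamePassword or JWT")
            elif prev not in wanted:
                problems.append(f"step {i} ({kind}/{mode}): previous step must be one of {sorted(wanted)}")
    return problems


def lint_connection(spec: dict) -> List[str]:
    """Check the backend selection of a VenafiConnection spec, then its step chain."""
    chosen = sorted(b for b in BACKENDS if spec.get(b) is not None)
    if len(chosen) != 1:  # assumption: a connection targets exactly one product
        return [f"expected exactly one backend field, got {chosen or 'none'}"]
    backend, body = chosen[0], spec[chosen[0]]
    problems: List[str] = []
    if backend == "vaas":
        problems.append("spec.vaas is deprecated, use spec.vcp")
    if backend in ("tpp", "distributedIssuer", "firefly") and "url" not in body:
        problems.append(f"spec.{backend}.url is required")
    if backend == "ngts" and "url" not in body and "tsgID" not in body:
        problems.append("spec.ngts needs url or tsgID")
    field = STEP_FIELD.get(backend)
    if field is None:
        return problems
    if field not in body:
        if backend in ("tpp", "ngts"):  # optional for distributedIssuer and firefly
            problems.append(f"spec.{backend}.{field} is required")
        return problems
    return problems + [f"spec.{backend}.{field}: {p}" for p in lint_steps(body[field])]
```

Feed it the parsed spec of a manifest (for example `yaml.safe_load(open(path))["spec"]`) in a pre-apply check; an empty list means every rule passed.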
VenafiConnection.spec.tpp.accessToken[index].hashicorpVaultLDAP
HashicorpVaultLDAP is a SecretSource step that requires a Vault token from the previous step (either a HashicorpVaultOAuth or a Secret step). It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
| ldapPath | string | The full HTTP path to the secret in Vault. Example: /v1/ldap/static-cred/:role_name or /v1/ldap/creds/:role_name | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.tpp.accessToken[index].hashicorpVaultOAuth
HashicorpVaultOAuth is a SecretSource step that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.
| Name | Type | Description | Required |
|---|---|---|---|
| authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
| authPath | string | The login URL used for obtaining the Vault token. Example: /v1/auth/oidc/login | true |
| role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
| url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.tpp.accessToken[index].hashicorpVaultSecret
HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example (TPP, username and password): if you have stored the username and password for TPP under the keys "username" and "password", set this field to ["username", "password"]. The username must be given first, the password second. | true |
secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.tpp.accessToken[index].privateKeyJWT
PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane.
| Name | Type | Description | Required |
|---|---|---|---|
clientID | string | ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. | true |
VenafiConnection.spec.tpp.accessToken[index].secret
Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
fields | []string | The names of the fields we want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
name | string | The name of the Kubernetes secret. | true |
VenafiConnection.spec.tpp.accessToken[index].serviceAccountToken
ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
audiences | []string | Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
name | string | The name of the Kubernetes service account. | true |
expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response. Format: int64 | false |
VenafiConnection.spec.tpp.accessToken[index].tppOAuth
TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType.
| Name | Type | Description | Required |
|---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT". Enum: UsernamePassword, JWT | true |
clientID | string | ClientID is the clientID used to authenticate with TPP. | false |
clientId | string | Deprecated: use clientID instead. | false |
url | string | The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. If not set, defaults to the URL defined at the top level of the TPP configuration. | false |
VenafiConnection.spec.tpp.accessToken[index].vcpOAuth
VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token.
| Name | Type | Description | Required |
|---|---|---|---|
tenantID | string | TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. | false |
VenafiConnection.spec.vaas
Deprecated: the 'vaas' field is deprecated; use the 'vcp' field instead.
| Name | Type | Description | Required |
|---|---|---|---|
accessToken | []object | The list of steps to retrieve the Access Token that will be used to connect to Certificate Manager, SaaS. | false |
apiKey | []object | The list of steps to retrieve the API key that will be used to connect to Certificate Manager, SaaS. | false |
url | string | The URL to connect to the Certificate Manager, SaaS instance. If not set, the default value https://api.venafi.cloud is used. | false |
VenafiConnection.spec.vaas.accessToken[index]
| Name | Type | Description | Required |
|---|---|---|---|
hashicorpVaultLDAP | object | HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
privateKeyJWT | object | PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane. | false |
secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType. | false |
vcpOAuth | object | VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. | false |
VenafiConnection.spec.vaas.accessToken[index].hashicorpVaultLDAP
HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
ldapPath | string | The full HTTP path to the secret in Vault. Example: /v1/ldap/static-cred/:role_name or /v1/ldap/creds/:role_name | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vaas.accessToken[index].hashicorpVaultOAuth
HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.
| Name | Type | Description | Required |
|---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
authPath | string | The login URL used for obtaining the Vault token. Example: /v1/auth/oidc/login | true |
role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vaas.accessToken[index].hashicorpVaultSecret
HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example (TPP, username and password): if you have stored the username and password for TPP under the keys "username" and "password", set this field to ["username", "password"]. The username must be given first, the password second. | true |
secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vaas.accessToken[index].privateKeyJWT
PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane.
| Name | Type | Description | Required |
|---|---|---|---|
clientID | string | ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. | true |
VenafiConnection.spec.vaas.accessToken[index].secret
Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
fields | []string | The names of the fields we want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
name | string | The name of the Kubernetes secret. | true |
VenafiConnection.spec.vaas.accessToken[index].serviceAccountToken
ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
audiences | []string | Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
name | string | The name of the Kubernetes service account. | true |
expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response. Format: int64 | false |
VenafiConnection.spec.vaas.accessToken[index].tppOAuth
TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType.
| Name | Type | Description | Required |
|---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT". Enum: UsernamePassword, JWT | true |
clientID | string | ClientID is the clientID used to authenticate with TPP. | false |
clientId | string | Deprecated: use clientID instead. | false |
url | string | The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. If not set, defaults to the URL defined at the top level of the TPP configuration. | false |
VenafiConnection.spec.vaas.accessToken[index].vcpOAuth
VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token.
| Name | Type | Description | Required |
|---|---|---|---|
tenantID | string | TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. | false |
VenafiConnection.spec.vaas.apiKey[index]
| Name | Type | Description | Required |
|---|---|---|---|
hashicorpVaultLDAP | object | HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
privateKeyJWT | object | PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane. | false |
secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType. | false |
vcpOAuth | object | VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. | false |
VenafiConnection.spec.vaas.apiKey[index].hashicorpVaultLDAP
HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
ldapPath | string | The full HTTP path to the secret in Vault. Example: /v1/ldap/static-cred/:role_name or /v1/ldap/creds/:role_name | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vaas.apiKey[index].hashicorpVaultOAuth
HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.
| Name | Type | Description | Required |
|---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
authPath | string | The login URL used for obtaining the Vault token. Example: /v1/auth/oidc/login | true |
role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vaas.apiKey[index].hashicorpVaultSecret
HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example (TPP, username and password): if you have stored the username and password for TPP under the keys "username" and "password", set this field to ["username", "password"]. The username must be given first, the password second. | true |
secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vaas.apiKey[index].privateKeyJWT
PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane.
| Name | Type | Description | Required |
|---|---|---|---|
clientID | string | ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. | true |
VenafiConnection.spec.vaas.apiKey[index].secret
Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
fields | []string | The names of the fields we want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
name | string | The name of the Kubernetes secret. | true |
VenafiConnection.spec.vaas.apiKey[index].serviceAccountToken
ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
audiences | []string | Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
name | string | The name of the Kubernetes service account. | true |
expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response. Format: int64 | false |
VenafiConnection.spec.vaas.apiKey[index].tppOAuth
TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType.
| Name | Type | Description | Required |
|---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT". Enum: UsernamePassword, JWT | true |
clientID | string | ClientID is the clientID used to authenticate with TPP. | false |
clientId | string | Deprecated: use clientID instead. | false |
url | string | The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. If not set, defaults to the URL defined at the top level of the TPP configuration. | false |
VenafiConnection.spec.vaas.apiKey[index].vcpOAuth
VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token.
| Name | Type | Description | Required |
|---|---|---|---|
tenantID | string | TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. | false |
VenafiConnection.spec.vcp
| Name | Type | Description | Required |
|---|---|---|---|
accessToken | []object | The list of steps to retrieve the Access Token that will be used to connect to Certificate Manager, SaaS. | false |
apiKey | []object | The list of steps to retrieve the API key that will be used to connect to Certificate Manager, SaaS. | false |
url | string | The URL to connect to the Certificate Manager, SaaS instance. If not set, the default value https://api.venafi.cloud is used. | false |
VenafiConnection.spec.vcp.accessToken[index]
| Name | Type | Description | Required |
|---|---|---|---|
hashicorpVaultLDAP | object | HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
privateKeyJWT | object | PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane. | false |
secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType. | false |
vcpOAuth | object | VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. | false |
VenafiConnection.spec.vcp.accessToken[index].hashicorpVaultLDAP
HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
ldapPath | string | The full HTTP path to the secret in Vault. Example: /v1/ldap/static-cred/:role_name or /v1/ldap/creds/:role_name | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vcp.accessToken[index].hashicorpVaultOAuth
HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.
| Name | Type | Description | Required |
|---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
authPath | string | The login URL used for obtaining the Vault token. Example: /v1/auth/oidc/login | true |
role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vcp.accessToken[index].hashicorpVaultSecret
HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example (TPP, username and password): if you have stored the username and password for TPP under the keys "username" and "password", set this field to ["username", "password"]. The username must be given first, the password second. | true |
secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vcp.accessToken[index].privateKeyJWT
PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane.
| Name | Type | Description | Required |
|---|---|---|---|
clientID | string | ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. | true |
VenafiConnection.spec.vcp.accessToken[index].secret
Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
fields | []string | The names of the fields we want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
name | string | The name of the Kubernetes secret. | true |
VenafiConnection.spec.vcp.accessToken[index].serviceAccountToken
ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
audiences | []string | Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences. | true |
name | string | The name of the Kubernetes service account. | true |
expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response. Format: int64 | false |
VenafiConnection.spec.vcp.accessToken[index].tppOAuth
TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType.
| Name | Type | Description | Required |
|---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT". Enum: UsernamePassword, JWT | true |
clientID | string | ClientID is the clientID used to authenticate with TPP. | false |
clientId | string | Deprecated: use clientID instead. | false |
url | string | The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. If not set, defaults to the URL defined at the top level of the TPP configuration. | false |
VenafiConnection.spec.vcp.accessToken[index].vcpOAuth
VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token.
| Name | Type | Description | Required |
|---|---|---|---|
tenantID | string | TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. | false |
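As an added example, not part of the original reference, two VenafiConnection manifests that chain the steps documented in the spec.tpp.accessToken and spec.vcp.accessToken sections: a ServiceAccountToken → HashicorpVaultOAuth → HashicorpVaultSecret → TPPOAuth chain for Certificate Manager, Self-Hosted, and a ServiceAccountToken → VCPOAuth chain for Certificate Manager, SaaS. Resource names, the Vault URL, the Vault role, the audience values and the tenant ID are constructed placeholders; the Vault paths and the Secret key names are the ones the field descriptions above use as examples.

```yaml
# Added example, not from the original page. Values marked "constructed"
# are placeholders; Vault paths and key names reuse the examples given in
# the field descriptions.
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: tpp-via-vault            # constructed
  namespace: venafi              # constructed
spec:
  tpp:
    url: https://tpp.example.com   # the /vedsdk suffix is optional
    accessToken:
      # Step 1 (first step): a short-lived Kubernetes service account token.
      # Binding it to a single audience means it is only accepted by Vault.
      - serviceAccountToken:
          name: venafi-connection-sa        # constructed service account
          audiences:
            - https://vault.example.com     # constructed audience
          expirationSeconds: 600
      # Step 2: exchange the JWT for a Vault token (only OIDC is supported).
      # The mount path of the auth method depends on how Vault is configured.
      - hashicorpVaultOAuth:
          url: https://vault.example.com    # constructed
          authInputType: OIDC
          authPath: /v1/auth/oidc/login
          role: tpp-reader                  # constructed Vault role
      # Step 3: read the TPP credentials with the Vault token.
      # Order matters: username first, password second.
      - hashicorpVaultSecret:
          url: https://vault.example.com    # constructed
          secretPath: /v1/secret/data/application-team-a/tpp-username-password
          fields:
            - username
            - password
      # Step 4 (last step): trade username and password for a TPP access token.
      - tppOAuth:
          authInputType: UsernamePassword
          clientID: cert-manager.io         # constructed API integration client ID
---
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: vcp-via-service-account  # constructed
  namespace: venafi              # constructed
spec:
  vcp:
    url: https://api.venafi.cloud
    accessToken:
      # Step 1 (first step): service account JWT bound to the SaaS API audience.
      - serviceAccountToken:
          name: venafi-connection-sa        # constructed service account
          audiences:
            - https://api.venafi.cloud      # constructed audience
          expirationSeconds: 600
      # Step 2 (last step): VCPOAuth consumes the JWT and returns an access token.
      - vcpOAuth:
          tenantID: 00000000-0000-0000-0000-000000000000   # placeholder tenant ID
```

Because the first step is a TokenRequest rather than a long-lived Secret, no static credential is stored in the cluster for either chain; the only stored value is whatever Vault holds, and the TPP password never appears outside the step chain.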
VenafiConnection.spec.vcp.apiKey[index]
| Name | Type | Description | Required |
|---|---|---|---|
hashicorpVaultLDAP | object | HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
hashicorpVaultOAuth | object | HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards. | false |
hashicorpVaultSecret | object | HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step. | false |
privateKeyJWT | object | PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane. | false |
secret | object | Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step. | false |
serviceAccountToken | object | ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step. | false |
tppOAuth | object | TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType. | false |
vcpOAuth | object | VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token. | false |
VenafiConnection.spec.vcp.apiKey[index].hashicorpVaultLDAP
HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
ldapPath | string | The full HTTP path to the secret in Vault. Example: /v1/ldap/static-cred/:role_name or /v1/ldap/creds/:role_name | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vcp.apiKey[index].hashicorpVaultOAuth
HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource step to provide an OAuth token, which this step uses to authenticate to Vault. The output of this step is a Vault token. This step allows you to use the step HashicorpVaultSecret afterwards.
| Name | Type | Description | Required |
|---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with HashiCorp Vault. The only supported value is "OIDC". Enum: OIDC | true |
authPath | string | The login URL used for obtaining the Vault token. Example: /v1/auth/oidc/login | true |
role | string | The role defined in Vault that we want to use when authenticating to Vault. | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vcp.apiKey[index].hashicorpVaultSecret
HashicorpVaultSecret is a SecretSource step that requires a Vault token in the previous step, either using a step HashicorpVaultOAuth or Secret. It then fetches the requested secrets from Vault for use in the next step.
| Name | Type | Description | Required |
|---|---|---|---|
fields | []string | The fields are Vault keys pointing to the secrets passed to the next SecretSource step. Example 1 (TPP, username and password): assuming you have stored the username and password for TPP under the keys "username" and "password", set this field to ["username", "password"]. The username is expected to be given first, the password second. | true |
secretPath | string | The full HTTP path to the secret in Vault. Example: /v1/secret/data/application-team-a/tpp-username-password | true |
url | string | The URL to connect to your HashiCorp Vault instance. | false |
VenafiConnection.spec.vcp.apiKey[index].privateKeyJWT
PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. This JWT can typically be used to authenticate to the NGTS Data Plane.
| Name | Type | Description | Required |
|---|---|---|---|
clientID | string | ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. | true |
VenafiConnection.spec.vcp.apiKey[index].secret
Secret is a SecretSource step meant to be the first step. It retrieves secret values from a Kubernetes Secret, and passes them to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
fields | []string | The names of the fields we want to extract from the Kubernetes secret. These fields are passed to the next step in the chain. | true |
name | string | The name of the Kubernetes secret. | true |
VenafiConnection.spec.vcp.apiKey[index].serviceAccountToken
ServiceAccountToken is a SecretSource step meant to be the first step. It uses the Kubernetes TokenRequest API to retrieve a token for a given service account, and passes it to the next step.
| Name | Type | Description | Required |
|---|---|---|---|
audiences | []string | Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed, but implies a high degree of trust between the target audiences. | true |
name | string | The name of the Kubernetes service account. | true |
expirationSeconds | integer | ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response. Format: int64 | false |
VenafiConnection.spec.vcp.apiKey[index].tppOAuth
TPPOAuth is a SecretSource step that authenticates to a TPP server. This step is meant to be the last step and requires a prior step that depends on the authInputType.
| Name | Type | Description | Required |
|---|---|---|---|
authInputType | enum | AuthInputType is the authentication method to be used to authenticate with TPP. The supported values are "UsernamePassword" and "JWT". Enum: UsernamePassword, JWT | true |
clientID | string | ClientID is the clientID used to authenticate with TPP. | false |
clientId | string | Deprecated: use clientID instead. | false |
url | string | The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs https://tpp.example.com and https://tpp.example.com/vedsdk are equivalent. The ending /vedsdk is optional and is stripped out by our client. If not set, defaults to the URL defined at the top-level of the TPP configuration. | false |
VenafiConnection.spec.vcp.apiKey[index].vcpOAuth
VCPOAuth is a SecretSource step that authenticates to the Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step that outputs a JWT token.
| Name | Type | Description | Required |
|---|---|---|---|
tenantID | string | TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. | false |
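The step tables above describe a chain: the first step (Secret or ServiceAccountToken) produces a value, each middle step consumes the previous output, and the last step's output is what the connection authenticates with. The manifest below is an added example, not a resource from the CRD reference or the product's own documentation, wiring those steps together for spec.vcp.apiKey so that no long-lived API key is stored in a Kubernetes Secret: a short-lived, audience-scoped service account token is exchanged for a Vault token, which then reads the API key from Vault. Resource names, the namespace, the Vault URL, the Vault role, the secret path and the key name are constructed placeholders, and it assumes the output of the final step is consumed as the API key.

```yaml
# Added example; not from the CRD reference or the product documentation.
# All names, the Vault URL, role, secret path and key name are constructed.
apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: vcp-apikey-from-vault        # constructed
  namespace: venafi                  # constructed
spec:
  vcp:
    apiKey:
      # Step 1 (first step): mint a projected token for a service account via
      # the Kubernetes TokenRequest API. Keep the audience specific to Vault
      # and the lifetime short; the token is re-requested by the controller.
      - serviceAccountToken:
          name: vault-reader           # constructed service account
          audiences:
            - vault                    # constructed; must match Vault's auth role
          expirationSeconds: 600
      # Step 2: present that JWT to Vault and receive a Vault token
      # (authInputType OIDC is the only supported value).
      - hashicorpVaultOAuth:
          url: https://vault.example.com   # constructed
          authInputType: OIDC
          authPath: /v1/auth/oidc/login
          role: venafi-connection          # constructed Vault role
      # Step 3 (last step): read the API key with the Vault token from step 2.
      # A single field is listed, so a single value is handed on as the key.
      - hashicorpVaultSecret:
          url: https://vault.example.com   # constructed
          secretPath: /v1/secret/data/application-team-a/vcp-api-key  # constructed
          fields:
            - api-key                      # constructed key name inside the Vault secret
```

Order matters: hashicorpVaultSecret rejects a chain in which the previous step did not yield a Vault token, and the Vault role named in step 2 should be bound to the exact service account and audience from step 1, so that a token minted for any other workload or audience cannot be exchanged.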
VenafiConnection.status
| Name | Type | Description | Required |
|---|---|---|---|
conditions | []object | List of status conditions to indicate the status of a VenafiConnection. | false |
VenafiConnection.status.conditions[index]
ConnectionCondition contains condition information for a VenafiConnection.
| Name | Type | Description | Required |
|---|---|---|---|
status | string | Status of the condition, one of (True, False, Unknown). | true |
type | string | Type of the condition, should be a combination of the unique name of the operator and the type of condition, e.g. VenafiEnhancedIssuerReady. | true |
lastTransitionTime | string | LastTransitionTime is the timestamp corresponding to the last status change of this condition. Format: date-time | false |
lastUpdateTime | string | LastUpdateTime is the time of the last update to this condition. Format: date-time | false |
message | string | Message is a human readable description of the details of the last transition, complementing reason. | false |
observedGeneration | integer | If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. Format: int64 | false |
reason | string | Reason is a brief machine readable explanation for the condition's last transition. | false |
tokenValidUntil | string | The ValidUntil time of the token used to authenticate with the Certificate Manager, SaaS. Format: date-time | false |