# Source: https://developer.hashicorp.com/vault/docs/deploy/kubernetes/vso/sources/vault
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  namespace: vso-example
  name: vault-connection
spec:
  # --- required ---
  # URL the Operator uses to reach Vault. This example talks to an in-cluster
  # service over plain HTTP; outside a local demo use an https:// address and
  # pin the CA through caCertSecretRef below instead of relaxing skipTLSVerify.
  address: http://vault.vault.svc.cluster.local:8200

  # --- optional ---
  # Extra HTTP headers sent with every Vault request.
  # headers: []
  # Server name presented as SNI on TLS connections.
  # tlsServerName: ""
  # Disables TLS certificate verification; keep it false anywhere that matters.
  # skipTLSVerify: false
  # Kubernetes Secret holding the trusted PEM-encoded CA certificate chain.
  # caCertSecretRef: ""
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  namespace: vso-example
  name: vault-auth
spec:
  # --- required ---
  # VaultConnection this auth goes through. When omitted, the Operator falls
  # back to the `default` VaultConnection in its own Kubernetes namespace.
  vaultConnectionRef: vault-connection
  # Vault auth method, and the mount path it is enabled on.
  method: kubernetes
  mount: kubernetes
  # Settings for the kubernetes auth method; only meaningful when method is kubernetes.
  kubernetes:
    # Vault role to log in as.
    role: example
    # ServiceAccount whose token is presented to Vault. Give each
    # Pod/application its own ServiceAccount rather than sharing `default`, so
    # Vault policies can be scoped per workload.
    serviceAccount: default

  # --- optional ---
  # Vault namespace the auth backend is mounted in (Vault Enterprise only).
  # namespace: ""
  # Additional parameters passed on login.
  # params: []
  # Extra HTTP headers sent with every authentication request.
  # headers: []
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuthGlobal
metadata:
  namespace: vso-example
  name: vault-auth-global
spec:
  # Shared auth settings that VaultAuth objects can pull in via vaultAuthGlobalRef.
  defaultAuthMethod: kubernetes
  kubernetes:
    # Audience(s) requested for the ServiceAccount token; keep this to what the
    # Vault role is configured to accept.
    audiences:
      - vault
    mount: kubernetes
    # Vault namespace (not the Kubernetes one) the auth backend lives in.
    namespace: example-ns
    role: auth-role
    serviceAccount: default
    # Requested lifetime of the ServiceAccount token, in seconds.
    tokenExpirationSeconds: 600
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  namespace: vso-example
  name: vault-auth2
spec:
  # Inherit the shared settings from the VaultAuthGlobal named vault-auth-global ...
  vaultAuthGlobalRef:
    name: vault-auth-global
  # ... and override only the Vault role for this auth.
  kubernetes:
    role: local-role
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  namespace: vso-example
  name: vault-static-secret-v1
spec:
  # Authenticate through the VaultAuth named vault-auth.
  vaultAuthRef: vault-auth
  # KV v1 engine mounted at kvv1; path is relative to that mount.
  mount: kvv1
  type: kv-v1
  path: eng/apikey/google
  # Interval between re-reads of the secret from Vault.
  refreshAfter: 60s
  # Kubernetes Secret the data lands in; create: true presumably lets the
  # Operator create it when it does not already exist.
  destination:
    create: true
    name: static-secret1
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  namespace: vso-example
  name: vault-static-secret-v2
spec:
  # Authenticate through the VaultAuth named vault-auth.
  vaultAuthRef: vault-auth
  # KV v2 engine mounted at kvv2; path is relative to that mount.
  mount: kvv2
  type: kv-v2
  path: eng/apikey/google
  # Secret version to read (KV v2 is versioned); presumably pins version 2
  # instead of following the latest.
  version: 2
  # Interval between re-reads of the secret from Vault.
  refreshAfter: 60s
  # Kubernetes Secret the data lands in.
  destination:
    create: true
    name: static-secret2
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultPKISecret
metadata:
  namespace: vso-example
  name: vault-pki
spec:
  vaultAuthRef: vault-auth
  # PKI engine mounted at pki, issuing under the role named default.
  mount: pki
  role: default
  commonName: example.com
  format: pem
  # A 1s expiryOffset against a 60s ttl presumably means renewal is attempted
  # only one second before the certificate expires, so any reconcile delay
  # leaves an expired certificate in the destination Secret. Demo values;
  # widen the offset for real workloads.
  expiryOffset: 1s
  ttl: 60s
  # Vault namespace holding the PKI mount.
  namespace: tenant-1
  destination:
    create: true
    name: pki1
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  namespace: vso-example
  name: vault-dynamic-secret-db
spec:
  vaultAuthRef: vault-auth
  # Database engine mounted at db; creds/<role> is the credential path for
  # the my-postgresql-role role.
  mount: db
  path: creds/my-postgresql-role
  # Kubernetes Secret that receives the generated credentials.
  destination:
    create: true
    name: dynamic-db
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  namespace: vso-example
  name: vault-dynamic-secret-aws-iam
spec:
  vaultAuthRef: vault-auth
  # AWS engine mounted at aws; creds/<role> yields credentials for my-iam-role.
  mount: aws
  path: creds/my-iam-role
  # Kubernetes Secret that receives the generated credentials.
  destination:
    create: true
    name: dynamic-aws-iam
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  namespace: vso-example
  name: vault-dynamic-secret-aws-sts
spec:
  vaultAuthRef: vault-auth
  # AWS engine mounted at aws; sts/<role> requests STS credentials for my-sts-role.
  mount: aws
  path: sts/my-sts-role
  # Kubernetes Secret that receives the generated credentials.
  destination:
    create: true
    name: dynamic-aws-sts
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  namespace: vso-example
  name: vault-dynamic-secret-aws-iam-role
spec:
  vaultAuthRef: vault-auth
  # Same aws mount and creds/my-iam-role path as vault-dynamic-secret-aws-iam
  # above, written to a different destination Secret.
  mount: aws
  path: creds/my-iam-role
  # Kubernetes Secret that receives the generated credentials.
  destination:
    create: true
    name: dynamic-aws-iam-role