From 3bfee849ffacf50731bee9986b9990e711b84c13 Mon Sep 17 00:00:00 2001
From: Ben Ash
Date: Wed, 18 Dec 2024 11:02:50 -0500
Subject: [PATCH] VPS: support day duration notation for TTL

Extend the validation pattern to support specifying the certificate TTL duration as days.
---
 api/v1beta1/vaultpkisecret_types.go | 2 +-
 api/v1beta1/vaultstaticsecret_types.go | 2 +-
 chart/crds/secrets.hashicorp.com_vaultpkisecrets.yaml | 2 +-
 chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml | 2 +-
 config/crd/bases/secrets.hashicorp.com_vaultpkisecrets.yaml | 2 +-
 .../crd/bases/secrets.hashicorp.com_vaultstaticsecrets.yaml | 2 +-
 docs/api/api-reference.md | 4 ++--
 7 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/api/v1beta1/vaultpkisecret_types.go b/api/v1beta1/vaultpkisecret_types.go
index 6ed5b465..e0ae0880 100644
--- a/api/v1beta1/vaultpkisecret_types.go
+++ b/api/v1beta1/vaultpkisecret_types.go
@@ -93,7 +93,7 @@ type VaultPKISecretSpec struct {
 // not when generating a CSR for an intermediate CA.
 // Should be in duration notation e.g. 120s, 2h, etc.
 // +kubebuilder:validation:Type=string
- // +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h))$`
+ // +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h|d))$`
 TTL string `json:"ttl,omitempty"`
 
 // Format for the certificate. Choices: "pem", "der", "pem_bundle".
diff --git a/api/v1beta1/vaultstaticsecret_types.go b/api/v1beta1/vaultstaticsecret_types.go
index 65821915..e1b95ed1 100644
--- a/api/v1beta1/vaultstaticsecret_types.go
+++ b/api/v1beta1/vaultstaticsecret_types.go
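Review bot: The doc comment two lines above the changed marker in the `@@ -93` hunk still reads `// Should be in duration notation e.g. 120s, 2h, etc.`, so the new `d` suffix is accepted by the CRD but never documented; update it to `// Should be in duration notation e.g. 120s, 2h, 30d, etc.` since that text is what controller-gen copies into the generated CRDs and api-reference.md. `d` is also not a unit that Go's time.ParseDuration accepts, so if the controller parses TTL itself rather than forwarding the string to Vault, a value such as `30d` would pass admission and only fail at reconcile time — worth confirming the parse path or adding a unit test with a day-suffixed TTL. The VaultStaticSecret refreshAfter pattern shown later in this patch still excludes `d`; if that is deliberate because the operator parses that field locally, a short note in the commit description would save the next reader the question. The VaultPKISecretSpec struct begins and ends outside the hunk.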
@@ -48,7 +48,7 @@ type VaultStaticSecretSpec struct {
 // not support dynamically reloading a rotated secret.
 // In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will
 // trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
- // All configured targets wil be ignored if HMACSecretData is set to false.
+ // All configured targets will be ignored if HMACSecretData is set to false.
 // See RolloutRestartTarget for more details.
 RolloutRestartTargets []RolloutRestartTarget `json:"rolloutRestartTargets,omitempty"`
 // Destination provides configuration necessary for syncing the Vault secret to Kubernetes.
diff --git a/chart/crds/secrets.hashicorp.com_vaultpkisecrets.yaml b/chart/crds/secrets.hashicorp.com_vaultpkisecrets.yaml
index 80625f36..cb879c2a 100644
--- a/chart/crds/secrets.hashicorp.com_vaultpkisecrets.yaml
+++ b/chart/crds/secrets.hashicorp.com_vaultpkisecrets.yaml
@@ -316,7 +316,7 @@ spec:
 Note: this only has an effect when generating a CA cert or signing a CA cert,
 not when generating a CSR for an intermediate CA.
 Should be in duration notation e.g. 120s, 2h, etc.
- pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
+ pattern: ^([0-9]+(\.[0-9]+)?(s|m|h|d))$
 type: string
 uriSans:
 description: The requested URI SANs.
diff --git a/chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml b/chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml
index ae65431d..f916e222 100644
--- a/chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml
+++ b/chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml
@@ -222,7 +222,7 @@ spec:
 not support dynamically reloading a rotated secret.
 In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will
 trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
- All configured targets wil be ignored if HMACSecretData is set to false.
+ All configured targets will be ignored if HMACSecretData is set to false.
 See RolloutRestartTarget for more details.
 items:
 description: |-
diff --git a/config/crd/bases/secrets.hashicorp.com_vaultpkisecrets.yaml b/config/crd/bases/secrets.hashicorp.com_vaultpkisecrets.yaml
index 80625f36..cb879c2a 100644
--- a/config/crd/bases/secrets.hashicorp.com_vaultpkisecrets.yaml
+++ b/config/crd/bases/secrets.hashicorp.com_vaultpkisecrets.yaml
@@ -316,7 +316,7 @@ spec:
 Note: this only has an effect when generating a CA cert or signing a CA cert,
 not when generating a CSR for an intermediate CA.
 Should be in duration notation e.g. 120s, 2h, etc.
- pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
+ pattern: ^([0-9]+(\.[0-9]+)?(s|m|h|d))$
 type: string
 uriSans:
 description: The requested URI SANs.
diff --git a/config/crd/bases/secrets.hashicorp.com_vaultstaticsecrets.yaml b/config/crd/bases/secrets.hashicorp.com_vaultstaticsecrets.yaml
index ae65431d..f916e222 100644
--- a/config/crd/bases/secrets.hashicorp.com_vaultstaticsecrets.yaml
+++ b/config/crd/bases/secrets.hashicorp.com_vaultstaticsecrets.yaml
@@ -222,7 +222,7 @@ spec:
 not support dynamically reloading a rotated secret.
 In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will
 trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
- All configured targets wil be ignored if HMACSecretData is set to false.
+ All configured targets will be ignored if HMACSecretData is set to false.
 See RolloutRestartTarget for more details.
 items:
 description: |-
diff --git a/docs/api/api-reference.md b/docs/api/api-reference.md
index 96d31cbc..43c734fe 100644
--- a/docs/api/api-reference.md
+++ b/docs/api/api-reference.md
@@ -1073,7 +1073,7 @@ _Appears in:_
 | `uriSans` _string array_ | The requested URI SANs. | | |
 | `otherSans` _string array_ | Requested other SANs, in an array with the format
oid;type:value for each entry. | | | | `userIDs` _string array_ | User ID (OID 0.9.2342.19200300.100.1.1) Subject values to be placed on the
signed certificate. | | | -| `ttl` _string_ | TTL for the certificate; sets the expiration date.
If not specified the Vault role's default,
backend default, or system default TTL is used, in that order.
Cannot be larger than the mount's max TTL.
Note: this only has an effect when generating a CA cert or signing a CA cert,
not when generating a CSR for an intermediate CA.
Should be in duration notation e.g. 120s, 2h, etc. | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h))$`
Type: string
| +| `ttl` _string_ | TTL for the certificate; sets the expiration date.
If not specified the Vault role's default,
backend default, or system default TTL is used, in that order.
Cannot be larger than the mount's max TTL.
Note: this only has an effect when generating a CA cert or signing a CA cert,
not when generating a CSR for an intermediate CA.
Should be in duration notation e.g. 120s, 2h, etc. | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h|d))$`
Type: string
| | `format` _string_ | Format for the certificate. Choices: "pem", "der", "pem_bundle".
If "pem_bundle",
any private key and issuing cert will be appended to the certificate pem.
If "der", the value will be base64 encoded.
Default: pem | | | | `privateKeyFormat` _string_ | PrivateKeyFormat, generally the default will be controlled by the Format
parameter as either base64-encoded DER or PEM-encoded DER.
However, this can be set to "pkcs8" to have the returned
private key contain base64-encoded pkcs8 or PEM-encoded
pkcs8 instead.
Default: der | | | | `notAfter` _string_ | NotAfter field of the certificate with specified date value.
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ | | |
@@ -1178,7 +1178,7 @@ _Appears in:_
 | `type` _string_ | Type of the Vault static secret | | Enum: [kv-v1 kv-v2]
| | `refreshAfter` _string_ | RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h))$`
Type: string
| | `hmacSecretData` _boolean_ | HMACSecretData determines whether the Operator computes the
HMAC of the Secret's data. The MAC value will be stored in
the resource's Status.SecretMac field, and will be used for drift detection
and during incoming Vault secret comparison.
Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault. | true | | -| `rolloutRestartTargets` _[RolloutRestartTarget](#rolloutrestarttarget) array_ | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does
not support dynamically reloading a rotated secret.
In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will
trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
All configured targets wil be ignored if HMACSecretData is set to false.
See RolloutRestartTarget for more details. | | | +| `rolloutRestartTargets` _[RolloutRestartTarget](#rolloutrestarttarget) array_ | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does
not support dynamically reloading a rotated secret.
In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will
trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
All configured targets will be ignored if HMACSecretData is set to false.
See RolloutRestartTarget for more details. | | | | `destination` _[Destination](#destination)_ | Destination provides configuration necessary for syncing the Vault secret to Kubernetes. | | | | `syncConfig` _[SyncConfig](#syncconfig)_ | SyncConfig configures sync behavior from Vault to VSO | | |