VPS: support day duration notation for TTL (#990)
Extend the validation pattern to support specifying the certificate TTL duration as days.
benashz authored Dec 18, 2024
1 parent 7a1af6f commit 2f09afa
Showing 7 changed files with 8 additions and 8 deletions.
2 changes: 1 addition & 1 deletion api/v1beta1/vaultpkisecret_types.go
Expand Up @@ -93,7 +93,7 @@ type VaultPKISecretSpec struct {
// not when generating a CSR for an intermediate CA.
// Should be in duration notation e.g. 120s, 2h, etc.
// +kubebuilder:validation:Type=string
// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h))$`
// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h|d))$`
TTL string `json:"ttl,omitempty"`

// Format for the certificate. Choices: "pem", "der", "pem_bundle".
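Review bot: the doc comment two lines above the pattern still reads "Should be in duration notation e.g. 120s, 2h, etc." even though the pattern now accepts a `d` suffix; update the comment to e.g. `// Should be in duration notation e.g. 120s, 2h, 30d, etc.` so the generated CRD descriptions and API reference advertise the new unit. Also confirm that wherever the operator consumes `TTL` it does not run the value through Go's `time.ParseDuration`, which has no `d` unit and would reject a value the CRD pattern now admits; forwarding the string to Vault, whose duration parsing accepts days, is fine.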
2 changes: 1 addition & 1 deletion api/v1beta1/vaultstaticsecret_types.go
Expand Up @@ -48,7 +48,7 @@ type VaultStaticSecretSpec struct {
// not support dynamically reloading a rotated secret.
// In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will
// trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
// All configured targets wil be ignored if HMACSecretData is set to false.
// All configured targets will be ignored if HMACSecretData is set to false.
// See RolloutRestartTarget for more details.
RolloutRestartTargets []RolloutRestartTarget `json:"rolloutRestartTargets,omitempty"`
// Destination provides configuration necessary for syncing the Vault secret to Kubernetes.
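Review bot: this hunk is a comment typo fix ("wil" to "will") on `RolloutRestartTargets` that is unrelated to the TTL change described in the commit message; it is harmless, but either mention it in the message or split it into its own commit so the history stays searchable.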
2 changes: 1 addition & 1 deletion chart/crds/secrets.hashicorp.com_vaultpkisecrets.yaml
Expand Up @@ -316,7 +316,7 @@ spec:
Note: this only has an effect when generating a CA cert or signing a CA cert,
not when generating a CSR for an intermediate CA.
Should be in duration notation e.g. 120s, 2h, etc.
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h|d))$
type: string
uriSans:
description: The requested URI SANs.
2 changes: 1 addition & 1 deletion chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml
Expand Up @@ -222,7 +222,7 @@ spec:
not support dynamically reloading a rotated secret.
In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will
trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
All configured targets wil be ignored if HMACSecretData is set to false.
All configured targets will be ignored if HMACSecretData is set to false.
See RolloutRestartTarget for more details.
items:
description: |-
Expand Up @@ -316,7 +316,7 @@ spec:
Note: this only has an effect when generating a CA cert or signing a CA cert,
not when generating a CSR for an intermediate CA.
Should be in duration notation e.g. 120s, 2h, etc.
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h|d))$
type: string
uriSans:
description: The requested URI SANs.
Expand Up @@ -222,7 +222,7 @@ spec:
not support dynamically reloading a rotated secret.
In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will
trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
All configured targets wil be ignored if HMACSecretData is set to false.
All configured targets will be ignored if HMACSecretData is set to false.
See RolloutRestartTarget for more details.
items:
description: |-
4 changes: 2 additions & 2 deletions docs/api/api-reference.md
Expand Up @@ -1073,7 +1073,7 @@ _Appears in:_
| `uriSans` _string array_ | The requested URI SANs. | | |
| `otherSans` _string array_ | Requested other SANs, in an array with the format<br />oid;type:value for each entry. | | |
| `userIDs` _string array_ | User ID (OID 0.9.2342.19200300.100.1.1) Subject values to be placed on the<br />signed certificate. | | |
| `ttl` _string_ | TTL for the certificate; sets the expiration date.<br />If not specified the Vault role's default,<br />backend default, or system default TTL is used, in that order.<br />Cannot be larger than the mount's max TTL.<br />Note: this only has an effect when generating a CA cert or signing a CA cert,<br />not when generating a CSR for an intermediate CA.<br />Should be in duration notation e.g. 120s, 2h, etc. | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h))$` <br />Type: string <br /> |
| `ttl` _string_ | TTL for the certificate; sets the expiration date.<br />If not specified the Vault role's default,<br />backend default, or system default TTL is used, in that order.<br />Cannot be larger than the mount's max TTL.<br />Note: this only has an effect when generating a CA cert or signing a CA cert,<br />not when generating a CSR for an intermediate CA.<br />Should be in duration notation e.g. 120s, 2h, etc. | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h|d))$` <br />Type: string <br /> |
| `format` _string_ | Format for the certificate. Choices: "pem", "der", "pem_bundle".<br />If "pem_bundle",<br />any private key and issuing cert will be appended to the certificate pem.<br />If "der", the value will be base64 encoded.<br />Default: pem | | |
| `privateKeyFormat` _string_ | PrivateKeyFormat, generally the default will be controlled by the Format<br />parameter as either base64-encoded DER or PEM-encoded DER.<br />However, this can be set to "pkcs8" to have the returned<br />private key contain base64-encoded pkcs8 or PEM-encoded<br />pkcs8 instead.<br />Default: der | | |
| `notAfter` _string_ | NotAfter field of the certificate with specified date value.<br />The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ | | |
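Review bot: the `ttl` row's description column is unchanged and still gives only "120s, 2h" as examples while the Pattern column now lists `d`; since this table is generated from the Go doc comment, fix the example in `api/v1beta1/vaultpkisecret_types.go` and regenerate rather than editing the markdown by hand.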
Expand Down Expand Up @@ -1178,7 +1178,7 @@ _Appears in:_
| `type` _string_ | Type of the Vault static secret | | Enum: [kv-v1 kv-v2] <br /> |
| `refreshAfter` _string_ | RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h))$` <br />Type: string <br /> |
| `hmacSecretData` _boolean_ | HMACSecretData determines whether the Operator computes the<br />HMAC of the Secret's data. The MAC value will be stored in<br />the resource's Status.SecretMac field, and will be used for drift detection<br />and during incoming Vault secret comparison.<br />Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault. | true | |
| `rolloutRestartTargets` _[RolloutRestartTarget](#rolloutrestarttarget) array_ | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does<br />not support dynamically reloading a rotated secret.<br />In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will<br />trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.<br />All configured targets wil be ignored if HMACSecretData is set to false.<br />See RolloutRestartTarget for more details. | | |
| `rolloutRestartTargets` _[RolloutRestartTarget](#rolloutrestarttarget) array_ | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does<br />not support dynamically reloading a rotated secret.<br />In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will<br />trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.<br />All configured targets will be ignored if HMACSecretData is set to false.<br />See RolloutRestartTarget for more details. | | |
| `destination` _[Destination](#destination)_ | Destination provides configuration necessary for syncing the Vault secret to Kubernetes. | | |
| `syncConfig` _[SyncConfig](#syncconfig)_ | SyncConfig configures sync behavior from Vault to VSO | | |
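Review bot: the `refreshAfter` row in this hunk's context keeps `^([0-9]+(\.[0-9]+)?(s|m|h))$` without `d`, so the two duration-style fields now accept different unit sets; if that is deliberate (for example because `refreshAfter` is parsed in Go rather than by Vault), a short note in the commit message would prevent a follow-up "fix" that extends this pattern without checking the parser.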
