Skip to content

Commit

Permalink
VPS: support day duration notation for TTL
Browse files Browse the repository at this point in the history
Extend the validation pattern to support specifying the certificate TTL duration as days.
  • Loading branch information
benashz committed Dec 18, 2024
1 parent 7a1af6f commit 3bfee84
Show file tree
Hide file tree
Showing 7 changed files with 8 additions and 8 deletions.
2 changes: 1 addition & 1 deletion api/v1beta1/vaultpkisecret_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ type VaultPKISecretSpec struct {
// not when generating a CSR for an intermediate CA.
// Should be in duration notation e.g. 120s, 2h, etc.
// +kubebuilder:validation:Type=string
// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h))$`
// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h|d))$`
TTL string `json:"ttl,omitempty"`

// Format for the certificate. Choices: "pem", "der", "pem_bundle".
Expand Down
2 changes: 1 addition & 1 deletion api/v1beta1/vaultstaticsecret_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ type VaultStaticSecretSpec struct {
// not support dynamically reloading a rotated secret.
// In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will
// trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
// All configured targets wil be ignored if HMACSecretData is set to false.
// All configured targets will be ignored if HMACSecretData is set to false.
// See RolloutRestartTarget for more details.
RolloutRestartTargets []RolloutRestartTarget `json:"rolloutRestartTargets,omitempty"`
// Destination provides configuration necessary for syncing the Vault secret to Kubernetes.
Expand Down
2 changes: 1 addition & 1 deletion chart/crds/secrets.hashicorp.com_vaultpkisecrets.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -316,7 +316,7 @@ spec:
Note: this only has an effect when generating a CA cert or signing a CA cert,
not when generating a CSR for an intermediate CA.
Should be in duration notation e.g. 120s, 2h, etc.
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h|d))$
type: string
uriSans:
description: The requested URI SANs.
Expand Down
2 changes: 1 addition & 1 deletion chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -222,7 +222,7 @@ spec:
not support dynamically reloading a rotated secret.
In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will
trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
All configured targets wil be ignored if HMACSecretData is set to false.
All configured targets will be ignored if HMACSecretData is set to false.
See RolloutRestartTarget for more details.
items:
description: |-
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -316,7 +316,7 @@ spec:
Note: this only has an effect when generating a CA cert or signing a CA cert,
not when generating a CSR for an intermediate CA.
Should be in duration notation e.g. 120s, 2h, etc.
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))$
pattern: ^([0-9]+(\.[0-9]+)?(s|m|h|d))$
type: string
uriSans:
description: The requested URI SANs.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -222,7 +222,7 @@ spec:
not support dynamically reloading a rotated secret.
In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will
trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
All configured targets wil be ignored if HMACSecretData is set to false.
All configured targets will be ignored if HMACSecretData is set to false.
See RolloutRestartTarget for more details.
items:
description: |-
Expand Down
4 changes: 2 additions & 2 deletions docs/api/api-reference.md
Original file line number Diff line number Diff line change
Expand Up @@ -1073,7 +1073,7 @@ _Appears in:_
| `uriSans` _string array_ | The requested URI SANs. | | |
| `otherSans` _string array_ | Requested other SANs, in an array with the format<br />oid;type:value for each entry. | | |
| `userIDs` _string array_ | User ID (OID 0.9.2342.19200300.100.1.1) Subject values to be placed on the<br />signed certificate. | | |
| `ttl` _string_ | TTL for the certificate; sets the expiration date.<br />If not specified the Vault role's default,<br />backend default, or system default TTL is used, in that order.<br />Cannot be larger than the mount's max TTL.<br />Note: this only has an effect when generating a CA cert or signing a CA cert,<br />not when generating a CSR for an intermediate CA.<br />Should be in duration notation e.g. 120s, 2h, etc. | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h))$` <br />Type: string <br /> |
| `ttl` _string_ | TTL for the certificate; sets the expiration date.<br />If not specified the Vault role's default,<br />backend default, or system default TTL is used, in that order.<br />Cannot be larger than the mount's max TTL.<br />Note: this only has an effect when generating a CA cert or signing a CA cert,<br />not when generating a CSR for an intermediate CA.<br />Should be in duration notation e.g. 120s, 2h, etc. | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h|d))$` <br />Type: string <br /> |
| `format` _string_ | Format for the certificate. Choices: "pem", "der", "pem_bundle".<br />If "pem_bundle",<br />any private key and issuing cert will be appended to the certificate pem.<br />If "der", the value will be base64 encoded.<br />Default: pem | | |
| `privateKeyFormat` _string_ | PrivateKeyFormat, generally the default will be controlled by the Format<br />parameter as either base64-encoded DER or PEM-encoded DER.<br />However, this can be set to "pkcs8" to have the returned<br />private key contain base64-encoded pkcs8 or PEM-encoded<br />pkcs8 instead.<br />Default: der | | |
| `notAfter` _string_ | NotAfter field of the certificate with specified date value.<br />The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ | | |
Expand Down Expand Up @@ -1178,7 +1178,7 @@ _Appears in:_
| `type` _string_ | Type of the Vault static secret | | Enum: [kv-v1 kv-v2] <br /> |
| `refreshAfter` _string_ | RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h))$` <br />Type: string <br /> |
| `hmacSecretData` _boolean_ | HMACSecretData determines whether the Operator computes the<br />HMAC of the Secret's data. The MAC value will be stored in<br />the resource's Status.SecretMac field, and will be used for drift detection<br />and during incoming Vault secret comparison.<br />Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault. | true | |
| `rolloutRestartTargets` _[RolloutRestartTarget](#rolloutrestarttarget) array_ | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does<br />not support dynamically reloading a rotated secret.<br />In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will<br />trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.<br />All configured targets wil be ignored if HMACSecretData is set to false.<br />See RolloutRestartTarget for more details. | | |
| `rolloutRestartTargets` _[RolloutRestartTarget](#rolloutrestarttarget) array_ | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does<br />not support dynamically reloading a rotated secret.<br />In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will<br />trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.<br />All configured targets will be ignored if HMACSecretData is set to false.<br />See RolloutRestartTarget for more details. | | |
| `destination` _[Destination](#destination)_ | Destination provides configuration necessary for syncing the Vault secret to Kubernetes. | | |
| `syncConfig` _[SyncConfig](#syncconfig)_ | SyncConfig configures sync behavior from Vault to VSO | | |

Expand Down

0 comments on commit 3bfee84

Please sign in to comment.