kcr_secrets_stackable_tech 3.20260118.73317

Kubernetes Custom Resource Bindings
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331

// WARNING: generated by kopium - manual changes will be overwritten
// kopium command: kopium --docs --derive=Default --derive=PartialEq --smart-derive-elision --filename crd-catalog/stackabletech/secret-operator/secrets.stackable.tech/v1alpha1/secretclasses.yaml
// kopium version: 0.22.5

#[allow(unused_imports)]
mod prelude {
    pub use kube::CustomResource;
    pub use serde::{Serialize, Deserialize};
}
use self::prelude::*;

/// A [SecretClass](<https://docs.stackable.tech/home/nightly/secret-operator/secretclass)> is a cluster-global Kubernetes resource that defines a category of secrets that the Secret Operator knows how to provision.
#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[kube(group = "secrets.stackable.tech", version = "v1alpha1", kind = "SecretClass", plural = "secretclasses")]
#[kube(schema = "disabled")]
#[kube(derive="Default")]
#[kube(derive="PartialEq")]
pub struct SecretClassSpec {
    /// Each SecretClass is associated with a single [backend](<https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend),> which dictates the mechanism for issuing that kind of Secret.
    pub backend: SecretClassBackend,
}

/// Each SecretClass is associated with a single [backend](<https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend),> which dictates the mechanism for issuing that kind of Secret.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackend {
    /// The [`autoTls` backend](<https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-autotls)> issues a TLS certificate signed by the Secret Operator. The certificate authority can be provided by the administrator, or managed automatically by the Secret Operator.
    /// 
    /// A new certificate and key pair will be generated and signed for each Pod, keys or certificates are never reused.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "autoTls")]
    pub auto_tls: Option<SecretClassBackendAutoTls>,
    /// The [`experimentalCertManager` backend][1] injects a TLS certificate issued by [cert-manager](<https://cert-manager.io/).>
    /// 
    /// A new certificate will be requested the first time it is used by a Pod, it will be reused after that (subject to cert-manager renewal rules).
    /// 
    /// [1]: <https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-certmanager>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "experimentalCertManager")]
    pub experimental_cert_manager: Option<SecretClassBackendExperimentalCertManager>,
    /// The [`k8sSearch` backend](<https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-k8ssearch)> can be used to mount Secrets across namespaces into Pods.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "k8sSearch")]
    pub k8s_search: Option<SecretClassBackendK8sSearch>,
    /// The [`kerberosKeytab` backend](<https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-kerberoskeytab)> creates a Kerberos keytab file for a selected realm. The Kerberos KDC and administrator credentials must be provided by the administrator.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "kerberosKeytab")]
    pub kerberos_keytab: Option<SecretClassBackendKerberosKeytab>,
}

/// The [`autoTls` backend](<https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-autotls)> issues a TLS certificate signed by the Secret Operator. The certificate authority can be provided by the administrator, or managed automatically by the Secret Operator.
/// 
/// A new certificate and key pair will be generated and signed for each Pod, keys or certificates are never reused.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendAutoTls {
    /// Additional trust roots which are added to the provided `ca.crt` file.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "additionalTrustRoots")]
    pub additional_trust_roots: Option<Vec<SecretClassBackendAutoTlsAdditionalTrustRoots>>,
    /// Configures the certificate authority used to issue Pod certificates.
    pub ca: SecretClassBackendAutoTlsCa,
    /// Maximum lifetime the created certificates are allowed to have. In case consumers request a longer lifetime than allowed by this setting, the lifetime will be the minimum of both, so this setting takes precedence. The default value is 15 days.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxCertificateLifetime")]
    pub max_certificate_lifetime: Option<String>,
}

#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendAutoTlsAdditionalTrustRoots {
    /// Reference (name and namespace) to a Kubernetes ConfigMap object where additional certificates are stored. The extensions of the keys denote its contents: A key suffixed with `.crt` contains a stack of base64 encoded DER certificates, a key suffixed with `.der` contains a binary DER certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "configMap")]
    pub config_map: Option<SecretClassBackendAutoTlsAdditionalTrustRootsConfigMap>,
    /// Reference (name and namespace) to a Kubernetes Secret object where additional certificates are stored. The extensions of the keys denote its contents: A key suffixed with `.crt` contains a stack of base64 encoded DER certificates, a key suffixed with `.der` contains a binary DER certificate.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub secret: Option<SecretClassBackendAutoTlsAdditionalTrustRootsSecret>,
}

/// Reference (name and namespace) to a Kubernetes ConfigMap object where additional certificates are stored. The extensions of the keys denote its contents: A key suffixed with `.crt` contains a stack of base64 encoded DER certificates, a key suffixed with `.der` contains a binary DER certificate.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendAutoTlsAdditionalTrustRootsConfigMap {
    /// Name of the ConfigMap being referred to.
    pub name: String,
    /// Namespace of the ConfigMap being referred to.
    pub namespace: String,
}

/// Reference (name and namespace) to a Kubernetes Secret object where additional certificates are stored. The extensions of the keys denote its contents: A key suffixed with `.crt` contains a stack of base64 encoded DER certificates, a key suffixed with `.der` contains a binary DER certificate.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendAutoTlsAdditionalTrustRootsSecret {
    /// Name of the Secret being referred to.
    pub name: String,
    /// Namespace of the Secret being referred to.
    pub namespace: String,
}

/// Configures the certificate authority used to issue Pod certificates.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendAutoTlsCa {
    /// Whether the certificate authority should be managed by Secret Operator, including being generated if it does not already exist.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "autoGenerate")]
    pub auto_generate: Option<bool>,
    /// The lifetime of each generated certificate authority.
    /// 
    /// Should always be more than double `maxCertificateLifetime`.
    /// 
    /// If `autoGenerate: true` then the Secret Operator will prepare a new CA certificate the old CA approaches expiration. If `autoGenerate: false` then the Secret Operator will log a warning instead.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caCertificateLifetime")]
    pub ca_certificate_lifetime: Option<String>,
    /// The algorithm used to generate a key pair and required configuration settings. Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "keyGeneration")]
    pub key_generation: Option<SecretClassBackendAutoTlsCaKeyGeneration>,
    /// Reference (name and namespace) to a Kubernetes Secret object where the CA certificate and key is stored in the keys `ca.crt` and `ca.key` respectively.
    pub secret: SecretClassBackendAutoTlsCaSecret,
}

/// The algorithm used to generate a key pair and required configuration settings. Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendAutoTlsCaKeyGeneration {
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub rsa: Option<SecretClassBackendAutoTlsCaKeyGenerationRsa>,
}

#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendAutoTlsCaKeyGenerationRsa {
    /// The amount of bits used for generating the RSA keypair. Currently, `2048`, `3072` and `4096` are supported. Defaults to `2048` bits.
    pub length: i64,
}

#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretClassBackendAutoTlsCaKeyGenerationRsaLength {
    #[serde(rename = "2048")]
    r#_2048,
    #[serde(rename = "3072")]
    r#_3072,
    #[serde(rename = "4096")]
    r#_4096,
}

/// Reference (name and namespace) to a Kubernetes Secret object where the CA certificate and key is stored in the keys `ca.crt` and `ca.key` respectively.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendAutoTlsCaSecret {
    /// Name of the Secret being referred to.
    pub name: String,
    /// Namespace of the Secret being referred to.
    pub namespace: String,
}

/// The [`experimentalCertManager` backend][1] injects a TLS certificate issued by [cert-manager](<https://cert-manager.io/).>
/// 
/// A new certificate will be requested the first time it is used by a Pod, it will be reused after that (subject to cert-manager renewal rules).
/// 
/// [1]: <https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-certmanager>
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretClassBackendExperimentalCertManager {
    /// The default lifetime of certificates.
    /// 
    /// Defaults to 1 day. This may need to be increased for external issuers that impose rate limits (such as Let's Encrypt).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultCertificateLifetime")]
    pub default_certificate_lifetime: Option<String>,
    /// A reference to the cert-manager issuer that the certificates should be requested from.
    pub issuer: SecretClassBackendExperimentalCertManagerIssuer,
    /// The algorithm used to generate a key pair and required configuration settings. Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "keyGeneration")]
    pub key_generation: Option<SecretClassBackendExperimentalCertManagerKeyGeneration>,
}

/// A reference to the cert-manager issuer that the certificates should be requested from.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretClassBackendExperimentalCertManagerIssuer {
    /// The kind of the issuer, Issuer or ClusterIssuer.
    /// 
    /// If Issuer then it must be in the same namespace as the Pods using it.
    pub kind: SecretClassBackendExperimentalCertManagerIssuerKind,
    /// The name of the issuer.
    pub name: String,
}

/// A reference to the cert-manager issuer that the certificates should be requested from.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretClassBackendExperimentalCertManagerIssuerKind {
    Issuer,
    ClusterIssuer,
}

/// The algorithm used to generate a key pair and required configuration settings. Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendExperimentalCertManagerKeyGeneration {
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub rsa: Option<SecretClassBackendExperimentalCertManagerKeyGenerationRsa>,
}

#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendExperimentalCertManagerKeyGenerationRsa {
    /// The amount of bits used for generating the RSA keypair. Currently, `2048`, `3072` and `4096` are supported. Defaults to `2048` bits.
    pub length: i64,
}

#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretClassBackendExperimentalCertManagerKeyGenerationRsaLength {
    #[serde(rename = "2048")]
    r#_2048,
    #[serde(rename = "3072")]
    r#_3072,
    #[serde(rename = "4096")]
    r#_4096,
}

/// The [`k8sSearch` backend](<https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-k8ssearch)> can be used to mount Secrets across namespaces into Pods.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendK8sSearch {
    /// Configures the namespace searched for Secret objects.
    #[serde(rename = "searchNamespace")]
    pub search_namespace: SecretClassBackendK8sSearchSearchNamespace,
    /// Name of a ConfigMap that contains the information required to validate against this SecretClass.
    /// 
    /// Resolved relative to `search_namespace`.
    /// 
    /// Required to request a TrustStore for this SecretClass.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "trustStoreConfigMapName")]
    pub trust_store_config_map_name: Option<String>,
}

/// Configures the namespace searched for Secret objects.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendK8sSearchSearchNamespace {
    /// The Secret objects are located in a single global namespace. Should be used for secrets that are provisioned by the cluster administrator.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The Secret objects are located in the same namespace as the Pod object. Should be used for Secrets that are provisioned by the application administrator.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub pod: Option<SecretClassBackendK8sSearchSearchNamespacePod>,
}

/// The Secret objects are located in the same namespace as the Pod object. Should be used for Secrets that are provisioned by the application administrator.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendK8sSearchSearchNamespacePod {
}

/// The [`kerberosKeytab` backend](<https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-kerberoskeytab)> creates a Kerberos keytab file for a selected realm. The Kerberos KDC and administrator credentials must be provided by the administrator.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendKerberosKeytab {
    /// Kerberos admin configuration settings.
    pub admin: SecretClassBackendKerberosKeytabAdmin,
    /// Reference (`name` and `namespace`) to a K8s Secret object where a keytab with administrative privileges is stored in the key `keytab`.
    #[serde(rename = "adminKeytabSecret")]
    pub admin_keytab_secret: SecretClassBackendKerberosKeytabAdminKeytabSecret,
    /// The admin principal.
    #[serde(rename = "adminPrincipal")]
    pub admin_principal: String,
    /// The hostname of the Kerberos Key Distribution Center (KDC). This should be provided by the Kerberos administrator.
    pub kdc: String,
    /// The name of the Kerberos realm. This should be provided by the Kerberos administrator.
    #[serde(rename = "realmName")]
    pub realm_name: String,
}

/// Kerberos admin configuration settings.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendKerberosKeytabAdmin {
    /// Credentials should be provisioned in a Microsoft Active Directory domain.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "activeDirectory")]
    pub active_directory: Option<SecretClassBackendKerberosKeytabAdminActiveDirectory>,
    /// Credentials should be provisioned in a MIT Kerberos Admin Server.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub mit: Option<SecretClassBackendKerberosKeytabAdminMit>,
}

/// Credentials should be provisioned in a Microsoft Active Directory domain.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendKerberosKeytabAdminActiveDirectory {
    /// Allows samAccountName generation for new accounts to be customized. Note that setting this field (even if empty) makes the Secret Operator take over the generation duty from the domain controller.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "experimentalGenerateSamAccountName")]
    pub experimental_generate_sam_account_name: Option<SecretClassBackendKerberosKeytabAdminActiveDirectoryExperimentalGenerateSamAccountName>,
    /// An AD LDAP server, such as the AD Domain Controller. This must match the server’s FQDN, or GSSAPI authentication will fail.
    #[serde(rename = "ldapServer")]
    pub ldap_server: String,
    /// Reference (name and namespace) to a Kubernetes Secret object containing the TLS CA (in `ca.crt`) that the LDAP server’s certificate should be authenticated against.
    #[serde(rename = "ldapTlsCaSecret")]
    pub ldap_tls_ca_secret: SecretClassBackendKerberosKeytabAdminActiveDirectoryLdapTlsCaSecret,
    /// Reference (name and namespace) to a Kubernetes Secret object where workload passwords will be stored. This must not be accessible to end users.
    #[serde(rename = "passwordCacheSecret")]
    pub password_cache_secret: SecretClassBackendKerberosKeytabAdminActiveDirectoryPasswordCacheSecret,
    /// The root Distinguished Name (DN) for AD-managed schemas, typically `CN=Schema,CN=Configuration,{domain_dn}`.
    #[serde(rename = "schemaDistinguishedName")]
    pub schema_distinguished_name: String,
    /// The root Distinguished Name (DN) where service accounts should be provisioned, typically `CN=Users,{domain_dn}`.
    #[serde(rename = "userDistinguishedName")]
    pub user_distinguished_name: String,
}

/// Allows samAccountName generation for new accounts to be customized. Note that setting this field (even if empty) makes the Secret Operator take over the generation duty from the domain controller.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendKerberosKeytabAdminActiveDirectoryExperimentalGenerateSamAccountName {
    /// A prefix to be prepended to generated samAccountNames.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub prefix: Option<String>,
    /// The total length of generated samAccountNames, _including_ `prefix`. Must be larger than the length of `prefix`, but at most `20`.
    /// 
    /// Note that this should be as large as possible, to minimize the risk of collisions.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "totalLength")]
    pub total_length: Option<u8>,
}

/// Reference (name and namespace) to a Kubernetes Secret object containing the TLS CA (in `ca.crt`) that the LDAP server’s certificate should be authenticated against.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendKerberosKeytabAdminActiveDirectoryLdapTlsCaSecret {
    /// Name of the Secret being referred to.
    pub name: String,
    /// Namespace of the Secret being referred to.
    pub namespace: String,
}

/// Reference (name and namespace) to a Kubernetes Secret object where workload passwords will be stored. This must not be accessible to end users.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendKerberosKeytabAdminActiveDirectoryPasswordCacheSecret {
    /// Name of the Secret being referred to.
    pub name: String,
    /// Namespace of the Secret being referred to.
    pub namespace: String,
}

/// Credentials should be provisioned in a MIT Kerberos Admin Server.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendKerberosKeytabAdminMit {
    /// The hostname of the Kerberos Admin Server. This should be provided by the Kerberos administrator.
    #[serde(rename = "kadminServer")]
    pub kadmin_server: String,
}

/// Reference (`name` and `namespace`) to a K8s Secret object where a keytab with administrative privileges is stored in the key `keytab`.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretClassBackendKerberosKeytabAdminKeytabSecret {
    /// Name of the Secret being referred to.
    pub name: String,
    /// Namespace of the Secret being referred to.
    pub namespace: String,
}