diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml index d4179765b2e..b0e0e05cf5c 100644 --- a/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml @@ -76,6 +76,5 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" diff --git a/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml b/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml index 37248a5956c..b37f2841a19 100644 --- a/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml @@ -23,8 +23,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-encryption-key + vaultKeyPath: transit/keys/my-encryption-key expected: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -43,8 +42,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-encryption-key + vaultKeyPath: transit/keys/my-encryption-key - name: Should accept kmsPluginImage with simple two-level path like quay.io/vault/kms-plugin initial: | @@ -63,8 +61,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-encryption-key + vaultKeyPath: transit/keys/my-encryption-key expected: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -83,8 +80,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-encryption-key + vaultKeyPath: transit/keys/my-encryption-key - name: Should be able to create with full Vault KMS Plugin config including all optional fields initial: | @@ -99,6 +95,7 @@ tests: kmsPluginImage: registry.example.com/hashicorp/vault-plugin@sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890 vaultAddress: https://vault.prod.example.com:8200 vaultNamespace: my-team + vaultAuthNamespace: central-auth tls: caBundle: name: vault-ca-bundle @@ -108,8 +105,7 @@ tests: appRole: secret: name: vault-approle-credentials - transitMount: custom/transit/path - transitKey: production-encryption-key + vaultKeyPath: custom/transit/path/keys/production-encryption-key expected: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -124,6 +120,7 @@ tests: kmsPluginImage: registry.example.com/hashicorp/vault-plugin@sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890 vaultAddress: https://vault.prod.example.com:8200 vaultNamespace: my-team + vaultAuthNamespace: central-auth tls: caBundle: name: vault-ca-bundle @@ -133,8 +130,7 @@ tests: appRole: secret: name: vault-approle-credentials - transitMount: custom/transit/path - transitKey: production-encryption-key + vaultKeyPath: custom/transit/path/keys/production-encryption-key # Multi-level namespace path tests - name: Should accept kmsPluginImage with multi-level namespace path @@ -154,8 +150,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-encryption-key + vaultKeyPath: transit/keys/my-encryption-key expected: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -174,8 +169,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-encryption-key + vaultKeyPath: transit/keys/my-encryption-key - name: Should accept kmsPluginImage with deep multi-level namespace path initial: | @@ -194,8 +188,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-encryption-key + vaultKeyPath: transit/keys/my-encryption-key expected: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -214,11 +207,10 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-encryption-key + vaultKeyPath: transit/keys/my-encryption-key - # RFC 3986 unreserved character tests - - name: Should accept transitMount with period character + # vaultKeyPath valid tests + - name: Should accept vaultKeyPath with multi-segment mount initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -235,8 +227,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit.v1 - transitKey: my-key + vaultKeyPath: transit/test/keys/my-key expected: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -255,10 +246,9 @@ tests: appRole: secret: name: vault-approle - transitMount: transit.v1 - transitKey: my-key + vaultKeyPath: transit/test/keys/my-key - - name: Should accept transitMount with tilde character + - name: Should accept vaultKeyPath with mount containing period initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -275,8 +265,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit~backup - transitKey: my-key + vaultKeyPath: transit.v1/keys/my-key expected: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -295,10 +284,9 @@ tests: appRole: secret: name: vault-approle - transitMount: transit~backup - transitKey: my-key + vaultKeyPath: transit.v1/keys/my-key - - name: Should accept transitKey with period character + - name: Should accept vaultKeyPath with mount containing tilde initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -315,8 +303,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: encryption.key.v1 + vaultKeyPath: transit~backup/keys/my-key expected: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -335,10 +322,9 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: encryption.key.v1 + vaultKeyPath: transit~backup/keys/my-key - - name: Should reject transitKey with tilde character + - name: Should accept vaultKeyPath with key containing period initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -355,12 +341,29 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: key~backup - expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores" + vaultKeyPath: transit/keys/encryption.key.v1 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + encryption: + type: KMS + kms: + type: Vault + vault: + kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + vaultAddress: https://vault.example.com:8200 + authentication: + type: AppRole + appRole: + secret: + name: vault-approle + vaultKeyPath: transit/keys/encryption.key.v1 - # Type validation - vault field must be set when type is Vault - - name: Should reject KMS type Vault without vault config + # vaultKeyPath invalid tests + - name: Should reject vaultKeyPath without /keys/ separator initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -369,10 +372,18 @@ tests: type: KMS kms: type: Vault - expectedError: "vault config is required when kms provider type is Vault" + vault: + kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + vaultAddress: https://vault.example.com:8200 + authentication: + type: AppRole + appRole: + secret: + name: vault-approle + vaultKeyPath: transit/my-key + expectedError: "vaultKeyPath must follow the format /keys/" - # authentication type validation - appRole field must be set when type is AppRole - - name: Should reject authentication type AppRole without appRole config + - name: Should reject vaultKeyPath starting with forward slash initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -386,12 +397,174 @@ tests: vaultAddress: https://vault.example.com:8200 authentication: type: AppRole - transitMount: transit - transitKey: my-key - expectedError: "appRole config is required when authentication type is AppRole" + appRole: + secret: + name: vault-approle + vaultKeyPath: /transit/keys/my-key + expectedError: "vaultKeyPath cannot start with a forward slash" + + - name: Should reject vaultKeyPath ending with forward slash + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Vault + vault: + kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + vaultAddress: https://vault.example.com:8200 + authentication: + type: AppRole + appRole: + secret: + name: vault-approle + vaultKeyPath: transit/keys/my-key/ + expectedError: "vaultKeyPath cannot end with a forward slash" + + - name: Should reject vaultKeyPath with consecutive forward slashes + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Vault + vault: + kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + vaultAddress: https://vault.example.com:8200 + authentication: + type: AppRole + appRole: + secret: + name: vault-approle + vaultKeyPath: transit//keys/my-key + expectedError: "vaultKeyPath cannot contain consecutive forward slashes" + + - name: Should reject vaultKeyPath with dot path segment + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Vault + vault: + kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + vaultAddress: https://vault.example.com:8200 + authentication: + type: AppRole + appRole: + secret: + name: vault-approle + vaultKeyPath: transit/./keys/my-key + expectedError: "vaultKeyPath must not contain '.' or '..' path segments" + + - name: Should reject vaultKeyPath with double-dot path segment + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Vault + vault: + kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + vaultAddress: https://vault.example.com:8200 + authentication: + type: AppRole + appRole: + secret: + name: vault-approle + vaultKeyPath: transit/../keys/my-key + expectedError: "vaultKeyPath must not contain '.' or '..' path segments" + + - name: Should reject vaultKeyPath with special characters in mount + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Vault + vault: + kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + vaultAddress: https://vault.example.com:8200 + authentication: + type: AppRole + appRole: + secret: + name: vault-approle + vaultKeyPath: transit@test/keys/my-key + expectedError: "vaultKeyPath must only contain RFC 3986 unreserved characters" - # transitMount required field validation - - name: Should reject Vault KMS config without transitMount + - name: Should reject vaultKeyPath with key name starting with hyphen + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Vault + vault: + kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + vaultAddress: https://vault.example.com:8200 + authentication: + type: AppRole + appRole: + secret: + name: vault-approle + vaultKeyPath: transit/keys/-bad + expectedError: "vaultKeyPath must follow the format /keys/" + + - name: Should reject vaultKeyPath with key name ending with hyphen + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Vault + vault: + kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + vaultAddress: https://vault.example.com:8200 + authentication: + type: AppRole + appRole: + secret: + name: vault-approle + vaultKeyPath: transit/keys/bad- + expectedError: "vaultKeyPath must follow the format /keys/" + + - name: Should reject vaultKeyPath with key containing tilde + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Vault + vault: + kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + vaultAddress: https://vault.example.com:8200 + authentication: + type: AppRole + appRole: + secret: + name: vault-approle + vaultKeyPath: transit/keys/key~backup + expectedError: "vaultKeyPath must follow the format /keys/" + + # vaultKeyPath required field validation + - name: Should reject Vault KMS config without vaultKeyPath initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -408,9 +581,38 @@ tests: appRole: secret: name: vault-approle - transitKey: my-key expectedError: "Required value" + # Type validation - vault field must be set when type is Vault + - name: Should reject KMS type Vault without vault config + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Vault + expectedError: "vault config is required when kms provider type is Vault" + + # authentication type validation - appRole field must be set when type is AppRole + - name: Should reject authentication type AppRole without appRole config + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Vault + vault: + kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + vaultAddress: https://vault.example.com:8200 + authentication: + type: AppRole + vaultKeyPath: transit/keys/my-key + expectedError: "appRole config is required when authentication type is AppRole" + # kmsPluginImage validation tests - name: Should reject kmsPluginImage with tag instead of digest initial: | @@ -429,8 +631,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "the OCI Image reference must end with a valid '@sha256:' suffix" - name: Should reject kmsPluginImage without registry hostname @@ -450,8 +651,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "the OCI Image name should follow the host[:port][/namespace]/name format" - name: Should reject kmsPluginImage with invalid digest length @@ -471,8 +671,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long" # vaultAddress validation tests @@ -493,8 +692,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "must use the 'https' scheme" - name: Should reject vaultAddress with path @@ -514,8 +712,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "must not contain a path" - name: Should reject vaultAddress with query parameters @@ -535,8 +732,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "must not have a query" - name: Should reject vaultAddress with fragment @@ -556,8 +752,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "must not have a fragment" - name: Should reject vaultAddress with user info @@ -577,8 +772,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "must not have user info" # vaultNamespace validation tests @@ -600,8 +794,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "vaultNamespace cannot end with a forward slash" - name: Should reject vaultNamespace containing spaces @@ -622,8 +815,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "vaultNamespace cannot contain spaces" - name: Should reject vaultNamespace with reserved name root @@ -644,8 +836,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "vaultNamespace cannot be a reserved string" - name: Should reject vaultNamespace with reserved name sys @@ -666,8 +857,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "vaultNamespace cannot be a reserved string" - name: Should reject vaultNamespace with reserved name audit @@ -688,8 +878,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "vaultNamespace cannot be a reserved string" - name: Should reject vaultNamespace with reserved name auth @@ -710,8 +899,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "vaultNamespace cannot be a reserved string" - name: Should reject vaultNamespace with reserved name cubbyhole @@ -732,8 +920,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "vaultNamespace cannot be a reserved string" - name: Should reject vaultNamespace with reserved name identity @@ -754,54 +941,11 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "vaultNamespace cannot be a reserved string" - # transitMount validation tests - - name: Should reject transitMount starting with forward slash - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: Vault - vault: - kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef - vaultAddress: https://vault.example.com:8200 - authentication: - type: AppRole - appRole: - secret: - name: vault-approle - transitMount: /transit - transitKey: my-key - expectedError: "transitMount cannot start with a forward slash" - - - name: Should reject transitMount ending with forward slash - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: Vault - vault: - kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef - vaultAddress: https://vault.example.com:8200 - authentication: - type: AppRole - appRole: - secret: - name: vault-approle - transitMount: transit/ - transitKey: my-key - expectedError: "transitMount cannot end with a forward slash" - - - name: Should reject transitMount containing spaces + # vaultAuthNamespace validation tests + - name: Should accept vaultAuthNamespace with both namespace fields set initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -813,20 +957,20 @@ tests: vault: kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef vaultAddress: https://vault.example.com:8200 + vaultNamespace: transit-ns + vaultAuthNamespace: auth-ns authentication: type: AppRole appRole: secret: name: vault-approle - transitMount: my transit - transitKey: my-key - expectedError: "transitMount must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes" - - - name: Should reject transitMount containing consecutive forward slashes - initial: | + vaultKeyPath: transit/keys/my-key + expected: | apiVersion: config.openshift.io/v1 kind: APIServer spec: + audit: + profile: Default encryption: type: KMS kms: @@ -834,17 +978,16 @@ tests: vault: kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef vaultAddress: https://vault.example.com:8200 + vaultNamespace: transit-ns + vaultAuthNamespace: auth-ns authentication: type: AppRole appRole: secret: name: vault-approle - transitMount: my//transit - transitKey: my-key - expectedError: "transitMount cannot contain consecutive forward slashes" + vaultKeyPath: transit/keys/my-key - # transitKey validation tests - - name: Should reject transitKey containing spaces + - name: Should reject vaultAuthNamespace ending with forward slash initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -856,16 +999,16 @@ tests: vault: kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef vaultAddress: https://vault.example.com:8200 + vaultAuthNamespace: my-auth-ns/ authentication: type: AppRole appRole: secret: name: vault-approle - transitMount: transit - transitKey: my encryption key - expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores" + vaultKeyPath: transit/keys/my-key + expectedError: "vaultAuthNamespace cannot end with a forward slash" - - name: Should reject transitKey containing forward slashes + - name: Should reject vaultAuthNamespace containing spaces initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -877,16 +1020,16 @@ tests: vault: kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef vaultAddress: https://vault.example.com:8200 + vaultAuthNamespace: my auth ns authentication: type: AppRole appRole: secret: name: vault-approle - transitMount: transit - transitKey: my/key - expectedError: "transitKey cannot contain forward slashes" + vaultKeyPath: transit/keys/my-key + expectedError: "vaultAuthNamespace cannot contain spaces" - - name: Should reject transitMount with special characters + - name: Should reject vaultAuthNamespace with reserved name root initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -898,16 +1041,16 @@ tests: vault: kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef vaultAddress: https://vault.example.com:8200 + vaultAuthNamespace: root authentication: type: AppRole appRole: secret: name: vault-approle - transitMount: transit@test - transitKey: my-key - expectedError: "transitMount must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes" + vaultKeyPath: transit/keys/my-key + expectedError: "vaultAuthNamespace cannot be a reserved string" - - name: Should reject transitKey with special characters + - name: Should reject vaultAuthNamespace with reserved name identity initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -919,14 +1062,14 @@ tests: vault: kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef vaultAddress: https://vault.example.com:8200 + vaultAuthNamespace: identity authentication: type: AppRole appRole: secret: name: vault-approle - transitMount: transit - transitKey: my@key - expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores" + vaultKeyPath: transit/keys/my-key + expectedError: "vaultAuthNamespace cannot be a reserved string" # serverName validation tests - name: Should reject invalid serverName @@ -948,8 +1091,7 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "serverName must be a valid DNS hostname" # authentication secret and caBundle name validation tests @@ -970,8 +1112,7 @@ tests: appRole: secret: name: invalid_secret_name! - transitMount: transit - transitKey: my-key + vaultKeyPath: transit/keys/my-key expectedError: "name must be a valid DNS subdomain name" - name: Should reject invalid caBundle name @@ -994,6 +1135,5 @@ tests: appRole: secret: name: vault-approle - transitMount: transit - transitKey: my-key - expectedError: "name must be a valid DNS subdomain name" + vaultKeyPath: transit/keys/my-key + expectedError: "name must be a valid DNS subdomain name" \ No newline at end of file diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go index 6b58d9da49b..0a48128e79e 100644 --- a/config/v1/types_kmsencryption.go +++ b/config/v1/types_kmsencryption.go @@ -181,6 +181,20 @@ type VaultKMSPluginConfig struct { // +optional VaultNamespace string `json:"vaultNamespace,omitempty"` + // vaultAuthNamespace specifies the Vault namespace to use for authentication. + // This is only applicable for Vault Enterprise installations where authentication + // and Transit operations may be in different namespaces. + // When this field is not set, the value of vaultNamespace is used for both + // authentication and Transit key operations. + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=4096 + // +kubebuilder:validation:XValidation:rule="!self.endsWith('/')",message="vaultAuthNamespace cannot end with a forward slash" + // +kubebuilder:validation:XValidation:rule="!self.contains(' ')",message="vaultAuthNamespace cannot contain spaces" + // +kubebuilder:validation:XValidation:rule="!(self in ['root', 'sys', 'audit', 'auth', 'cubbyhole', 'identity'])",message="vaultAuthNamespace cannot be a reserved string (root, sys, audit, auth, cubbyhole, identity)" + // +optional + VaultAuthNamespace string `json:"vaultAuthNamespace,omitempty"` + // tls contains the TLS configuration for connecting to the Vault server. // When this field is not set, system default TLS settings are used. // +optional @@ -191,7 +205,25 @@ type VaultKMSPluginConfig struct { // +required Authentication VaultAuthentication `json:"authentication,omitzero"` + // vaultKeyPath specifies the full path to the encryption key in Vault's Transit secrets engine, + // combining the Transit engine mount path and the key name separated by "/keys/". + // Format: /keys/ (e.g., transit/keys/my-key, myteam/transit/keys/production-key). + // + // +kubebuilder:validation:MinLength=8 + // +kubebuilder:validation:MaxLength=1542 + // +kubebuilder:validation:XValidation:rule="!self.startsWith('/')",message="vaultKeyPath cannot start with a forward slash" + // +kubebuilder:validation:XValidation:rule="!self.endsWith('/')",message="vaultKeyPath cannot end with a forward slash" + // +kubebuilder:validation:XValidation:rule="!self.contains('//')",message="vaultKeyPath cannot contain consecutive forward slashes" + // +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._~/-]+$')",message="vaultKeyPath must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes" + // +kubebuilder:validation:XValidation:rule="self.split('/').filter(s, s == '.' || s == '..').size() == 0",message="vaultKeyPath must not contain '.' or '..' path segments" + // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-zA-Z0-9._~-]+(/[a-zA-Z0-9._~-]+)*/keys/[a-zA-Z0-9_]([a-zA-Z0-9_.-]*[a-zA-Z0-9_])?$')`,message="vaultKeyPath must follow the format /keys/ where the key name starts and ends with an alphanumeric character or underscore and may contain alphanumeric characters, underscores, hyphens, and periods" + // +required + VaultKeyPath string `json:"vaultKeyPath,omitempty"` + + // --- TOMBSTONE --- // transitMount specifies the mount path of the Vault Transit engine. + // It has been replaced by vaultKeyPath which combines the mount and key into a single path. + // The field name is reserved to prevent reuse. // // The transit mount must be between 1 and 1024 characters, cannot start or // end with a forward slash, cannot contain consecutive forward slashes, and @@ -205,10 +237,13 @@ type VaultKMSPluginConfig struct { // +kubebuilder:validation:XValidation:rule="!self.contains('//')",message="transitMount cannot contain consecutive forward slashes" // +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._~/-]+$')",message="transitMount must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes" // +required - TransitMount string `json:"transitMount,omitempty"` + // TransitMount string `json:"transitMount,omitempty"` + // --- TOMBSTONE --- // transitKey specifies the name of the encryption key in Vault's Transit engine. // This key is used to encrypt and decrypt data. + // It has been replaced by vaultKeyPath which combines the mount and key into a single path. + // The field name is reserved to prevent reuse. // // The transit key must be between 1 and 512 characters, cannot contain forward slashes, // and must only contain alphanumeric characters, hyphens, periods, and underscores. @@ -218,7 +253,7 @@ type VaultKMSPluginConfig struct { // +kubebuilder:validation:XValidation:rule="!self.contains('/')",message="transitKey cannot contain forward slashes" // +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._-]+$')",message="transitKey must only contain alphanumeric characters, hyphens, periods, and underscores" // +required - TransitKey string `json:"transitKey,omitempty"` + // TransitKey string `json:"transitKey,omitempty"` } // VaultTLSConfig contains TLS configuration for connecting to Vault. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index b18ea746404..20715336e38 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -329,45 +329,6 @@ spec: and start and end with an alphanumeric character' rule: '!format.dns1123Subdomain().validate(self).hasValue()' type: object - transitKey: - description: |- - transitKey specifies the name of the encryption key in Vault's Transit engine. - This key is used to encrypt and decrypt data. - - The transit key must be between 1 and 512 characters, cannot contain forward slashes, - and must only contain alphanumeric characters, hyphens, periods, and underscores. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitKey cannot contain forward slashes - rule: '!self.contains(''/'')' - - message: transitKey must only contain alphanumeric characters, - hyphens, periods, and underscores - rule: self.matches('^[a-zA-Z0-9._-]+$') - transitMount: - description: |- - transitMount specifies the mount path of the Vault Transit engine. - - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. - maxLength: 1024 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitMount cannot start with a forward slash - rule: '!self.startsWith(''/'')' - - message: transitMount cannot end with a forward slash - rule: '!self.endsWith(''/'')' - - message: transitMount cannot contain consecutive forward - slashes - rule: '!self.contains(''//'')' - - message: transitMount must only contain RFC 3986 unreserved - characters (alphanumeric, hyphen, period, underscore, - tilde) and forward slashes - rule: self.matches('^[a-zA-Z0-9._~/-]+$') vaultAddress: description: |- vaultAddress specifies the address of the HashiCorp Vault instance. @@ -395,6 +356,55 @@ spec: rule: self.find('#(.+)$') == '' - message: must not have user info rule: self.find('@') == '' + vaultAuthNamespace: + description: |- + vaultAuthNamespace specifies the Vault namespace to use for authentication. + This is only applicable for Vault Enterprise installations where authentication + and Transit operations may be in different namespaces. + When this field is not set, the value of vaultNamespace is used for both + authentication and Transit key operations. + maxLength: 4096 + minLength: 1 + type: string + x-kubernetes-validations: + - message: vaultAuthNamespace cannot end with a forward + slash + rule: '!self.endsWith(''/'')' + - message: vaultAuthNamespace cannot contain spaces + rule: '!self.contains('' '')' + - message: vaultAuthNamespace cannot be a reserved string + (root, sys, audit, auth, cubbyhole, identity) + rule: '!(self in [''root'', ''sys'', ''audit'', ''auth'', + ''cubbyhole'', ''identity''])' + vaultKeyPath: + description: |- + vaultKeyPath specifies the full path to the encryption key in Vault's Transit secrets engine, + combining the Transit engine mount path and the key name separated by "/keys/". + Format: /keys/ (e.g., transit/keys/my-key, myteam/transit/keys/production-key). + maxLength: 1542 + minLength: 8 + type: string + x-kubernetes-validations: + - message: vaultKeyPath cannot start with a forward slash + rule: '!self.startsWith(''/'')' + - message: vaultKeyPath cannot end with a forward slash + rule: '!self.endsWith(''/'')' + - message: vaultKeyPath cannot contain consecutive forward + slashes + rule: '!self.contains(''//'')' + - message: vaultKeyPath must only contain RFC 3986 unreserved + characters (alphanumeric, hyphen, period, underscore, + tilde) and forward slashes + rule: self.matches('^[a-zA-Z0-9._~/-]+$') + - message: vaultKeyPath must not contain '.' or '..' path + segments + rule: self.split('/').filter(s, s == '.' || s == '..').size() + == 0 + - message: vaultKeyPath must follow the format /keys/ + where the key name starts and ends with an alphanumeric + character or underscore and may contain alphanumeric + characters, underscores, hyphens, and periods + rule: self.matches('^[a-zA-Z0-9._~-]+(/[a-zA-Z0-9._~-]+)*/keys/[a-zA-Z0-9_]([a-zA-Z0-9_.-]*[a-zA-Z0-9_])?$') vaultNamespace: description: |- vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. @@ -418,9 +428,8 @@ spec: required: - authentication - kmsPluginImage - - transitKey - - transitMount - vaultAddress + - vaultKeyPath type: object required: - type diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index b8700ff3f16..9134d2fe057 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -329,45 +329,6 @@ spec: and start and end with an alphanumeric character' rule: '!format.dns1123Subdomain().validate(self).hasValue()' type: object - transitKey: - description: |- - transitKey specifies the name of the encryption key in Vault's Transit engine. - This key is used to encrypt and decrypt data. - - The transit key must be between 1 and 512 characters, cannot contain forward slashes, - and must only contain alphanumeric characters, hyphens, periods, and underscores. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitKey cannot contain forward slashes - rule: '!self.contains(''/'')' - - message: transitKey must only contain alphanumeric characters, - hyphens, periods, and underscores - rule: self.matches('^[a-zA-Z0-9._-]+$') - transitMount: - description: |- - transitMount specifies the mount path of the Vault Transit engine. - - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. - maxLength: 1024 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitMount cannot start with a forward slash - rule: '!self.startsWith(''/'')' - - message: transitMount cannot end with a forward slash - rule: '!self.endsWith(''/'')' - - message: transitMount cannot contain consecutive forward - slashes - rule: '!self.contains(''//'')' - - message: transitMount must only contain RFC 3986 unreserved - characters (alphanumeric, hyphen, period, underscore, - tilde) and forward slashes - rule: self.matches('^[a-zA-Z0-9._~/-]+$') vaultAddress: description: |- vaultAddress specifies the address of the HashiCorp Vault instance. @@ -395,6 +356,55 @@ spec: rule: self.find('#(.+)$') == '' - message: must not have user info rule: self.find('@') == '' + vaultAuthNamespace: + description: |- + vaultAuthNamespace specifies the Vault namespace to use for authentication. + This is only applicable for Vault Enterprise installations where authentication + and Transit operations may be in different namespaces. + When this field is not set, the value of vaultNamespace is used for both + authentication and Transit key operations. + maxLength: 4096 + minLength: 1 + type: string + x-kubernetes-validations: + - message: vaultAuthNamespace cannot end with a forward + slash + rule: '!self.endsWith(''/'')' + - message: vaultAuthNamespace cannot contain spaces + rule: '!self.contains('' '')' + - message: vaultAuthNamespace cannot be a reserved string + (root, sys, audit, auth, cubbyhole, identity) + rule: '!(self in [''root'', ''sys'', ''audit'', ''auth'', + ''cubbyhole'', ''identity''])' + vaultKeyPath: + description: |- + vaultKeyPath specifies the full path to the encryption key in Vault's Transit secrets engine, + combining the Transit engine mount path and the key name separated by "/keys/". + Format: /keys/ (e.g., transit/keys/my-key, myteam/transit/keys/production-key). + maxLength: 1542 + minLength: 8 + type: string + x-kubernetes-validations: + - message: vaultKeyPath cannot start with a forward slash + rule: '!self.startsWith(''/'')' + - message: vaultKeyPath cannot end with a forward slash + rule: '!self.endsWith(''/'')' + - message: vaultKeyPath cannot contain consecutive forward + slashes + rule: '!self.contains(''//'')' + - message: vaultKeyPath must only contain RFC 3986 unreserved + characters (alphanumeric, hyphen, period, underscore, + tilde) and forward slashes + rule: self.matches('^[a-zA-Z0-9._~/-]+$') + - message: vaultKeyPath must not contain '.' or '..' path + segments + rule: self.split('/').filter(s, s == '.' || s == '..').size() + == 0 + - message: vaultKeyPath must follow the format /keys/ + where the key name starts and ends with an alphanumeric + character or underscore and may contain alphanumeric + characters, underscores, hyphens, and periods + rule: self.matches('^[a-zA-Z0-9._~-]+(/[a-zA-Z0-9._~-]+)*/keys/[a-zA-Z0-9_]([a-zA-Z0-9_.-]*[a-zA-Z0-9_])?$') vaultNamespace: description: |- vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. @@ -418,9 +428,8 @@ spec: required: - authentication - kmsPluginImage - - transitKey - - transitMount - vaultAddress + - vaultKeyPath type: object required: - type diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 6728a62ef56..f2dd5f44ae4 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -329,45 +329,6 @@ spec: and start and end with an alphanumeric character' rule: '!format.dns1123Subdomain().validate(self).hasValue()' type: object - transitKey: - description: |- - transitKey specifies the name of the encryption key in Vault's Transit engine. - This key is used to encrypt and decrypt data. - - The transit key must be between 1 and 512 characters, cannot contain forward slashes, - and must only contain alphanumeric characters, hyphens, periods, and underscores. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitKey cannot contain forward slashes - rule: '!self.contains(''/'')' - - message: transitKey must only contain alphanumeric characters, - hyphens, periods, and underscores - rule: self.matches('^[a-zA-Z0-9._-]+$') - transitMount: - description: |- - transitMount specifies the mount path of the Vault Transit engine. - - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. - maxLength: 1024 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitMount cannot start with a forward slash - rule: '!self.startsWith(''/'')' - - message: transitMount cannot end with a forward slash - rule: '!self.endsWith(''/'')' - - message: transitMount cannot contain consecutive forward - slashes - rule: '!self.contains(''//'')' - - message: transitMount must only contain RFC 3986 unreserved - characters (alphanumeric, hyphen, period, underscore, - tilde) and forward slashes - rule: self.matches('^[a-zA-Z0-9._~/-]+$') vaultAddress: description: |- vaultAddress specifies the address of the HashiCorp Vault instance. @@ -395,6 +356,55 @@ spec: rule: self.find('#(.+)$') == '' - message: must not have user info rule: self.find('@') == '' + vaultAuthNamespace: + description: |- + vaultAuthNamespace specifies the Vault namespace to use for authentication. + This is only applicable for Vault Enterprise installations where authentication + and Transit operations may be in different namespaces. + When this field is not set, the value of vaultNamespace is used for both + authentication and Transit key operations. + maxLength: 4096 + minLength: 1 + type: string + x-kubernetes-validations: + - message: vaultAuthNamespace cannot end with a forward + slash + rule: '!self.endsWith(''/'')' + - message: vaultAuthNamespace cannot contain spaces + rule: '!self.contains('' '')' + - message: vaultAuthNamespace cannot be a reserved string + (root, sys, audit, auth, cubbyhole, identity) + rule: '!(self in [''root'', ''sys'', ''audit'', ''auth'', + ''cubbyhole'', ''identity''])' + vaultKeyPath: + description: |- + vaultKeyPath specifies the full path to the encryption key in Vault's Transit secrets engine, + combining the Transit engine mount path and the key name separated by "/keys/". + Format: /keys/ (e.g., transit/keys/my-key, myteam/transit/keys/production-key). + maxLength: 1542 + minLength: 8 + type: string + x-kubernetes-validations: + - message: vaultKeyPath cannot start with a forward slash + rule: '!self.startsWith(''/'')' + - message: vaultKeyPath cannot end with a forward slash + rule: '!self.endsWith(''/'')' + - message: vaultKeyPath cannot contain consecutive forward + slashes + rule: '!self.contains(''//'')' + - message: vaultKeyPath must only contain RFC 3986 unreserved + characters (alphanumeric, hyphen, period, underscore, + tilde) and forward slashes + rule: self.matches('^[a-zA-Z0-9._~/-]+$') + - message: vaultKeyPath must not contain '.' or '..' path + segments + rule: self.split('/').filter(s, s == '.' || s == '..').size() + == 0 + - message: vaultKeyPath must follow the format /keys/ + where the key name starts and ends with an alphanumeric + character or underscore and may contain alphanumeric + characters, underscores, hyphens, and periods + rule: self.matches('^[a-zA-Z0-9._~-]+(/[a-zA-Z0-9._~-]+)*/keys/[a-zA-Z0-9_]([a-zA-Z0-9_.-]*[a-zA-Z0-9_])?$') vaultNamespace: description: |- vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. @@ -418,9 +428,8 @@ spec: required: - authentication - kmsPluginImage - - transitKey - - transitMount - vaultAddress + - vaultKeyPath type: object required: - type diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml index 4bbdc315e3e..502b24faa15 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml @@ -329,45 +329,6 @@ spec: and start and end with an alphanumeric character' rule: '!format.dns1123Subdomain().validate(self).hasValue()' type: object - transitKey: - description: |- - transitKey specifies the name of the encryption key in Vault's Transit engine. - This key is used to encrypt and decrypt data. - - The transit key must be between 1 and 512 characters, cannot contain forward slashes, - and must only contain alphanumeric characters, hyphens, periods, and underscores. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitKey cannot contain forward slashes - rule: '!self.contains(''/'')' - - message: transitKey must only contain alphanumeric characters, - hyphens, periods, and underscores - rule: self.matches('^[a-zA-Z0-9._-]+$') - transitMount: - description: |- - transitMount specifies the mount path of the Vault Transit engine. - - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. - maxLength: 1024 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitMount cannot start with a forward slash - rule: '!self.startsWith(''/'')' - - message: transitMount cannot end with a forward slash - rule: '!self.endsWith(''/'')' - - message: transitMount cannot contain consecutive forward - slashes - rule: '!self.contains(''//'')' - - message: transitMount must only contain RFC 3986 unreserved - characters (alphanumeric, hyphen, period, underscore, - tilde) and forward slashes - rule: self.matches('^[a-zA-Z0-9._~/-]+$') vaultAddress: description: |- vaultAddress specifies the address of the HashiCorp Vault instance. @@ -395,6 +356,55 @@ spec: rule: self.find('#(.+)$') == '' - message: must not have user info rule: self.find('@') == '' + vaultAuthNamespace: + description: |- + vaultAuthNamespace specifies the Vault namespace to use for authentication. + This is only applicable for Vault Enterprise installations where authentication + and Transit operations may be in different namespaces. + When this field is not set, the value of vaultNamespace is used for both + authentication and Transit key operations. + maxLength: 4096 + minLength: 1 + type: string + x-kubernetes-validations: + - message: vaultAuthNamespace cannot end with a forward + slash + rule: '!self.endsWith(''/'')' + - message: vaultAuthNamespace cannot contain spaces + rule: '!self.contains('' '')' + - message: vaultAuthNamespace cannot be a reserved string + (root, sys, audit, auth, cubbyhole, identity) + rule: '!(self in [''root'', ''sys'', ''audit'', ''auth'', + ''cubbyhole'', ''identity''])' + vaultKeyPath: + description: |- + vaultKeyPath specifies the full path to the encryption key in Vault's Transit secrets engine, + combining the Transit engine mount path and the key name separated by "/keys/". + Format: /keys/ (e.g., transit/keys/my-key, myteam/transit/keys/production-key). + maxLength: 1542 + minLength: 8 + type: string + x-kubernetes-validations: + - message: vaultKeyPath cannot start with a forward slash + rule: '!self.startsWith(''/'')' + - message: vaultKeyPath cannot end with a forward slash + rule: '!self.endsWith(''/'')' + - message: vaultKeyPath cannot contain consecutive forward + slashes + rule: '!self.contains(''//'')' + - message: vaultKeyPath must only contain RFC 3986 unreserved + characters (alphanumeric, hyphen, period, underscore, + tilde) and forward slashes + rule: self.matches('^[a-zA-Z0-9._~/-]+$') + - message: vaultKeyPath must not contain '.' or '..' path + segments + rule: self.split('/').filter(s, s == '.' || s == '..').size() + == 0 + - message: vaultKeyPath must follow the format /keys/ + where the key name starts and ends with an alphanumeric + character or underscore and may contain alphanumeric + characters, underscores, hyphens, and periods + rule: self.matches('^[a-zA-Z0-9._~-]+(/[a-zA-Z0-9._~-]+)*/keys/[a-zA-Z0-9_]([a-zA-Z0-9_.-]*[a-zA-Z0-9_])?$') vaultNamespace: description: |- vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. @@ -418,9 +428,8 @@ spec: required: - authentication - kmsPluginImage - - transitKey - - transitMount - vaultAddress + - vaultKeyPath type: object required: - type diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 631f11a1b29..699a0c6e58a 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -2501,14 +2501,14 @@ func (VaultConfigMapReference) SwaggerDoc() map[string]string { } var map_VaultKMSPluginConfig = map[string]string{ - "": "VaultKMSPluginConfig defines the KMS plugin configuration specific to Vault KMS", - "kmsPluginImage": "kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin.\n\nThe image must be a fully qualified OCI image pull spec with a SHA256 digest. The format is: host[:port][/namespace]/name@sha256: where the digest must be 64 characters long and consist only of lowercase hexadecimal characters, a-f and 0-9. The total length must be between 75 and 447 characters.\n\nShort names (e.g., \"vault-plugin\" or \"hashicorp/vault-plugin\") are not allowed. The registry hostname must be included and must contain at least one dot. Image tags (e.g., \":latest\", \":v1.0.0\") are not allowed.\n\nConsult the OpenShift documentation for compatible plugin versions with your cluster version, then obtain the image digest for that version from HashiCorp's container registry.\n\nFor disconnected environments, mirror the plugin image to an accessible registry and reference the mirrored location with its digest.", - "vaultAddress": "vaultAddress specifies the address of the HashiCorp Vault instance. The value must be a valid HTTPS URL containing only scheme, host, and optional port. Paths, user info, query parameters, and fragments are not allowed.\n\nFormat: https://hostname[:port] Example: https://vault.example.com:8200\n\nThe value must be between 1 and 512 characters.", - "vaultNamespace": "vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. This is only applicable for Vault Enterprise installations. When this field is not set, no namespace is used.\n\nThe value must be between 1 and 4096 characters. The namespace cannot end with a forward slash, cannot contain spaces, and cannot be one of the reserved strings: root, sys, audit, auth, cubbyhole, or identity.", - "tls": "tls contains the TLS configuration for connecting to the Vault server. When this field is not set, system default TLS settings are used.", - "authentication": "authentication defines the authentication method used to authenticate with Vault.", - "transitMount": "transitMount specifies the mount path of the Vault Transit engine.\n\nThe transit mount must be between 1 and 1024 characters, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", - "transitKey": "transitKey specifies the name of the encryption key in Vault's Transit engine. This key is used to encrypt and decrypt data.\n\nThe transit key must be between 1 and 512 characters, cannot contain forward slashes, and must only contain alphanumeric characters, hyphens, periods, and underscores.", + "": "VaultKMSPluginConfig defines the KMS plugin configuration specific to Vault KMS", + "kmsPluginImage": "kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin.\n\nThe image must be a fully qualified OCI image pull spec with a SHA256 digest. The format is: host[:port][/namespace]/name@sha256: where the digest must be 64 characters long and consist only of lowercase hexadecimal characters, a-f and 0-9. The total length must be between 75 and 447 characters.\n\nShort names (e.g., \"vault-plugin\" or \"hashicorp/vault-plugin\") are not allowed. The registry hostname must be included and must contain at least one dot. Image tags (e.g., \":latest\", \":v1.0.0\") are not allowed.\n\nConsult the OpenShift documentation for compatible plugin versions with your cluster version, then obtain the image digest for that version from HashiCorp's container registry.\n\nFor disconnected environments, mirror the plugin image to an accessible registry and reference the mirrored location with its digest.", + "vaultAddress": "vaultAddress specifies the address of the HashiCorp Vault instance. The value must be a valid HTTPS URL containing only scheme, host, and optional port. Paths, user info, query parameters, and fragments are not allowed.\n\nFormat: https://hostname[:port] Example: https://vault.example.com:8200\n\nThe value must be between 1 and 512 characters.", + "vaultNamespace": "vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. This is only applicable for Vault Enterprise installations. When this field is not set, no namespace is used.\n\nThe value must be between 1 and 4096 characters. The namespace cannot end with a forward slash, cannot contain spaces, and cannot be one of the reserved strings: root, sys, audit, auth, cubbyhole, or identity.", + "vaultAuthNamespace": "vaultAuthNamespace specifies the Vault namespace to use for authentication. This is only applicable for Vault Enterprise installations where authentication and Transit operations may be in different namespaces. When this field is not set, the value of vaultNamespace is used for both authentication and Transit key operations.", + "tls": "tls contains the TLS configuration for connecting to the Vault server. When this field is not set, system default TLS settings are used.", + "authentication": "authentication defines the authentication method used to authenticate with Vault.", + "vaultKeyPath": "vaultKeyPath specifies the full path to the encryption key in Vault's Transit secrets engine, combining the Transit engine mount path and the key name separated by \"/keys/\". Format: /keys/ (e.g., transit/keys/my-key, myteam/transit/keys/production-key).", } func (VaultKMSPluginConfig) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 9f78f6c321f..7916d0ef3ac 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -23192,6 +23192,13 @@ func schema_openshift_api_config_v1_VaultKMSPluginConfig(ref common.ReferenceCal Format: "", }, }, + "vaultAuthNamespace": { + SchemaProps: spec.SchemaProps{ + Description: "vaultAuthNamespace specifies the Vault namespace to use for authentication. This is only applicable for Vault Enterprise installations where authentication and Transit operations may be in different namespaces. When this field is not set, the value of vaultNamespace is used for both authentication and Transit key operations.", + Type: []string{"string"}, + Format: "", + }, + }, "tls": { SchemaProps: spec.SchemaProps{ Description: "tls contains the TLS configuration for connecting to the Vault server. When this field is not set, system default TLS settings are used.", @@ -23206,22 +23213,15 @@ func schema_openshift_api_config_v1_VaultKMSPluginConfig(ref common.ReferenceCal Ref: ref(configv1.VaultAuthentication{}.OpenAPIModelName()), }, }, - "transitMount": { - SchemaProps: spec.SchemaProps{ - Description: "transitMount specifies the mount path of the Vault Transit engine.\n\nThe transit mount must be between 1 and 1024 characters, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", - Type: []string{"string"}, - Format: "", - }, - }, - "transitKey": { + "vaultKeyPath": { SchemaProps: spec.SchemaProps{ - Description: "transitKey specifies the name of the encryption key in Vault's Transit engine. This key is used to encrypt and decrypt data.\n\nThe transit key must be between 1 and 512 characters, cannot contain forward slashes, and must only contain alphanumeric characters, hyphens, periods, and underscores.", + Description: "vaultKeyPath specifies the full path to the encryption key in Vault's Transit secrets engine, combining the Transit engine mount path and the key name separated by \"/keys/\". Format: /keys/ (e.g., transit/keys/my-key, myteam/transit/keys/production-key).", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"kmsPluginImage", "vaultAddress", "authentication", "transitMount", "transitKey"}, + Required: []string{"kmsPluginImage", "vaultAddress", "authentication", "vaultKeyPath"}, }, }, Dependencies: []string{ diff --git a/openapi/openapi.json b/openapi/openapi.json index d94f372b2ee..f1d1864bb71 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -12585,8 +12585,7 @@ "kmsPluginImage", "vaultAddress", "authentication", - "transitMount", - "transitKey" + "vaultKeyPath" ], "properties": { "authentication": { @@ -12603,16 +12602,16 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.VaultTLSConfig" }, - "transitKey": { - "description": "transitKey specifies the name of the encryption key in Vault's Transit engine. This key is used to encrypt and decrypt data.\n\nThe transit key must be between 1 and 512 characters, cannot contain forward slashes, and must only contain alphanumeric characters, hyphens, periods, and underscores.", + "vaultAddress": { + "description": "vaultAddress specifies the address of the HashiCorp Vault instance. The value must be a valid HTTPS URL containing only scheme, host, and optional port. Paths, user info, query parameters, and fragments are not allowed.\n\nFormat: https://hostname[:port] Example: https://vault.example.com:8200\n\nThe value must be between 1 and 512 characters.", "type": "string" }, - "transitMount": { - "description": "transitMount specifies the mount path of the Vault Transit engine.\n\nThe transit mount must be between 1 and 1024 characters, cannot start or end with a forward slash, cannot contain consecutive forward slashes, and must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes as path separators.", + "vaultAuthNamespace": { + "description": "vaultAuthNamespace specifies the Vault namespace to use for authentication. This is only applicable for Vault Enterprise installations where authentication and Transit operations may be in different namespaces. When this field is not set, the value of vaultNamespace is used for both authentication and Transit key operations.", "type": "string" }, - "vaultAddress": { - "description": "vaultAddress specifies the address of the HashiCorp Vault instance. The value must be a valid HTTPS URL containing only scheme, host, and optional port. Paths, user info, query parameters, and fragments are not allowed.\n\nFormat: https://hostname[:port] Example: https://vault.example.com:8200\n\nThe value must be between 1 and 512 characters.", + "vaultKeyPath": { + "description": "vaultKeyPath specifies the full path to the encryption key in Vault's Transit secrets engine, combining the Transit engine mount path and the key name separated by \"/keys/\". Format: /keys/ (e.g., transit/keys/my-key, myteam/transit/keys/production-key).", "type": "string" }, "vaultNamespace": { diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index b18ea746404..20715336e38 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -329,45 +329,6 @@ spec: and start and end with an alphanumeric character' rule: '!format.dns1123Subdomain().validate(self).hasValue()' type: object - transitKey: - description: |- - transitKey specifies the name of the encryption key in Vault's Transit engine. - This key is used to encrypt and decrypt data. - - The transit key must be between 1 and 512 characters, cannot contain forward slashes, - and must only contain alphanumeric characters, hyphens, periods, and underscores. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitKey cannot contain forward slashes - rule: '!self.contains(''/'')' - - message: transitKey must only contain alphanumeric characters, - hyphens, periods, and underscores - rule: self.matches('^[a-zA-Z0-9._-]+$') - transitMount: - description: |- - transitMount specifies the mount path of the Vault Transit engine. - - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. - maxLength: 1024 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitMount cannot start with a forward slash - rule: '!self.startsWith(''/'')' - - message: transitMount cannot end with a forward slash - rule: '!self.endsWith(''/'')' - - message: transitMount cannot contain consecutive forward - slashes - rule: '!self.contains(''//'')' - - message: transitMount must only contain RFC 3986 unreserved - characters (alphanumeric, hyphen, period, underscore, - tilde) and forward slashes - rule: self.matches('^[a-zA-Z0-9._~/-]+$') vaultAddress: description: |- vaultAddress specifies the address of the HashiCorp Vault instance. @@ -395,6 +356,55 @@ spec: rule: self.find('#(.+)$') == '' - message: must not have user info rule: self.find('@') == '' + vaultAuthNamespace: + description: |- + vaultAuthNamespace specifies the Vault namespace to use for authentication. + This is only applicable for Vault Enterprise installations where authentication + and Transit operations may be in different namespaces. + When this field is not set, the value of vaultNamespace is used for both + authentication and Transit key operations. + maxLength: 4096 + minLength: 1 + type: string + x-kubernetes-validations: + - message: vaultAuthNamespace cannot end with a forward + slash + rule: '!self.endsWith(''/'')' + - message: vaultAuthNamespace cannot contain spaces + rule: '!self.contains('' '')' + - message: vaultAuthNamespace cannot be a reserved string + (root, sys, audit, auth, cubbyhole, identity) + rule: '!(self in [''root'', ''sys'', ''audit'', ''auth'', + ''cubbyhole'', ''identity''])' + vaultKeyPath: + description: |- + vaultKeyPath specifies the full path to the encryption key in Vault's Transit secrets engine, + combining the Transit engine mount path and the key name separated by "/keys/". + Format: /keys/ (e.g., transit/keys/my-key, myteam/transit/keys/production-key). + maxLength: 1542 + minLength: 8 + type: string + x-kubernetes-validations: + - message: vaultKeyPath cannot start with a forward slash + rule: '!self.startsWith(''/'')' + - message: vaultKeyPath cannot end with a forward slash + rule: '!self.endsWith(''/'')' + - message: vaultKeyPath cannot contain consecutive forward + slashes + rule: '!self.contains(''//'')' + - message: vaultKeyPath must only contain RFC 3986 unreserved + characters (alphanumeric, hyphen, period, underscore, + tilde) and forward slashes + rule: self.matches('^[a-zA-Z0-9._~/-]+$') + - message: vaultKeyPath must not contain '.' or '..' path + segments + rule: self.split('/').filter(s, s == '.' || s == '..').size() + == 0 + - message: vaultKeyPath must follow the format /keys/ + where the key name starts and ends with an alphanumeric + character or underscore and may contain alphanumeric + characters, underscores, hyphens, and periods + rule: self.matches('^[a-zA-Z0-9._~-]+(/[a-zA-Z0-9._~-]+)*/keys/[a-zA-Z0-9_]([a-zA-Z0-9_.-]*[a-zA-Z0-9_])?$') vaultNamespace: description: |- vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. @@ -418,9 +428,8 @@ spec: required: - authentication - kmsPluginImage - - transitKey - - transitMount - vaultAddress + - vaultKeyPath type: object required: - type diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index b8700ff3f16..9134d2fe057 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -329,45 +329,6 @@ spec: and start and end with an alphanumeric character' rule: '!format.dns1123Subdomain().validate(self).hasValue()' type: object - transitKey: - description: |- - transitKey specifies the name of the encryption key in Vault's Transit engine. - This key is used to encrypt and decrypt data. - - The transit key must be between 1 and 512 characters, cannot contain forward slashes, - and must only contain alphanumeric characters, hyphens, periods, and underscores. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitKey cannot contain forward slashes - rule: '!self.contains(''/'')' - - message: transitKey must only contain alphanumeric characters, - hyphens, periods, and underscores - rule: self.matches('^[a-zA-Z0-9._-]+$') - transitMount: - description: |- - transitMount specifies the mount path of the Vault Transit engine. - - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. - maxLength: 1024 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitMount cannot start with a forward slash - rule: '!self.startsWith(''/'')' - - message: transitMount cannot end with a forward slash - rule: '!self.endsWith(''/'')' - - message: transitMount cannot contain consecutive forward - slashes - rule: '!self.contains(''//'')' - - message: transitMount must only contain RFC 3986 unreserved - characters (alphanumeric, hyphen, period, underscore, - tilde) and forward slashes - rule: self.matches('^[a-zA-Z0-9._~/-]+$') vaultAddress: description: |- vaultAddress specifies the address of the HashiCorp Vault instance. @@ -395,6 +356,55 @@ spec: rule: self.find('#(.+)$') == '' - message: must not have user info rule: self.find('@') == '' + vaultAuthNamespace: + description: |- + vaultAuthNamespace specifies the Vault namespace to use for authentication. + This is only applicable for Vault Enterprise installations where authentication + and Transit operations may be in different namespaces. + When this field is not set, the value of vaultNamespace is used for both + authentication and Transit key operations. + maxLength: 4096 + minLength: 1 + type: string + x-kubernetes-validations: + - message: vaultAuthNamespace cannot end with a forward + slash + rule: '!self.endsWith(''/'')' + - message: vaultAuthNamespace cannot contain spaces + rule: '!self.contains('' '')' + - message: vaultAuthNamespace cannot be a reserved string + (root, sys, audit, auth, cubbyhole, identity) + rule: '!(self in [''root'', ''sys'', ''audit'', ''auth'', + ''cubbyhole'', ''identity''])' + vaultKeyPath: + description: |- + vaultKeyPath specifies the full path to the encryption key in Vault's Transit secrets engine, + combining the Transit engine mount path and the key name separated by "/keys/". + Format: /keys/ (e.g., transit/keys/my-key, myteam/transit/keys/production-key). + maxLength: 1542 + minLength: 8 + type: string + x-kubernetes-validations: + - message: vaultKeyPath cannot start with a forward slash + rule: '!self.startsWith(''/'')' + - message: vaultKeyPath cannot end with a forward slash + rule: '!self.endsWith(''/'')' + - message: vaultKeyPath cannot contain consecutive forward + slashes + rule: '!self.contains(''//'')' + - message: vaultKeyPath must only contain RFC 3986 unreserved + characters (alphanumeric, hyphen, period, underscore, + tilde) and forward slashes + rule: self.matches('^[a-zA-Z0-9._~/-]+$') + - message: vaultKeyPath must not contain '.' or '..' path + segments + rule: self.split('/').filter(s, s == '.' || s == '..').size() + == 0 + - message: vaultKeyPath must follow the format /keys/ + where the key name starts and ends with an alphanumeric + character or underscore and may contain alphanumeric + characters, underscores, hyphens, and periods + rule: self.matches('^[a-zA-Z0-9._~-]+(/[a-zA-Z0-9._~-]+)*/keys/[a-zA-Z0-9_]([a-zA-Z0-9_.-]*[a-zA-Z0-9_])?$') vaultNamespace: description: |- vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. @@ -418,9 +428,8 @@ spec: required: - authentication - kmsPluginImage - - transitKey - - transitMount - vaultAddress + - vaultKeyPath type: object required: - type diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 6728a62ef56..f2dd5f44ae4 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -329,45 +329,6 @@ spec: and start and end with an alphanumeric character' rule: '!format.dns1123Subdomain().validate(self).hasValue()' type: object - transitKey: - description: |- - transitKey specifies the name of the encryption key in Vault's Transit engine. - This key is used to encrypt and decrypt data. - - The transit key must be between 1 and 512 characters, cannot contain forward slashes, - and must only contain alphanumeric characters, hyphens, periods, and underscores. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitKey cannot contain forward slashes - rule: '!self.contains(''/'')' - - message: transitKey must only contain alphanumeric characters, - hyphens, periods, and underscores - rule: self.matches('^[a-zA-Z0-9._-]+$') - transitMount: - description: |- - transitMount specifies the mount path of the Vault Transit engine. - - The transit mount must be between 1 and 1024 characters, cannot start or - end with a forward slash, cannot contain consecutive forward slashes, and - must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, - period, underscore, tilde) and forward slashes as path separators. - maxLength: 1024 - minLength: 1 - type: string - x-kubernetes-validations: - - message: transitMount cannot start with a forward slash - rule: '!self.startsWith(''/'')' - - message: transitMount cannot end with a forward slash - rule: '!self.endsWith(''/'')' - - message: transitMount cannot contain consecutive forward - slashes - rule: '!self.contains(''//'')' - - message: transitMount must only contain RFC 3986 unreserved - characters (alphanumeric, hyphen, period, underscore, - tilde) and forward slashes - rule: self.matches('^[a-zA-Z0-9._~/-]+$') vaultAddress: description: |- vaultAddress specifies the address of the HashiCorp Vault instance. @@ -395,6 +356,55 @@ spec: rule: self.find('#(.+)$') == '' - message: must not have user info rule: self.find('@') == '' + vaultAuthNamespace: + description: |- + vaultAuthNamespace specifies the Vault namespace to use for authentication. + This is only applicable for Vault Enterprise installations where authentication + and Transit operations may be in different namespaces. + When this field is not set, the value of vaultNamespace is used for both + authentication and Transit key operations. + maxLength: 4096 + minLength: 1 + type: string + x-kubernetes-validations: + - message: vaultAuthNamespace cannot end with a forward + slash + rule: '!self.endsWith(''/'')' + - message: vaultAuthNamespace cannot contain spaces + rule: '!self.contains('' '')' + - message: vaultAuthNamespace cannot be a reserved string + (root, sys, audit, auth, cubbyhole, identity) + rule: '!(self in [''root'', ''sys'', ''audit'', ''auth'', + ''cubbyhole'', ''identity''])' + vaultKeyPath: + description: |- + vaultKeyPath specifies the full path to the encryption key in Vault's Transit secrets engine, + combining the Transit engine mount path and the key name separated by "/keys/". + Format: /keys/ (e.g., transit/keys/my-key, myteam/transit/keys/production-key). + maxLength: 1542 + minLength: 8 + type: string + x-kubernetes-validations: + - message: vaultKeyPath cannot start with a forward slash + rule: '!self.startsWith(''/'')' + - message: vaultKeyPath cannot end with a forward slash + rule: '!self.endsWith(''/'')' + - message: vaultKeyPath cannot contain consecutive forward + slashes + rule: '!self.contains(''//'')' + - message: vaultKeyPath must only contain RFC 3986 unreserved + characters (alphanumeric, hyphen, period, underscore, + tilde) and forward slashes + rule: self.matches('^[a-zA-Z0-9._~/-]+$') + - message: vaultKeyPath must not contain '.' or '..' path + segments + rule: self.split('/').filter(s, s == '.' || s == '..').size() + == 0 + - message: vaultKeyPath must follow the format /keys/ + where the key name starts and ends with an alphanumeric + character or underscore and may contain alphanumeric + characters, underscores, hyphens, and periods + rule: self.matches('^[a-zA-Z0-9._~-]+(/[a-zA-Z0-9._~-]+)*/keys/[a-zA-Z0-9_]([a-zA-Z0-9_.-]*[a-zA-Z0-9_])?$') vaultNamespace: description: |- vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. @@ -418,9 +428,8 @@ spec: required: - authentication - kmsPluginImage - - transitKey - - transitMount - vaultAddress + - vaultKeyPath type: object required: - type