vault/website/content/docs/platform/k8s/vso/api-reference.mdx
2024-05-27 19:52:55 -04:00


---
layout: docs
page_title: Vault Secrets Operator API Reference
description: >-
The Vault Secrets Operator allows Pods to consume Vault secrets natively from Kubernetes Secrets.
---
<!--
copied from docs/api/api-reference.md in the vault-secrets-operator repo.
commit SHA=c30a82b68399a94b053f98b134f310305936dc27
-->
# API Reference
## Packages
- [secrets.hashicorp.com/v1beta1](#secretshashicorpcomv1beta1)
## secrets.hashicorp.com/v1beta1
Package v1beta1 contains API Schema definitions for the secrets v1beta1 API group
### Resource Types
- [HCPAuth](#hcpauth)
- [HCPAuthList](#hcpauthlist)
- [HCPVaultSecretsApp](#hcpvaultsecretsapp)
- [HCPVaultSecretsAppList](#hcpvaultsecretsapplist)
- [SecretTransformation](#secrettransformation)
- [SecretTransformationList](#secrettransformationlist)
- [VaultAuth](#vaultauth)
- [VaultAuthList](#vaultauthlist)
- [VaultConnection](#vaultconnection)
- [VaultConnectionList](#vaultconnectionlist)
- [VaultDynamicSecret](#vaultdynamicsecret)
- [VaultDynamicSecretList](#vaultdynamicsecretlist)
- [VaultPKISecret](#vaultpkisecret)
- [VaultPKISecretList](#vaultpkisecretlist)
- [VaultStaticSecret](#vaultstaticsecret)
- [VaultStaticSecretList](#vaultstaticsecretlist)
#### Destination
Destination provides the configuration that will be applied to the
destination Kubernetes Secret during a Vault Secret -> K8s Secret sync.
_Appears in:_
- [HCPVaultSecretsAppSpec](#hcpvaultsecretsappspec)
- [VaultDynamicSecretSpec](#vaultdynamicsecretspec)
- [VaultPKISecretSpec](#vaultpkisecretspec)
- [VaultStaticSecretSpec](#vaultstaticsecretspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `name` _string_ | Name of the Secret | | |
| `create` _boolean_ | Create the destination Secret.<br />If the Secret already exists this should be set to false. | false | |
| `overwrite` _boolean_ | Overwrite the destination Secret if it exists and Create is true. This is<br />useful when migrating to VSO from a previous secret deployment strategy. | false | |
| `labels` _object (keys:string, values:string)_ | Labels to apply to the Secret. Requires Create to be set to true. | | |
| `annotations` _object (keys:string, values:string)_ | Annotations to apply to the Secret. Requires Create to be set to true. | | |
| `type` _[SecretType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secrettype-v1-core)_ | Type of Kubernetes Secret. Requires Create to be set to true.<br />Defaults to Opaque. | | |
| `transformation` _[Transformation](#transformation)_ | Transformation provides configuration for transforming the secret data before<br />it is stored in the Destination. | | |
#### HCPAuth
HCPAuth is the Schema for the hcpauths API
_Appears in:_
- [HCPAuthList](#hcpauthlist)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `HCPAuth` | | |
| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _[HCPAuthSpec](#hcpauthspec)_ | | | |
#### HCPAuthList
HCPAuthList contains a list of HCPAuth
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `HCPAuthList` | | |
| `metadata` _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _[HCPAuth](#hcpauth) array_ | | | |
#### HCPAuthServicePrincipal
HCPAuthServicePrincipal provides HCPAuth configuration options needed for
authenticating to HCP using a service principal configured in SecretRef.
_Appears in:_
- [HCPAuthSpec](#hcpauthspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `secretRef` _string_ | SecretRef is the name of a Kubernetes secret in the consumer's<br />(VDS/VSS/PKI/HCP) namespace which provides the HCP ServicePrincipal clientID,<br />and clientSecret.<br />The secret data must have the following structure {<br /> "clientID": "clientID",<br /> "clientSecret": "clientSecret",<br />} | | |
#### HCPAuthSpec
HCPAuthSpec defines the desired state of HCPAuth
_Appears in:_
- [HCPAuth](#hcpauth)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `organizationID` _string_ | OrganizationID of the HCP organization. | | |
| `projectID` _string_ | ProjectID of the HCP project. | | |
| `allowedNamespaces` _string array_ | AllowedNamespaces lists the Kubernetes Namespaces which are allow-listed for use with this AuthMethod.<br />This field allows administrators to customize which Kubernetes namespaces are authorized to<br />use this AuthMethod. While Vault will still enforce its own rules, this has the added<br />configurability of restricting which HCPAuthMethods can be used by which namespaces.<br />Accepted values:<br />[]{"*"} - wildcard, all namespaces.<br />[]{"a", "b"} - list of namespaces.<br />unset - disallow all namespaces except the Operator's and the HCPAuthMethod's namespace; this<br />is the default behavior. | | |
| `method` _string_ | Method to use when authenticating to HCP. | servicePrincipal | Enum: [servicePrincipal] <br /> |
| `servicePrincipal` _[HCPAuthServicePrincipal](#hcpauthserviceprincipal)_ | ServicePrincipal provides the necessary configuration for authenticating to<br />HCP using a service principal. For security reasons, only project-level<br />service principals should ever be used. | | |
#### HCPVaultSecretsApp
HCPVaultSecretsApp is the Schema for the hcpvaultsecretsapps API
_Appears in:_
- [HCPVaultSecretsAppList](#hcpvaultsecretsapplist)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `HCPVaultSecretsApp` | | |
| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _[HCPVaultSecretsAppSpec](#hcpvaultsecretsappspec)_ | | | |
#### HCPVaultSecretsAppList
HCPVaultSecretsAppList contains a list of HCPVaultSecretsApp
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `HCPVaultSecretsAppList` | | |
| `metadata` _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _[HCPVaultSecretsApp](#hcpvaultsecretsapp) array_ | | | |
#### HCPVaultSecretsAppSpec
HCPVaultSecretsAppSpec defines the desired state of HCPVaultSecretsApp
_Appears in:_
- [HCPVaultSecretsApp](#hcpvaultsecretsapp)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `appName` _string_ | AppName of the Vault Secrets Application that is to be synced. | | |
| `hcpAuthRef` _string_ | HCPAuthRef to the HCPAuth resource, can be prefixed with a namespace, e.g.<br />`namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default<br />to the namespace of the HCPAuth CR. If no value is specified for HCPAuthRef the<br />Operator will default to the `default` HCPAuth, configured in the operator's<br />namespace. | | |
| `refreshAfter` _string_ | RefreshAfter is the period after which the secret is re-synced, in duration notation, e.g. 30s, 1m, 24h. | 600s | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h))$` <br />Type: string <br /> |
| `rolloutRestartTargets` _[RolloutRestartTarget](#rolloutrestarttarget) array_ | RolloutRestartTargets should be configured whenever the application(s)<br />consuming the HCP Vault Secrets App do not support dynamically reloading a<br />rotated secret. In that case, one or more RolloutRestartTargets can be<br />configured here. The Operator will trigger a "rollout-restart" for each target<br />whenever the Vault secret changes between reconciliation events. See<br />RolloutRestartTarget for more details. | | |
| `destination` _[Destination](#destination)_ | Destination provides configuration necessary for syncing the HCP Vault<br />Application secrets to Kubernetes. | | |
#### RolloutRestartTarget
RolloutRestartTarget provides the configuration required to perform a
rollout-restart of the supported resources upon Vault Secret rotation.
The rollout-restart is triggered by patching the target resource's
`spec.template.metadata.annotations` to include `vso.secrets.hashicorp.com/restartedAt`
with a timestamp value of when the trigger was executed.
E.g. `vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"`
Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout
_Appears in:_
- [HCPVaultSecretsAppSpec](#hcpvaultsecretsappspec)
- [VaultDynamicSecretSpec](#vaultdynamicsecretspec)
- [VaultPKISecretSpec](#vaultpkisecretspec)
- [VaultStaticSecretSpec](#vaultstaticsecretspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `kind` _string_ | Kind of the resource | | Enum: [Deployment DaemonSet StatefulSet argo.Rollout] <br /> |
| `name` _string_ | Name of the resource | | |
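The restart trigger described above, as an added Go example rather than the operator's own code: it detects that the synced data changed between two reconciliations and builds the patch that stamps `vso.secrets.hashicorp.com/restartedAt` into the pod template of a supported kind. The `RolloutRestartTarget` Go struct, the digest-based change detection and the sample data are assumptions made here.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// RestartedAtAnnotation is the pod-template annotation VSO patches in.
const RestartedAtAnnotation = "vso.secrets.hashicorp.com/restartedAt"

// supportedKinds mirrors the Kind enum of RolloutRestartTarget.
var supportedKinds = map[string]bool{
	"Deployment": true, "DaemonSet": true, "StatefulSet": true, "argo.Rollout": true,
}

// RolloutRestartTarget carries the two fields from the table above (assumed Go shape).
type RolloutRestartTarget struct {
	Kind string `json:"kind"`
	Name string `json:"name"`
}

// DataDigest hashes secret data deterministically (sorted keys, length-prefixed
// entries) so that a change in any key or value changes the digest. This is an
// assumed way to notice "the Vault secret changed between reconciliation events".
func DataDigest(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	var n [8]byte
	for _, k := range keys {
		binary.BigEndian.PutUint64(n[:], uint64(len(k)))
		h.Write(n[:])
		h.Write([]byte(k))
		binary.BigEndian.PutUint64(n[:], uint64(len(data[k])))
		h.Write(n[:])
		h.Write(data[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// SecretChanged reports whether the synced data differs between two reconciliations.
func SecretChanged(prev, cur map[string][]byte) bool {
	return DataDigest(prev) != DataDigest(cur)
}

// RestartPatch builds the merge-patch body that sets
// spec.template.metadata.annotations[RestartedAtAnnotation] to now; changing the
// pod template is what makes the workload roll.
func RestartPatch(t RolloutRestartTarget, now time.Time) ([]byte, error) {
	if !supportedKinds[t.Kind] {
		return nil, fmt.Errorf("unsupported kind %q for target %q", t.Kind, t.Name)
	}
	if t.Name == "" {
		return nil, fmt.Errorf("target of kind %s has no name", t.Kind)
	}
	patch := map[string]interface{}{
		"spec": map[string]interface{}{
			"template": map[string]interface{}{
				"metadata": map[string]interface{}{
					"annotations": map[string]string{
						RestartedAtAnnotation: now.UTC().Format(time.RFC3339),
					},
				},
			},
		},
	}
	return json.Marshal(patch)
}

func main() {
	// Constructed data for two reconciliations of the same secret (placeholder values).
	prev := map[string][]byte{"password": []byte("old-example")}
	cur := map[string][]byte{"password": []byte("new-example")}
	if !SecretChanged(prev, cur) {
		fmt.Println("no change, nothing to restart")
		return
	}
	targets := []RolloutRestartTarget{{Kind: "Deployment", Name: "web"}, {Kind: "Job", Name: "batch"}}
	for _, tgt := range targets {
		patch, err := RestartPatch(tgt, time.Now())
		if err != nil {
			fmt.Println("skip:", err) // Job is not a supported kind
			continue
		}
		fmt.Printf("PATCH %s/%s %s\n", tgt.Kind, tgt.Name, patch)
	}
}
```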
#### SecretTransformation
SecretTransformation is the Schema for the secrettransformations API
_Appears in:_
- [SecretTransformationList](#secrettransformationlist)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `SecretTransformation` | | |
| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _[SecretTransformationSpec](#secrettransformationspec)_ | | | |
#### SecretTransformationList
SecretTransformationList contains a list of SecretTransformation
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `SecretTransformationList` | | |
| `metadata` _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _[SecretTransformation](#secrettransformation) array_ | | | |
#### SecretTransformationSpec
SecretTransformationSpec defines the desired state of SecretTransformation
_Appears in:_
- [SecretTransformation](#secrettransformation)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `templates` _object (keys:string, values:[Template](#template))_ | Templates maps a template name to its Template. Templates are always included<br />in the rendered K8s Secret with the specified key. | | |
| `sourceTemplates` _[SourceTemplate](#sourcetemplate) array_ | SourceTemplates are never included in the rendered K8s Secret, they can be<br />used to provide common template definitions, etc. | | |
| `includes` _string array_ | Includes contains regex patterns used to filter top-level source secret data<br />fields for inclusion in the final K8s Secret data. These pattern filters are<br />never applied to templated fields as defined in Templates. They are always<br />applied last. | | |
| `excludes` _string array_ | Excludes contains regex patterns used to filter top-level source secret data<br />fields for exclusion from the final K8s Secret data. These pattern filters are<br />never applied to templated fields as defined in Templates. They are always<br />applied before any inclusion patterns. To exclude all source secret data<br />fields, you can configure the single pattern ".*". | | |
#### SourceTemplate
SourceTemplate provides source templating configuration.
_Appears in:_
- [SecretTransformationSpec](#secrettransformationspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `name` _string_ | Name of the SourceTemplate. | | |
| `text` _string_ | Text contains the Go text template format. The template<br />references attributes from the data structure of the source secret.<br />Refer to https://pkg.go.dev/text/template for more information. | | |
#### StorageEncryption
StorageEncryption provides the configuration needed to encrypt the storage cache
entries using Vault's Transit engine.
_Appears in:_
- [VaultAuthSpec](#vaultauthspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `mount` _string_ | Mount path of the Transit engine in Vault. | | |
| `keyName` _string_ | KeyName to use for encrypt/decrypt operations via Vault Transit. | | |
#### Template
Template provides templating configuration.
_Appears in:_
- [SecretTransformationSpec](#secrettransformationspec)
- [Transformation](#transformation)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `name` _string_ | Name of the Template | | |
| `text` _string_ | Text contains the Go text template format. The template<br />references attributes from the data structure of the source secret.<br />Refer to https://pkg.go.dev/text/template for more information. | | |
#### TemplateRef
TemplateRef points to templating text that is stored in a
SecretTransformation custom resource.
_Appears in:_
- [TransformationRef](#transformationref)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `name` _string_ | Name of the Template in SecretTransformationSpec.Templates. | | |
| `keyOverride` _string_ | KeyOverride sets the key of the rendered template in the Destination secret. If<br />empty, the key from the referenced spec is used. Set this to override the<br />key taken from the reference spec. | | |
#### Transformation
_Appears in:_
- [Destination](#destination)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `templates` _object (keys:string, values:[Template](#template))_ | Templates maps a template name to its Template. Templates are always included<br />in the rendered K8s Secret, and take precedence over templates defined in a<br />SecretTransformation. | | |
| `transformationRefs` _[TransformationRef](#transformationref) array_ | TransformationRefs contain references to template configuration from<br />SecretTransformation. | | |
| `includes` _string array_ | Includes contains regex patterns used to filter top-level source secret data<br />fields for inclusion in the final K8s Secret data. These pattern filters are<br />never applied to templated fields as defined in Templates. They are always<br />applied last. | | |
| `excludes` _string array_ | Excludes contains regex patterns used to filter top-level source secret data<br />fields for exclusion from the final K8s Secret data. These pattern filters are<br />never applied to templated fields as defined in Templates. They are always<br />applied before any inclusion patterns. To exclude all source secret data<br />fields, you can configure the single pattern ".*". | | |
| `excludeRaw` _boolean_ | ExcludeRaw data from the destination Secret. Exclusion policy can be set<br />globally by including `exclude-raw` in the `--global-transformation-options`<br />command line flag. If set, the command line flag always takes precedence over<br />this configuration. | | |
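The filter ordering documented for both `SecretTransformationSpec` and `Transformation` (excludes applied before includes, templated fields never filtered, `excludeRaw` dropping every raw field), worked through as an added Go example that is not the operator's own code. The simplified `Transformation` struct, exposing the source data to templates as `.Secrets`, treating an empty `includes` as "keep every non-excluded raw field", and letting a template win over a raw key of the same name are assumptions made here.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// Transformation is a simplified stand-in for the Transformation and
// SecretTransformationSpec fields exercised here (assumed shape, not the
// operator's own Go types).
type Transformation struct {
	Templates  map[string]string // template name -> Go text/template source
	Excludes   []string          // regex filters on raw source keys, applied first
	Includes   []string          // regex filters on raw source keys, applied last
	ExcludeRaw bool              // drop every raw source field; keep only templates
}

// compileAll compiles a pattern list, failing on the first invalid pattern.
func compileAll(patterns []string) ([]*regexp.Regexp, error) {
	res := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("invalid pattern %q: %w", p, err)
		}
		res = append(res, re)
	}
	return res, nil
}

// matchAny reports whether any compiled pattern matches the key.
func matchAny(res []*regexp.Regexp, key string) bool {
	for _, re := range res {
		if re.MatchString(key) {
			return true
		}
	}
	return false
}

// Render computes the destination Secret data from the source secret data.
// Raw fields pass through Excludes first and Includes last; templated fields
// are always rendered and never filtered. An empty Includes keeps every
// non-excluded raw field (assumption), and templates are written after raw
// fields so a template overrides a raw key of the same name (assumption).
func Render(src map[string]string, tr Transformation) (map[string]string, error) {
	out := map[string]string{}
	if !tr.ExcludeRaw {
		excl, err := compileAll(tr.Excludes)
		if err != nil {
			return nil, err
		}
		incl, err := compileAll(tr.Includes)
		if err != nil {
			return nil, err
		}
		for k, v := range src {
			if matchAny(excl, k) {
				continue // excludes run before any inclusion pattern
			}
			if len(incl) > 0 && !matchAny(incl, k) {
				continue // includes run last
			}
			out[k] = v
		}
	}
	for name, text := range tr.Templates {
		tmpl, err := template.New(name).Option("missingkey=error").Parse(text)
		if err != nil {
			return nil, fmt.Errorf("template %q: %w", name, err)
		}
		var buf bytes.Buffer
		// The source data is exposed as .Secrets (assumed variable name).
		if err := tmpl.Execute(&buf, map[string]interface{}{"Secrets": src}); err != nil {
			return nil, fmt.Errorf("template %q: %w", name, err)
		}
		out[name] = buf.String()
	}
	return out, nil
}

func main() {
	// Constructed sample source secret; placeholder values, not real credentials.
	src := map[string]string{"username": "app", "password": "example-pw", "host": "db.internal", "port": "5432"}
	tr := Transformation{
		Templates: map[string]string{
			"dsn": "postgres://{{ .Secrets.username }}:{{ .Secrets.password }}@{{ .Secrets.host }}:{{ .Secrets.port }}/app",
		},
		Excludes: []string{"^pass"},           // drop the raw password key
		Includes: []string{"^user", "^host$"}, // of the rest, keep only these
	}
	out, err := Render(src, tr)
	if err != nil {
		panic(err)
	}
	fmt.Println(out) // keys: dsn, host, username (password excluded, port not included)
}
```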
#### TransformationRef
TransformationRef contains the configuration for accessing templates from a
SecretTransformation resource. TransformationRefs can be shared across all
syncable secret custom resources.
_Appears in:_
- [Transformation](#transformation)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `namespace` _string_ | Namespace of the SecretTransformation resource. | | |
| `name` _string_ | Name of the SecretTransformation resource. | | |
| `templateRefs` _[TemplateRef](#templateref) array_ | TemplateRefs map to a Template found in this TransformationRef. If empty, then<br />all templates from the SecretTransformation will be rendered to the K8s Secret. | | |
| `ignoreIncludes` _boolean_ | IgnoreIncludes controls whether to use the SecretTransformation's Includes<br />data key filters. | | |
| `ignoreExcludes` _boolean_ | IgnoreExcludes controls whether to use the SecretTransformation's Excludes<br />data key filters. | | |
#### VaultAuth
VaultAuth is the Schema for the vaultauths API
_Appears in:_
- [VaultAuthList](#vaultauthlist)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `VaultAuth` | | |
| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _[VaultAuthSpec](#vaultauthspec)_ | | | |
#### VaultAuthConfigAWS
VaultAuthConfigAWS provides VaultAuth configuration options needed for
authenticating to Vault via an AWS AuthMethod. Will use creds from
`SecretRef` or `IRSAServiceAccount` if provided, in that order. If neither
is provided, the underlying node role or instance profile will be used to
authenticate to Vault.
_Appears in:_
- [VaultAuthSpec](#vaultauthspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `role` _string_ | Vault role to use for authenticating | | |
| `region` _string_ | AWS Region to use for signing the authentication request | | |
| `headerValue` _string_ | The Vault header value to include in the STS signing request | | |
| `sessionName` _string_ | The role session name to use when creating a web identity provider | | |
| `stsEndpoint` _string_ | The STS endpoint to use; if not set will use the default | | |
| `iamEndpoint` _string_ | The IAM endpoint to use; if not set will use the default | | |
| `secretRef` _string_ | SecretRef is the name of a Kubernetes Secret in the consumer's (VDS/VSS/PKI) namespace<br />which holds credentials for AWS. Expected keys include `access_key_id`, `secret_access_key`,<br />`session_token` | | |
| `irsaServiceAccount` _string_ | IRSAServiceAccount name to use with IAM Roles for Service Accounts<br />(IRSA), and should be annotated with "eks.amazonaws.com/role-arn". This<br />ServiceAccount will be checked for other EKS annotations:<br />eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration | | |
#### VaultAuthConfigAppRole
VaultAuthConfigAppRole provides VaultAuth configuration options needed for authenticating to
Vault via an AppRole AuthMethod.
_Appears in:_
- [VaultAuthSpec](#vaultauthspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `roleId` _string_ | RoleID of the AppRole Role to use for authenticating to Vault. | | |
| `secretRef` _string_ | SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which<br />provides the AppRole Role's SecretID. The secret must have a key named `id` which holds the<br />AppRole Role's secretID. | | |
#### VaultAuthConfigGCP
VaultAuthConfigGCP provides VaultAuth configuration options needed for
authenticating to Vault via a GCP AuthMethod, using workload identity.
_Appears in:_
- [VaultAuthSpec](#vaultauthspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `role` _string_ | Vault role to use for authenticating | | |
| `workloadIdentityServiceAccount` _string_ | WorkloadIdentityServiceAccount is the name of a Kubernetes service<br />account (in the same Kubernetes namespace as the Vault*Secret referencing<br />this resource) which has been configured for workload identity in GKE.<br />Should be annotated with "iam.gke.io/gcp-service-account". | | |
| `region` _string_ | GCP Region of the GKE cluster's identity provider. Defaults to the region<br />returned from the operator pod's local metadata server. | | |
| `clusterName` _string_ | GKE cluster name. Defaults to the cluster-name returned from the operator<br />pod's local metadata server. | | |
| `projectID` _string_ | GCP project ID. Defaults to the project-id returned from the operator<br />pod's local metadata server. | | |
#### VaultAuthConfigJWT
VaultAuthConfigJWT provides VaultAuth configuration options needed for authenticating to Vault.
_Appears in:_
- [VaultAuthSpec](#vaultauthspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `role` _string_ | Role to use for authenticating to Vault. | | |
| `secretRef` _string_ | SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which<br />provides the JWT token to authenticate to Vault's JWT authentication backend. The secret must<br />have a key named `jwt` which holds the JWT token. | | |
| `serviceAccount` _string_ | ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's<br />JWT authentication backend. | | |
| `audiences` _string array_ | TokenAudiences to include in the ServiceAccount token. | | |
| `tokenExpirationSeconds` _integer_ | TokenExpirationSeconds to set the ServiceAccount token. | 600 | Minimum: 600 <br /> |
#### VaultAuthConfigKubernetes
VaultAuthConfigKubernetes provides VaultAuth configuration options needed for authenticating to Vault.
_Appears in:_
- [VaultAuthSpec](#vaultauthspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `role` _string_ | Role to use for authenticating to Vault. | | |
| `serviceAccount` _string_ | ServiceAccount to use when authenticating to Vault's<br />authentication backend. This must reside in the consuming secret's (VDS/VSS/PKI) namespace. | | |
| `audiences` _string array_ | TokenAudiences to include in the ServiceAccount token. | | |
| `tokenExpirationSeconds` _integer_ | TokenExpirationSeconds to set the ServiceAccount token. | 600 | Minimum: 600 <br /> |
#### VaultAuthList
VaultAuthList contains a list of VaultAuth
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `VaultAuthList` | | |
| `metadata` _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _[VaultAuth](#vaultauth) array_ | | | |
#### VaultAuthSpec
VaultAuthSpec defines the desired state of VaultAuth
_Appears in:_
- [VaultAuth](#vaultauth)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `vaultConnectionRef` _string_ | VaultConnectionRef to the VaultConnection resource, can be prefixed with a namespace,<br />e.g. `namespaceA/vaultConnectionRefB`. If no namespace prefix is provided it will default to the<br />namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the<br />Operator will default to the `default` VaultConnection, configured in the operator's namespace. | | |
| `namespace` _string_ | Namespace to auth to in Vault | | |
| `allowedNamespaces` _string array_ | AllowedNamespaces lists the Kubernetes Namespaces which are allow-listed for use with this AuthMethod.<br />This field allows administrators to customize which Kubernetes namespaces are authorized to<br />use this AuthMethod. While Vault will still enforce its own rules, this has the added<br />configurability of restricting which VaultAuthMethods can be used by which namespaces.<br />Accepted values:<br />[]{"*"} - wildcard, all namespaces.<br />[]{"a", "b"} - list of namespaces.<br />unset - disallow all namespaces except the Operator's and the VaultAuthMethod's namespace; this<br />is the default behavior. | | |
| `method` _string_ | Method to use when authenticating to Vault. | | Enum: [kubernetes jwt appRole aws gcp] <br /> |
| `mount` _string_ | Mount to use when authenticating to auth method. | | |
| `params` _object (keys:string, values:string)_ | Params to use when authenticating to Vault | | |
| `headers` _object (keys:string, values:string)_ | Headers to be included in all Vault requests. | | |
| `kubernetes` _[VaultAuthConfigKubernetes](#vaultauthconfigkubernetes)_ | Kubernetes specific auth configuration, requires that the Method be set to `kubernetes`. | | |
| `appRole` _[VaultAuthConfigAppRole](#vaultauthconfigapprole)_ | AppRole specific auth configuration, requires that the Method be set to `appRole`. | | |
| `jwt` _[VaultAuthConfigJWT](#vaultauthconfigjwt)_ | JWT specific auth configuration, requires that the Method be set to `jwt`. | | |
| `aws` _[VaultAuthConfigAWS](#vaultauthconfigaws)_ | AWS specific auth configuration, requires that Method be set to `aws`. | | |
| `gcp` _[VaultAuthConfigGCP](#vaultauthconfiggcp)_ | GCP specific auth configuration, requires that Method be set to `gcp`. | | |
| `storageEncryption` _[StorageEncryption](#storageencryption)_ | StorageEncryption provides the necessary configuration to encrypt the client storage cache.<br />This should only be configured when client cache persistence with encryption is enabled.<br />This is done by setting the manager's command-line argument<br />`--client-cache-persistence-model=direct-encrypted`. Typically, there should only ever<br />be one VaultAuth configured with StorageEncryption in the Cluster, and it should have<br />the label `cacheStorageEncryption=true`. | | |
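The `vaultAuthRef` resolution rules (bare name, `namespace/name`, or unset falling back to the operator's `default` VaultAuth) together with the `allowedNamespaces` check described above, as an added Go example that is not the operator's own code; the same `allowedNamespaces` semantics apply to `HCPAuthSpec`. The minimal `VaultAuth` struct, the sample resources and the operator namespace `vault-secrets-operator-system` are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// VaultAuth is a minimal stand-in for a VaultAuth resource (assumed shape,
// not the operator's own types): where it lives and which namespaces may use it.
type VaultAuth struct {
	Namespace         string
	Name              string
	AllowedNamespaces []string // empty = unset
}

var (
	ErrDenied   = errors.New("namespace not allowed to use this VaultAuth")
	ErrNotFound = errors.New("VaultAuth not found")
)

// ResolveVaultAuthRef maps a vaultAuthRef value to the namespace/name to look up.
// consumerNS is the namespace of the VaultDynamicSecret/VaultStaticSecret/
// VaultPKISecret carrying the ref; operatorNS is where the `default` VaultAuth lives.
func ResolveVaultAuthRef(ref, consumerNS, operatorNS string) (ns, name string, err error) {
	if ref == "" {
		return operatorNS, "default", nil // unset: operator's default VaultAuth
	}
	parts := strings.Split(ref, "/")
	switch {
	case len(parts) == 1 && parts[0] != "":
		return consumerNS, parts[0], nil // bare name: same namespace as the consumer
	case len(parts) == 2 && parts[0] != "" && parts[1] != "":
		return parts[0], parts[1], nil // namespace/name form
	default:
		return "", "", fmt.Errorf("invalid vaultAuthRef %q", ref)
	}
}

// NamespaceAllowed applies the AllowedNamespaces rules: ["*"] admits every
// namespace, an explicit list admits exactly those, and unset admits only the
// Operator's namespace and the VaultAuth's own namespace (the default).
func NamespaceAllowed(auth VaultAuth, consumerNS, operatorNS string) bool {
	if len(auth.AllowedNamespaces) == 0 {
		return consumerNS == auth.Namespace || consumerNS == operatorNS
	}
	for _, ns := range auth.AllowedNamespaces {
		if ns == "*" || ns == consumerNS {
			return true
		}
	}
	return false
}

// LookupVaultAuth resolves the ref, finds the VaultAuth among auths and enforces
// AllowedNamespaces, returning ErrNotFound or ErrDenied as appropriate.
func LookupVaultAuth(ref, consumerNS, operatorNS string, auths []VaultAuth) (*VaultAuth, error) {
	ns, name, err := ResolveVaultAuthRef(ref, consumerNS, operatorNS)
	if err != nil {
		return nil, err
	}
	for i := range auths {
		a := &auths[i]
		if a.Namespace != ns || a.Name != name {
			continue
		}
		if !NamespaceAllowed(*a, consumerNS, operatorNS) {
			return nil, fmt.Errorf("%s/%s: %w", ns, name, ErrDenied)
		}
		return a, nil
	}
	return nil, fmt.Errorf("%s/%s: %w", ns, name, ErrNotFound)
}

// SampleAuths is a constructed set of VaultAuth resources used by main and the tests.
// The default VaultAuth is given "*" so that consumers in any namespace can fall back to it.
func SampleAuths(operatorNS string) []VaultAuth {
	return []VaultAuth{
		{Namespace: operatorNS, Name: "default", AllowedNamespaces: []string{"*"}},
		{Namespace: "team-a", Name: "db-auth"}, // allowedNamespaces unset
		{Namespace: "platform", Name: "shared", AllowedNamespaces: []string{"team-a", "team-b"}},
	}
}

func main() {
	const operatorNS = "vault-secrets-operator-system" // assumed operator namespace
	auths := SampleAuths(operatorNS)
	for _, c := range []struct{ ref, consumer string }{
		{"", "team-c"}, {"db-auth", "team-a"}, {"team-a/db-auth", "team-b"}, {"platform/shared", "team-c"},
	} {
		a, err := LookupVaultAuth(c.ref, c.consumer, operatorNS, auths)
		if err != nil {
			fmt.Printf("ref=%q from %s: %v\n", c.ref, c.consumer, err)
			continue
		}
		fmt.Printf("ref=%q from %s: uses %s/%s\n", c.ref, c.consumer, a.Namespace, a.Name)
	}
}
```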
#### VaultClientMeta
VaultClientMeta defines the observed state of the last Vault Client used to
sync the secret. This status is used during resource reconciliation.
_Appears in:_
- [VaultDynamicSecretStatus](#vaultdynamicsecretstatus)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `cacheKey` _string_ | CacheKey is the unique key used to identify the client cache. | | |
| `id` _string_ | ID is the Vault ID of the authenticated client. The ID should never contain<br />any sensitive information. | | |
#### VaultConnection
VaultConnection is the Schema for the vaultconnections API
_Appears in:_
- [VaultConnectionList](#vaultconnectionlist)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `VaultConnection` | | |
| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _[VaultConnectionSpec](#vaultconnectionspec)_ | | | |
#### VaultConnectionList
VaultConnectionList contains a list of VaultConnection
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `VaultConnectionList` | | |
| `metadata` _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _[VaultConnection](#vaultconnection) array_ | | | |
#### VaultConnectionSpec
VaultConnectionSpec defines the desired state of VaultConnection
_Appears in:_
- [VaultConnection](#vaultconnection)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `address` _string_ | Address of the Vault server | | |
| `headers` _object (keys:string, values:string)_ | Headers to be included in all Vault requests. | | |
| `tlsServerName` _string_ | TLSServerName to use as the SNI host for TLS connections. | | |
| `caCertSecretRef` _string_ | CACertSecretRef is the name of a Kubernetes secret containing the trusted PEM encoded CA certificate chain as `ca.crt`. | | |
| `skipTLSVerify` _boolean_ | SkipTLSVerify for TLS connections. | false | |
#### VaultDynamicSecret
VaultDynamicSecret is the Schema for the vaultdynamicsecrets API
_Appears in:_
- [VaultDynamicSecretList](#vaultdynamicsecretlist)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `VaultDynamicSecret` | | |
| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _[VaultDynamicSecretSpec](#vaultdynamicsecretspec)_ | | | |
#### VaultDynamicSecretList
VaultDynamicSecretList contains a list of VaultDynamicSecret
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `VaultDynamicSecretList` | | |
| `metadata` _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _[VaultDynamicSecret](#vaultdynamicsecret) array_ | | | |
#### VaultDynamicSecretSpec
VaultDynamicSecretSpec defines the desired state of VaultDynamicSecret
_Appears in:_
- [VaultDynamicSecret](#vaultdynamicsecret)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `vaultAuthRef` _string_ | VaultAuthRef to the VaultAuth resource, can be prefixed with a namespace,<br />e.g. `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it will default to the<br />namespace of the VaultAuth CR. If no value is specified for VaultAuthRef the Operator will<br />default to the `default` VaultAuth, configured in the operator's namespace. | | |
| `namespace` _string_ | Namespace where the secrets engine is mounted in Vault. | | |
| `mount` _string_ | Mount path of the secrets engine in Vault. | | |
| `requestHTTPMethod` _string_ | RequestHTTPMethod to use when syncing Secrets from Vault.<br />Setting a value here is not typically required.<br />If left unset the Operator will make requests using the GET method.<br />In the case where Params are specified the Operator will use the PUT method.<br />Please consult [secrets](/vault/docs/secrets) if you are<br />uncertain about what method to use.<br />Of note, the Vault client treats PUT and POST as being equivalent.<br />The underlying Vault client implementation will always use the PUT method. | | Enum: [GET POST PUT] <br /> |
| `path` _string_ | Path in Vault to get the credentials for, and is relative to Mount.<br />Please consult [secrets](/vault/docs/secrets) if you are<br />uncertain about what 'path' should be set to. | | |
| `params` _object (keys:string, values:string)_ | Params that can be passed when requesting credentials/secrets.<br />When Params is set the configured RequestHTTPMethod will be<br />ignored. See RequestHTTPMethod for more details.<br />Please consult [secrets](/vault/docs/secrets) if you are<br />uncertain about what 'params' should/can be set to. | | |
| `renewalPercent` _integer_ | RenewalPercent is the percentage (out of 100) of the lease duration at which the<br />lease is renewed. Defaults to 67 percent plus jitter. | 67 | Maximum: 90 <br />Minimum: 0 <br /> |
| `revoke` _boolean_ | Revoke the existing lease on VDS resource deletion. | | |
| `allowStaticCreds` _boolean_ | AllowStaticCreds should be set when syncing credentials that are periodically<br />rotated by the Vault server, rather than created upon request. These secrets<br />are sometimes referred to as "static roles", or "static credentials", with a<br />request path that contains "static-creds". | | |
| `rolloutRestartTargets` _[RolloutRestartTarget](#rolloutrestarttarget) array_ | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do<br />not support dynamically reloading a rotated secret.<br />In that case, one or more RolloutRestartTargets can be configured here. The Operator will<br />trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.<br />See RolloutRestartTarget for more details. | | |
| `destination` _[Destination](#destination)_ | Destination provides configuration necessary for syncing the Vault secret to Kubernetes. | | |
| `refreshAfter` _string_ | RefreshAfter is the period after which VSO re-syncs the source secret data, in<br />duration notation, e.g. 30s, 1m, 24h. This value only needs to be set when<br />syncing from a secrets engine that does not provide a lease TTL in its<br />response. The value should be within the secrets engine's configured ttl or<br />max_ttl. The source secret's lease duration takes precedence over this<br />configuration when it is greater than 0. | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h))$` <br />Type: string <br /> |
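
The VaultDynamicSecretSpec table above states three scheduling rules that are easy to get wrong in practice: a lease TTL from Vault takes precedence over `refreshAfter`, renewal happens at `renewalPercent` of the lease, and setting `params` forces the PUT method regardless of `requestHTTPMethod`. The following Go program is an added example written for this page, not code from the Vault Secrets Operator project; the function names are this example's own. It also checks `refreshAfter` against the CRD validation pattern shown in the table, which is stricter than Go's `time.ParseDuration` (a value such as `1m30s` is rejected by the API server before the Operator ever sees it). The jitter the Operator adds on top of `renewalPercent` is not quantified on this page, so the example leaves it out and returns the deterministic base value.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"time"
)

// refreshAfterPattern mirrors the CRD validation pattern for refreshAfter:
// a single number with exactly one unit (s, m or h). Go's time.ParseDuration
// would also accept "1m30s" or "500ms", but the API server rejects those.
var refreshAfterPattern = regexp.MustCompile(`^([0-9]+(\.[0-9]+)?(s|m|h))$`)

// parseRefreshAfter validates a refreshAfter value against the CRD pattern
// and then converts it to a time.Duration.
func parseRefreshAfter(v string) (time.Duration, error) {
	if !refreshAfterPattern.MatchString(v) {
		return 0, fmt.Errorf("refreshAfter %q does not match pattern %s", v, refreshAfterPattern)
	}
	return time.ParseDuration(v)
}

// nextSync computes how long the Operator waits before re-syncing a
// VaultDynamicSecret, following the rules in the spec table:
//   - a lease duration greater than 0 takes precedence over refreshAfter and
//     the secret is renewed at renewalPercent of the lease (jitter omitted here);
//   - otherwise refreshAfter, when set, decides the interval;
//   - with neither, there is nothing to schedule, which is reported as an error.
func nextSync(leaseSeconds int64, renewalPercent int, refreshAfter string) (time.Duration, error) {
	if renewalPercent < 0 || renewalPercent > 90 {
		return 0, fmt.Errorf("renewalPercent %d is outside the CRD bounds [0, 90]", renewalPercent)
	}
	if leaseSeconds > 0 {
		lease := time.Duration(leaseSeconds) * time.Second
		return lease * time.Duration(renewalPercent) / 100, nil
	}
	if refreshAfter == "" {
		return 0, errors.New("no lease TTL in the Vault response and refreshAfter is unset")
	}
	return parseRefreshAfter(refreshAfter)
}

// requestMethod resolves the HTTP method used for the Vault request: params
// force PUT, an unset requestHTTPMethod means GET, anything else is passed
// through (the table notes that POST is treated as PUT by the Vault client).
func requestMethod(configured string, params map[string]string) string {
	if len(params) > 0 {
		return "PUT"
	}
	if configured == "" {
		return "GET"
	}
	return configured
}

func main() {
	// Constructed inputs: a 1h lease with the default 67 percent renewal.
	d, err := nextSync(3600, 67, "")
	fmt.Println("lease-driven renewal after:", d, err)

	// No lease in the response (for example a static-creds role): refreshAfter decides.
	d, err = nextSync(0, 67, "30m")
	fmt.Println("refreshAfter-driven sync after:", d, err)

	// Valid for time.ParseDuration, invalid for the CRD pattern.
	_, err = nextSync(0, 67, "1m30s")
	fmt.Println("pattern check:", err)

	fmt.Println("method with params:", requestMethod("GET", map[string]string{"ttl": "1h"}))
}
```

Running it with a non-zero lease shows that `refreshAfter` is silently irrelevant in that case, which is the situation the table describes with "takes precedence"; if a sync appears to ignore `refreshAfter`, check whether the Vault response carried a lease before changing the resource.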

#### VaultPKISecret

VaultPKISecret is the Schema for the vaultpkisecrets API

_Appears in:_
- [VaultPKISecretList](#vaultpkisecretlist)

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `VaultPKISecret` | | |
| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _[VaultPKISecretSpec](#vaultpkisecretspec)_ | | | |

#### VaultPKISecretList

VaultPKISecretList contains a list of VaultPKISecret

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `VaultPKISecretList` | | |
| `metadata` _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _[VaultPKISecret](#vaultpkisecret) array_ | | | |

#### VaultPKISecretSpec

VaultPKISecretSpec defines the desired state of VaultPKISecret

_Appears in:_
- [VaultPKISecret](#vaultpkisecret)

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `vaultAuthRef` _string_ | VaultAuthRef is a reference to the VaultAuth resource; it can be prefixed with a namespace,<br />e.g. `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it defaults to<br />the namespace of the VaultAuth CR. If no value is specified for VaultAuthRef, the Operator<br />defaults to the `default` VaultAuth configured in the operator's namespace. | | |
| `namespace` _string_ | Namespace to get the secret from in Vault | | |
| `mount` _string_ | Mount for the secret in Vault | | |
| `role` _string_ | Role in Vault to use when issuing TLS certificates. | | |
| `revoke` _boolean_ | Revoke the certificate when the resource is deleted. | | |
| `clear` _boolean_ | Clear the Kubernetes secret when the resource is deleted. | | |
| `expiryOffset` _string_ | ExpiryOffset to use for computing when the certificate should be renewed.<br />The rotation time will be the difference between the expiration and the offset.<br />Should be in duration notation e.g. 30s, 120s, etc. | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h))$` <br />Type: string <br /> |
| `issuerRef` _string_ | IssuerRef is a reference to an existing PKI issuer: either the Vault-generated<br />identifier, the literal string `default` to refer to the currently<br />configured default issuer, or the name assigned to an issuer.<br />This parameter is part of the request URL. | | |
| `rolloutRestartTargets` _[RolloutRestartTarget](#rolloutrestarttarget) array_ | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do<br />not support dynamically reloading a rotated secret.<br />In that case one or more RolloutRestartTargets can be configured here. The Operator will<br />trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.<br />See RolloutRestartTarget for more details. | | |
| `destination` _[Destination](#destination)_ | Destination provides configuration necessary for syncing the Vault secret<br />to Kubernetes. If the type is set to "kubernetes.io/tls", "tls.key" will<br />be set to the "private_key" response from Vault, and "tls.crt" will be<br />set to "certificate" + "ca_chain" from the Vault response ("issuing_ca"<br />is used when "ca_chain" is empty). The "remove_roots_from_chain=true"<br />option is used with Vault to exclude the root CA from the Vault response. | | |
| `commonName` _string_ | CommonName to include in the request. | | |
| `altNames` _string array_ | AltNames to include in the request.<br />May contain both DNS names and email addresses. | | |
| `ipSans` _string array_ | IPSans to include in the request. | | |
| `uriSans` _string array_ | The requested URI SANs. | | |
| `otherSans` _string array_ | Requested other SANs, in an array with the format<br />oid;type:value for each entry. | | |
| `userIDs` _string array_ | User ID (OID 0.9.2342.19200300.100.1.1) Subject values to be placed on the<br />signed certificate. | | |
| `ttl` _string_ | TTL for the certificate; sets the expiration date.<br />If not specified the Vault role's default,<br />backend default, or system default TTL is used, in that order.<br />Cannot be larger than the mount's max TTL.<br />Note: this only has an effect when generating a CA cert or signing a CA cert,<br />not when generating a CSR for an intermediate CA.<br />Should be in duration notation e.g. 120s, 2h, etc. | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h))$` <br />Type: string <br /> |
| `format` _string_ | Format for the certificate. Choices: "pem", "der", "pem_bundle".<br />If "pem_bundle",<br />any private key and issuing cert will be appended to the certificate pem.<br />If "der", the value will be base64 encoded.<br />Default: pem | | |
| `privateKeyFormat` _string_ | PrivateKeyFormat, generally the default will be controlled by the Format<br />parameter as either base64-encoded DER or PEM-encoded DER.<br />However, this can be set to "pkcs8" to have the returned<br />private key contain base64-encoded pkcs8 or PEM-encoded<br />pkcs8 instead.<br />Default: der | | |
| `notAfter` _string_ | NotAfter sets the certificate's NotAfter field to the specified date.<br />The value must be given in UTC in the format YYYY-MM-ddTHH:MM:SSZ. | | |
| `excludeCNFromSans` _boolean_ | ExcludeCNFromSans from DNS or Email Subject Alternate Names.<br />Default: false | | |
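
Two rows of the VaultPKISecretSpec table describe behaviour rather than a single parameter: the `destination` row spells out how a `kubernetes.io/tls` Secret is assembled from the Vault PKI response (`tls.key` from `private_key`, `tls.crt` from `certificate` plus `ca_chain`, with `issuing_ca` as the fallback when the chain is empty), and the `expiryOffset` row defines the rotation time as expiration minus offset. The Go program below is an added example for this page, not the Operator's own code. It assumes the Vault response keys named in the table plus Vault's `expiration` field (Unix seconds), joins PEM blocks with a single newline (the page does not state the separator), and uses a constructed response with placeholder PEM bodies rather than real certificates. Beyond the table, it also rejects an `expiryOffset` that is not shorter than the certificate lifetime, since that would place the rotation time before the certificate was issued.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// pkiIssueResponse holds the fields of a Vault PKI issue response that the
// Operator maps into a kubernetes.io/tls Secret. Field names follow the Vault
// response keys named in the VaultPKISecretSpec table; "expiration" is the
// Unix timestamp Vault returns alongside them.
type pkiIssueResponse struct {
	Certificate string   `json:"certificate"`
	IssuingCA   string   `json:"issuing_ca"`
	CAChain     []string `json:"ca_chain"`
	PrivateKey  string   `json:"private_key"`
	Expiration  int64    `json:"expiration"`
}

// sampleResponse is a constructed Vault response (placeholder PEM bodies, not
// real certificates) expiring at 2026-01-01T00:00:00Z.
const sampleResponse = `{
  "data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nISSUER-PLACEHOLDER\n-----END CERTIFICATE-----",
    "ca_chain": ["-----BEGIN CERTIFICATE-----\nISSUER-PLACEHOLDER\n-----END CERTIFICATE-----"],
    "private_key": "-----BEGIN PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END PRIVATE KEY-----",
    "expiration": 1767225600
  }
}`

// parseIssueResponse unwraps the "data" envelope of a Vault API response.
func parseIssueResponse(raw []byte) (pkiIssueResponse, error) {
	var env struct {
		Data pkiIssueResponse `json:"data"`
	}
	err := json.Unmarshal(raw, &env)
	return env.Data, err
}

// tlsSecretData builds the data map of a kubernetes.io/tls Secret: tls.key
// gets private_key; tls.crt gets certificate followed by ca_chain, or by
// issuing_ca when ca_chain is empty. Joining with "\n" is this example's
// assumption; the reference only states which fields are concatenated.
func tlsSecretData(resp pkiIssueResponse) (map[string][]byte, error) {
	if resp.Certificate == "" || resp.PrivateKey == "" {
		return nil, fmt.Errorf("vault response is missing certificate or private_key")
	}
	chain := resp.CAChain
	if len(chain) == 0 && resp.IssuingCA != "" {
		chain = []string{resp.IssuingCA}
	}
	parts := append([]string{resp.Certificate}, chain...)
	return map[string][]byte{
		"tls.crt": []byte(strings.Join(parts, "\n")),
		"tls.key": []byte(resp.PrivateKey),
	}, nil
}

// renewAt returns the instant at which a new certificate should be requested:
// expiration minus expiryOffset. An offset that is not shorter than the
// lifetime would put the rotation time before issuance, so it is an error.
func renewAt(resp pkiIssueResponse, issuedAt time.Time, expiryOffset string) (time.Time, error) {
	offset, err := time.ParseDuration(expiryOffset)
	if err != nil {
		return time.Time{}, err
	}
	expires := time.Unix(resp.Expiration, 0).UTC()
	if !issuedAt.Add(offset).Before(expires) {
		return time.Time{}, fmt.Errorf("expiryOffset %s is not shorter than the certificate lifetime %s",
			offset, expires.Sub(issuedAt))
	}
	return expires.Add(-offset), nil
}

func main() {
	resp, err := parseIssueResponse([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	data, err := tlsSecretData(resp)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tls.crt:\n%s\n", data["tls.crt"])

	// Constructed issuance time: one hour before expiration.
	issued := time.Unix(resp.Expiration-3600, 0).UTC()
	at, err := renewAt(resp, issued, "5m")
	fmt.Println("renew at:", at, err)
	_, err = renewAt(resp, issued, "2h")
	fmt.Println("oversized offset:", err)
}
```

The chain handling is the part worth reviewing on a real cluster: with `remove_roots_from_chain=true` (mentioned in the `destination` row) the root is absent from `ca_chain`, so `tls.crt` carries leaf plus intermediates only, which is what TLS servers should present; a consumer that needs the root as a trust anchor must obtain it separately rather than from this Secret.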

#### VaultSecretLease

_Appears in:_
- [VaultDynamicSecretStatus](#vaultdynamicsecretstatus)

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `id` _string_ | ID of the Vault secret. | | |
| `duration` _integer_ | LeaseDuration of the Vault secret. | | |
| `renewable` _boolean_ | Whether the Vault secret lease is renewable. | | |
| `requestID` _string_ | RequestID of the Vault secret request. | | |

#### VaultStaticCredsMetaData

_Appears in:_
- [VaultDynamicSecretStatus](#vaultdynamicsecretstatus)

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `lastVaultRotation` _integer_ | LastVaultRotation represents the last time Vault rotated the password. | | |
| `rotationPeriod` _integer_ | RotationPeriod is the number of seconds between each rotation, effectively a<br />"time to live". This value is compared to the LastVaultRotation to<br />determine if a password needs to be rotated. | | |
| `rotationSchedule` _string_ | RotationSchedule is a "cron style" string representing the allowed<br />schedule for each rotation.<br />e.g. "1 0 * * *" would rotate at one minute past midnight (00:01) every<br />day. | | |
| `ttl` _integer_ | TTL is the seconds remaining before the next rotation. | | |

#### VaultStaticSecret

VaultStaticSecret is the Schema for the vaultstaticsecrets API

_Appears in:_
- [VaultStaticSecretList](#vaultstaticsecretlist)

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `VaultStaticSecret` | | |
| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _[VaultStaticSecretSpec](#vaultstaticsecretspec)_ | | | |

#### VaultStaticSecretList

VaultStaticSecretList contains a list of VaultStaticSecret

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `secrets.hashicorp.com/v1beta1` | | |
| `kind` _string_ | `VaultStaticSecretList` | | |
| `metadata` _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _[VaultStaticSecret](#vaultstaticsecret) array_ | | | |

#### VaultStaticSecretSpec

VaultStaticSecretSpec defines the desired state of VaultStaticSecret

_Appears in:_
- [VaultStaticSecret](#vaultstaticsecret)

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `vaultAuthRef` _string_ | VaultAuthRef is a reference to the VaultAuth resource; it can be prefixed with a namespace,<br />e.g. `namespaceA/vaultAuthRefB`. If no namespace prefix is provided it defaults to<br />the namespace of the VaultAuth CR. If no value is specified for VaultAuthRef, the Operator<br />defaults to the `default` VaultAuth configured in the operator's namespace. | | |
| `namespace` _string_ | Namespace to get the secret from in Vault | | |
| `mount` _string_ | Mount for the secret in Vault | | |
| `path` _string_ | Path of the secret in Vault; corresponds to the `path` parameter of<br />[kv-v1](/vault/api-docs/secret/kv/kv-v1#read-secret) or [kv-v2](/vault/api-docs/secret/kv/kv-v2#read-secret-version) | | |
| `version` _integer_ | Version of the secret to fetch. Only valid for type kv-v2. Corresponds to the `version` query parameter:<br />[version](/vault/api-docs/secret/kv/kv-v2#version) | | Minimum: 0 <br /> |
| `type` _string_ | Type of the Vault static secret | | Enum: [kv-v1 kv-v2] <br /> |
| `refreshAfter` _string_ | RefreshAfter is the period after which VSO re-syncs the secret, in duration notation, e.g. 30s, 1m, 24h | | Pattern: `^([0-9]+(\.[0-9]+)?(s|m|h))$` <br />Type: string <br /> |
| `hmacSecretData` _boolean_ | HMACSecretData determines whether the Operator computes the<br />HMAC of the Secret's data. The MAC value will be stored in<br />the resource's Status.SecretMac field, and will be used for drift detection<br />and during incoming Vault secret comparison.<br />Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault. | true | |
| `rolloutRestartTargets` _[RolloutRestartTarget](#rolloutrestarttarget) array_ | RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do<br />not support dynamically reloading a rotated secret.<br />In that case one or more RolloutRestartTargets can be configured here. The Operator will<br />trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.<br />All configured targets will be ignored if HMACSecretData is set to false.<br />See RolloutRestartTarget for more details. | | |
| `destination` _[Destination](#destination)_ | Destination provides configuration necessary for syncing the Vault secret to Kubernetes. | | |
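
The `hmacSecretData` and `rolloutRestartTargets` rows of the VaultStaticSecretSpec table interact: drift detection and change detection both rest on the MAC stored in the resource status, and without it the Operator cannot tell a rotated secret from an unchanged one, so the restart targets are ignored. The Go program below is an added example for this page, not the Operator's own code, and models that decision. The serialization fed to the HMAC (sorted keys, length-prefixed) and the HMAC key are this example's own constructions; the real Operator manages its own key. The `RolloutRestartTarget` type is assumed here to carry `kind` and `name`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
)

// rolloutRestartTarget stands in for the RolloutRestartTarget type; the
// kind/name shape is an assumption of this example.
type rolloutRestartTarget struct {
	Kind string
	Name string
}

// staticSecretSpec carries the two VaultStaticSecretSpec fields this example
// reasons about.
type staticSecretSpec struct {
	HMACSecretData        bool
	RolloutRestartTargets []rolloutRestartTarget
}

// syncDecision is the outcome of one reconcile: whether the Kubernetes Secret
// must be (re)written, the MAC to record in status, and which targets get a
// rollout-restart.
type syncDecision struct {
	Changed        bool
	NewMAC         string
	RestartTargets []rolloutRestartTarget
}

// secretMAC computes an HMAC-SHA256 over the secret data. Keys are sorted and
// every key and value is length-prefixed so the MAC is independent of map
// iteration order and cannot be confused by values containing separators.
func secretMAC(key []byte, data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	mac := hmac.New(sha256.New, key)
	var lenBuf [8]byte
	for _, k := range keys {
		binary.BigEndian.PutUint64(lenBuf[:], uint64(len(k)))
		mac.Write(lenBuf[:])
		mac.Write([]byte(k))
		binary.BigEndian.PutUint64(lenBuf[:], uint64(len(data[k])))
		mac.Write(lenBuf[:])
		mac.Write(data[k])
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// reconcile compares freshly read Vault data against the MAC recorded in the
// resource status. With hmacSecretData disabled there is nothing to compare,
// so every reconcile rewrites the Secret and, as the table warns, the restart
// targets are ignored because no change can be detected.
func reconcile(spec staticSecretSpec, statusMAC string, hmacKey []byte, vaultData map[string][]byte) syncDecision {
	if !spec.HMACSecretData {
		return syncDecision{Changed: true}
	}
	newMAC := secretMAC(hmacKey, vaultData)
	if hmac.Equal([]byte(newMAC), []byte(statusMAC)) {
		return syncDecision{Changed: false, NewMAC: newMAC}
	}
	return syncDecision{Changed: true, NewMAC: newMAC, RestartTargets: spec.RolloutRestartTargets}
}

func main() {
	key := []byte("constructed-hmac-key") // constructed; the Operator keeps its own key
	data := map[string][]byte{"username": []byte("app"), "password": []byte("s3cr3t")}
	spec := staticSecretSpec{
		HMACSecretData:        true,
		RolloutRestartTargets: []rolloutRestartTarget{{Kind: "Deployment", Name: "web"}},
	}

	first := reconcile(spec, "", key, data)
	fmt.Printf("first sync: changed=%v restart=%v\n", first.Changed, first.RestartTargets)

	second := reconcile(spec, first.NewMAC, key, data)
	fmt.Printf("unchanged data: changed=%v restart=%v\n", second.Changed, second.RestartTargets)

	data["password"] = []byte("rotated")
	third := reconcile(spec, first.NewMAC, key, data)
	fmt.Printf("rotated data: changed=%v restart=%v\n", third.Changed, third.RestartTargets)

	spec.HMACSecretData = false
	fourth := reconcile(spec, first.NewMAC, key, data)
	fmt.Printf("hmac disabled: changed=%v restart=%v\n", fourth.Changed, fourth.RestartTargets)
}
```

The last case is the misconfiguration to look for when a rotated credential never triggers a restart: `rolloutRestartTargets` populated while `hmacSecretData` is `false`. Keeping the default `true` also gives you drift detection, since a Secret edited out of band produces a MAC that no longer matches the status and is overwritten on the next reconcile.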