AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    KubeStash New

    Backup and Recovery Solution for Kubernetes

    Stash

    Backup and Recovery Solution for Kubernetes

    KubeVault

    Run Production-Grade Vault on Kubernetes

    Voyager

    Secure Ingress Controller for Kubernetes

    ConfigSyncer

    Kubernetes Configuration Syncer

    Guard

    Kubernetes Authentication WebHook Server

    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • check-boxLower administrative burden
    • check-boxNative Kubernetes Support
    • check-boxPerformance
    • check-boxAvailability and durability
    • check-boxManageability
    • check-boxCost-effectiveness
    • check-boxSecurity
    kubestash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • check-boxDeclarative API
    • check-boxBackup Kubernetes Volumes
    • check-boxBackup Database
    • check-boxMultiple Storage Support
    • check-boxDeduplication
    • check-boxData Encryption
    • check-boxVolume Snapshot
    • check-boxPolicy Based Backup
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • check-boxDeclarative API
    • check-boxBackup Kubernetes Volumes
    • check-boxBackup Database
    • check-boxMultiple Storage Support
    • check-boxDeduplication
    • check-boxData Encryption
    • check-boxVolume Snapshot
    • check-boxPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • check-boxVault Kubernetes Deployment
    • check-boxAuto Initialization & Unsealing
    • check-boxVault Backup & Restore
    • check-boxConsume KubeVault Secrets with CSI
    • check-boxManage DB Users Privileges
    • check-boxStorage Backend
    • check-boxAuthentication Method
    • check-boxDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • check-boxHTTP & TCP
    • check-boxSSL
    • check-boxPlatform support
    • check-boxHAProxy
    • check-boxPrometheus
    • check-boxLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • check-boxConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • check-boxIdentity Providers
    • check-boxCLI
    • check-boxRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
KubeVault
github-icon twitterx-icon
TRY NOW FREE
  • Welcome
  • Concepts
  • Setup
  • Guides
  • Vault Operator
    KubeVault CLI
    Vault Unsealer

New to KubeVault? Please start here.

PKIRole

What is PKIRole

An PKIRole is a Kubernetes CustomResourceDefinition (CRD) which allows a user to create PKI secret engine role in a Kubernetes native way.

When an PKIRole is created, the KubeVault operator configures a Vault role that maps to a set of permissions in PKI as well as an PKI credential type. When users generate credentials, they are generated against this role. If the user deletes the PKIRole CRD, then the respective role will also be deleted from Vault.

PKIRole CRD

PKIRole CRD Specification

Like any official Kubernetes resource, a PKIRole object has TypeMeta, ObjectMeta, Spec and Status sections.

A sample PKIRole object is shown below:

apiVersion: engine.kubevault.com/v1alpha1
kind: PKIRole
metadata:
  name: pki-role
  namespace: demo
spec:
  secretEngineRef:
    name: pki-secret-engine
  allowedDomains:
    - "kubevault.com"
  allowSubdomains: true
  maxTTL: "720h"
  additionalPayload:
    "allow_ip_sans": "true"

Note: To resolve the naming conflict, name of the role in Vault will follow this format: k8s.{clusterName}.{metadata.namespace}.{metadata.name}

Here, we are going to describe the various sections of the PKIRole crd.

PKIRole Spec

PKIRole spec contains role information.

spec:
  secretEngineRef:
    name: <secret-engine-name>
  allowedDomains: <allowed domain names>
  allowSubdomains: <true>
  defaultTTL: <default-TTL>
  maxTTL: <max-TTL>
  additionalPayload:
    "key": "value"

PKIRole spec has the following fields:

spec.secretEngineRef

spec.secretEngineRef is a required field that specifies the name of a SecretEngine.

spec:
  secretEngineRef:
    name: pki-secret-engine

spec.allowedDomains

spec.allowedDomains is a required field that specifies the domains this role is allowed to issue certificates for

spec:
  allowedDomains:
    - "kubevault.com"

spec.allowSubdomains

spec.allowSubdomains is an optional field that specifies the if subdomains is allowed.

spec:
  allowSubdomains: true

spec.defaultTTL

spec.defaultTTL is an optional field that specifies the default TTL for certificates.

spec:
  maxTTL: "1h"

spec.maxTTL

spec.maxTTL is an optional field that specifies the max allowed TTL for certificates.

spec:
  maxTTL: "1h"

spec.additionalPayload

spec.additionalPayload is an optional field which can used to provide any key value of vault-api which will be used to create the role.

spec:
  additionalPayload:
    "key1": "value1"
    "key2": "value2"

PKIRole Status

status shows the status of the PKIRole. It is managed by the KubeVault operator. It contains the following fields:

  • observedGeneration: Specifies the most recent generation observed for this resource. It corresponds to the resource’s generation, which is updated on mutation by the API Server.

  • phase: Indicates whether the role successfully applied to Vault or not.

  • conditions : Represent observations of an PKIRole.

What's on this Page

Search
Improve This Page