AuthBackendConfigArgs

data class AuthBackendConfigArgs(val backend: Output<String>? = null, val disableIssValidation: Output<Boolean>? = null, val disableLocalCaJwt: Output<Boolean>? = null, val issuer: Output<String>? = null, val kubernetesCaCert: Output<String>? = null, val kubernetesHost: Output<String>? = null, val namespace: Output<String>? = null, val pemKeys: Output<List<String>>? = null, val tokenReviewerJwt: Output<String>? = null, val useAnnotationsAsAliasMetadata: Output<Boolean>? = null) : ConvertibleToJava<AuthBackendConfigArgs>

Manages a Kubernetes auth backend config in a Vault server. See the [Vault documentation](https://www.vaultproject.io/docs/auth/kubernetes.html) for more information.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
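// Mount the Kubernetes auth method; the config resource below attaches to its path.
const kubernetes = new vault.AuthBackend("kubernetes", {type: "kubernetes"});

// Tell Vault how to reach the Kubernetes API server and how to validate service account JWTs.
const example = new vault.kubernetes.AuthBackendConfig("example", {
    backend: kubernetes.path,
    // https, so the CA certificate below is used by the TLS client and the
    // reviewer token (sent as a bearer token) is not transmitted in cleartext.
    kubernetesHost: "https://example.com:443",
    kubernetesCaCert: `-----BEGIN CERTIFICATE-----
example
-----END CERTIFICATE-----`,
    // Sample value only. This is a bearer credential for the TokenReview API;
    // supply it from secret stack configuration rather than a literal in source.
    tokenReviewerJwt: "ZXhhbXBsZQo=",
    issuer: "api",
    // While this is true the issuer above is not checked against the JWT's iss claim.
    disableIssValidation: true,
});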
import pulumi
import pulumi_vault as vault
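# Mount the Kubernetes auth method; the config resource below attaches to its path.
kubernetes = vault.AuthBackend("kubernetes", type="kubernetes")

# Tell Vault how to reach the Kubernetes API server and how to validate service account JWTs.
example = vault.kubernetes.AuthBackendConfig("example",
    backend=kubernetes.path,
    # https, so the CA certificate below is used by the TLS client and the
    # reviewer token (sent as a bearer token) is not transmitted in cleartext.
    kubernetes_host="https://example.com:443",
    kubernetes_ca_cert="""-----BEGIN CERTIFICATE-----
example
-----END CERTIFICATE-----""",
    # Sample value only. This is a bearer credential for the TokenReview API;
    # supply it from secret stack configuration rather than a literal in source.
    token_reviewer_jwt="ZXhhbXBsZQo=",
    issuer="api",
    # While this is True the issuer above is not checked against the JWT's iss claim.
    disable_iss_validation=True)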
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
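// Program entry: declares the Kubernetes auth mount and its configuration.
return await Deployment.RunAsync(() =>
{
    // Mount the Kubernetes auth method; the config resource below attaches to its path.
    var kubernetes = new Vault.AuthBackend("kubernetes", new()
    {
        Type = "kubernetes",
    });

    // Tell Vault how to reach the Kubernetes API server and how to validate service account JWTs.
    var example = new Vault.Kubernetes.AuthBackendConfig("example", new()
    {
        Backend = kubernetes.Path,
        // https, so the CA certificate below is used by the TLS client and the
        // reviewer token (sent as a bearer token) is not transmitted in cleartext.
        KubernetesHost = "https://example.com:443",
        KubernetesCaCert = @"-----BEGIN CERTIFICATE-----
example
-----END CERTIFICATE-----",
        // Sample value only. This is a bearer credential for the TokenReview API;
        // supply it from secret stack configuration rather than a literal in source.
        TokenReviewerJwt = "ZXhhbXBsZQo=",
        Issuer = "api",
        // While this is true the issuer above is not checked against the JWT's iss claim.
        DisableIssValidation = true,
    });
});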
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
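// main declares the Kubernetes auth mount and its configuration inside a Pulumi program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The local is named authBackend, not kubernetes: a local called kubernetes
		// would shadow the imported kubernetes package used for NewAuthBackendConfig.
		authBackend, err := vault.NewAuthBackend(ctx, "kubernetes", &vault.AuthBackendArgs{
			Type: pulumi.String("kubernetes"),
		})
		if err != nil {
			return err
		}
		_, err = kubernetes.NewAuthBackendConfig(ctx, "example", &kubernetes.AuthBackendConfigArgs{
			Backend: authBackend.Path,
			// https, so the CA certificate below is used by the TLS client and the
			// reviewer token (sent as a bearer token) is not transmitted in cleartext.
			KubernetesHost:   pulumi.String("https://example.com:443"),
			KubernetesCaCert: pulumi.String("-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----"),
			// Sample value only. This is a bearer credential for the TokenReview API;
			// supply it from secret stack configuration rather than a literal in source.
			TokenReviewerJwt: pulumi.String("ZXhhbXBsZQo="),
			Issuer:           pulumi.String("api"),
			// While this is true the issuer above is not checked against the JWT's iss claim.
			DisableIssValidation: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}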
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.kubernetes.AuthBackendConfig;
import com.pulumi.vault.kubernetes.AuthBackendConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
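/**
 * Example Pulumi program: mounts the Kubernetes auth method in Vault and configures it.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the auth mount and its configuration.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Mount the Kubernetes auth method; the config resource below attaches to its path.
        var kubernetes = new AuthBackend("kubernetes", AuthBackendArgs.builder()
            .type("kubernetes")
            .build());

        var example = new AuthBackendConfig("example", AuthBackendConfigArgs.builder()
            .backend(kubernetes.path())
            // https, so the CA certificate below is used by the TLS client and the
            // reviewer token (sent as a bearer token) is not transmitted in cleartext.
            .kubernetesHost("https://example.com:443")
            .kubernetesCaCert("""
-----BEGIN CERTIFICATE-----
example
-----END CERTIFICATE----- """)
            // Sample value only. This is a bearer credential for the TokenReview API;
            // supply it from secret stack configuration rather than a literal in source.
            .tokenReviewerJwt("ZXhhbXBsZQo=")
            .issuer("api")
            // While this is true the issuer above is not checked against the JWT's iss claim.
            .disableIssValidation(true)
            .build());
    }
}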
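resources:
  # Mount the Kubernetes auth method; the config resource below attaches to its path.
  kubernetes:
    type: vault:AuthBackend
    properties:
      type: kubernetes
  # Tell Vault how to reach the Kubernetes API server and how to validate service account JWTs.
  example:
    type: vault:kubernetes:AuthBackendConfig
    properties:
      backend: ${kubernetes.path}
      # https, so the CA certificate below is used by the TLS client and the
      # reviewer token (sent as a bearer token) is not transmitted in cleartext.
      kubernetesHost: https://example.com:443
      kubernetesCaCert: |-
        -----BEGIN CERTIFICATE-----
        example
        -----END CERTIFICATE-----
      # Sample value only. This is a bearer credential for the TokenReview API;
      # supply it from secret stack configuration rather than a literal in source.
      tokenReviewerJwt: ZXhhbXBsZQo=
      issuer: api
      # While this is true the issuer above is not checked against the JWT's iss claim.
      disableIssValidation: 'true'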

Import

The Kubernetes auth backend config can be imported using its path, e.g.

$ pulumi import vault:kubernetes/authBackendConfig:AuthBackendConfig config auth/kubernetes/config

Constructors

constructor(backend: Output<String>? = null, disableIssValidation: Output<Boolean>? = null, disableLocalCaJwt: Output<Boolean>? = null, issuer: Output<String>? = null, kubernetesCaCert: Output<String>? = null, kubernetesHost: Output<String>? = null, namespace: Output<String>? = null, pemKeys: Output<List<String>>? = null, tokenReviewerJwt: Output<String>? = null, useAnnotationsAsAliasMetadata: Output<Boolean>? = null)

Properties

val backend: Output<String>? = null

Unique name of the kubernetes backend to configure.

val disableIssValidation: Output<Boolean>? = null

Disable JWT issuer validation, so that the `iss` claim of a presented JWT is not checked. While this is set to true, the value of `issuer` is not enforced. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+

val disableLocalCaJwt: Output<Boolean>? = null

Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+

val issuer: Output<String>? = null

JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.

val kubernetesCaCert: Output<String>? = null

PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.

val kubernetesHost: Output<String>? = null

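Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. When a URL is given, use the `https://` scheme: `kubernetesCaCert` is only meaningful for a TLS connection, and the reviewer token is sent to this host as a bearer token.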

val namespace: Output<String>? = null

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

val pemKeys: Output<List<String>>? = null

List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

val tokenReviewerJwt: Output<String>? = null

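A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set, the JWT used for login will be used to access the API. This value is a credential; supply it from secret configuration rather than as a literal in program source.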


val useAnnotationsAsAliasMetadata: Output<Boolean>? = null

Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+

Functions

open override fun toJava(): AuthBackendConfigArgs