@@ -168,59 +168,154 @@ spec:
168168 managing the lifecyle of the encryption keys outside of the control plane.
169169 This allows integration with an external provider to manage the data encryption keys securely.
170170 properties :
171- aws :
171+ type :
172+ description : |-
173+ type defines the kind of platform for the KMS provider.
174+ Valid values are:
175+ - "Vault": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled)
176+ enum :
177+ - Vault
178+ type : string
179+ vault :
172180 description : |-
173- aws defines the key config for using an AWS KMS instance
174- for the encryption. The AWS KMS instance is managed
175- by the user outside the purview of the control plane.
181+ vault defines the key config for using a HashiCorp Vault KMS instance
182+ for encryption. The Vault KMS instance is managed by the user outside
183+ the purview of the control plane.
184+ This field must be set when type is Vault, and must be unset otherwise.
176185 properties :
177- keyARN :
186+ approleSecretRef :
187+ description : |-
188+ approleSecretRef references a secret in the openshift-config namespace containing
189+ the AppRole credentials used to authenticate with Vault.
190+ The secret must contain the following keys:
191+ - "roleID": The AppRole Role ID
192+ - "secretID": The AppRole Secret ID
193+
194+ The namespace for the secret referenced by approleSecretRef is openshift-config.
195+ properties :
196+ name :
197+ description : name is the metadata.name of the referenced
198+ secret
199+ type : string
200+ required :
201+ - name
202+ type : object
203+ tlsCA :
178204 description : |-
179- keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
180- The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
181- - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
182- - `<account_id>` is a 12-digit numeric identifier for the AWS account.
183- - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
184- maxLength : 128
205+ tlsCA is a reference to a ConfigMap in the openshift-config namespace containing
206+ the CA certificate bundle used to verify the TLS connection to the Vault server.
207+ The ConfigMap must contain the CA bundle in the key "ca-bundle.crt".
208+ When this field is not set, the system's trusted CA certificates are used.
209+
210+ The namespace for the ConfigMap referenced by tlsCA is openshift-config.
211+
212+ Example ConfigMap:
213+ apiVersion: v1
214+ kind: ConfigMap
215+ metadata:
216+ name: vault-ca-bundle
217+ namespace: openshift-config
218+ data:
219+ ca-bundle.crt: |
220+ -----BEGIN CERTIFICATE-----
221+ ...
222+ -----END CERTIFICATE-----
223+ properties :
224+ name :
225+ description : name is the metadata.name of the referenced
226+ config map
227+ type : string
228+ required :
229+ - name
230+ type : object
231+ tlsServerName :
232+ description : |-
233+ tlsServerName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS.
234+ This is useful when the Vault server's hostname doesn't match its TLS certificate.
235+ When this field is not set, no SNI value is sent during the TLS connection.
236+ maxLength : 253
185237 minLength : 1
186238 type : string
187- x-kubernetes-validations :
188- - message : keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`.
189- The account ID must be a 12 digit number and the region
190- and key ID should consist only of lowercase hexadecimal
191- characters and hyphens (-).
192- rule : self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
193- region :
239+ tlsVerify :
240+ default : Verify
241+ description : |-
242+ tlsVerify controls whether the KMS plugin verifies the Vault server's TLS certificate.
243+ Valid values are:
244+ - "Verify": (default) TLS certificate verification is enabled. This is the secure option and should be used in production.
245+ - "SkipVerify": TLS certificate verification is skipped. This option is insecure and should only be used in development or testing environments.
246+ When this field is not set, it defaults to "Verify".
247+ enum :
248+ - Verify
249+ - SkipVerify
250+ type : string
251+ transitKey :
252+ description : |-
253+ transitKey specifies the name of the encryption key in Vault's Transit engine.
254+ This key is used to encrypt and decrypt data.
255+ The value must be between 1 and 128 characters.
256+ type : string
257+ transitMount :
258+ default : transit
194259 description : |-
195- region specifies the AWS region where the KMS instance exists, and follows the format
196- `<region-prefix>-<region-name>-<number>`, e.g.: `us-east-1`.
197- Only lowercase letters and hyphens followed by numbers are allowed.
198- maxLength : 64
260+ transitMount specifies the mount path of the Vault Transit engine.
261+ The value can be between 1 and 128 characters.
262+ When this field is not set, it defaults to "transit".
263+ type : string
264+ vaultAddress :
265+ description : |-
266+ vaultAddress specifies the address of the HashiCorp Vault instance.
267+ The value must be a valid URL with scheme (http:// or https://) and can be up to 512 characters.
268+ Example: https://vault.example.com:8200
269+ maxLength : 512
199270 minLength : 1
200271 type : string
201272 x-kubernetes-validations :
202- - message : region must be a valid AWS region, consisting
203- of lowercase characters, digits and hyphens (-) only.
204- rule : self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')
273+ - message : vaultAddress must be a valid URL starting with
274+ ' http://' or 'https://' (e.g., 'https://vault.example.com:8200').
275+ rule : self.matches(r'^https?://')
276+ vaultKMSPluginImage :
277+ description : |-
278+ vaultKMSPluginImage specifies the container image for the HashiCorp Vault KMS plugin.
279+ The image must be specified using a digest reference (not a tag).
280+
281+ Consult the OpenShift documentation for compatible plugin versions with your cluster version,
282+ then obtain the image digest for that version from HashiCorp's container registry.
283+
284+ For disconnected environments, mirror the plugin image to an accessible registry and
285+ reference the mirrored location with its digest.
286+
287+ The minimum length is 75 characters (e.g., "r/i@sha256:" + 64 hex characters).
288+ The maximum length is 512 characters to accommodate long registry names and repository paths.
289+ maxLength : 512
290+ minLength : 75
291+ type : string
292+ x-kubernetes-validations :
293+ - message : vaultKMSPluginImage must be a valid image reference
294+ with a SHA256 digest (e.g., 'registry.example.com/vault-plugin@sha256:0123...abcd').
295+ Use '@sha256:<64-character-hex-digest>' instead of
296+ image tags like ':latest' or ':v1.0.0'.
297+ rule : self.matches(r'^([a-zA-Z0-9.-]+)(:[0-9]+)?/[a-zA-Z0-9./-]+@sha256:[a-f0-9]{64}$')
298+ vaultNamespace :
299+ description : |-
300+ vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted.
301+ This is only applicable for Vault Enterprise installations.
302+ The value can be between 1 and 256 characters.
303+ When this field is not set, no namespace is used.
304+ type : string
205305 required :
206- - keyARN
207- - region
306+ - approleSecretRef
307+ - transitKey
308+ - vaultAddress
309+ - vaultKMSPluginImage
208310 type : object
209- type :
210- description : |-
211- type defines the kind of platform for the KMS provider.
212- Available provider types are AWS only.
213- enum :
214- - AWS
215- type : string
216311 required :
217312 - type
218313 type : object
219314 x-kubernetes-validations :
220- - message : aws config is required when kms provider type is AWS,
221- and forbidden otherwise
222- rule : ' has(self.type) && self.type == '' AWS '' ? has(self.aws )
223- : !has(self.aws )'
315+ - message : vault config is required when kms provider type is
316+ Vault, and forbidden otherwise
317+ rule : ' has(self.type) && self.type == '' Vault '' ? ( has(self.vault )
318+ && self.vault.vaultAddress != "") : !has(self.vault )'
224319 type :
225320 description : |-
226321 type defines what encryption type should be used to encrypt resources at the datastore layer.
@@ -245,8 +340,8 @@ spec:
245340 type : string
246341 type : object
247342 x-kubernetes-validations :
248- - message : kms config is required when encryption type is KMS, and
249- forbidden otherwise
343+ - message : kms config is required when encryption type is KMS and
344+ KMSEncryption feature gate is enabled, and forbidden otherwise
250345 rule : ' has(self.type) && self.type == '' KMS'' ? has(self.kms) :
251346 !has(self.kms)'
252347 servingCerts :
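Review bot: The updated message now says kms config is required "when encryption type is KMS and KMSEncryption feature gate is enabled", but the rule on the following lines is unchanged and only evaluates `has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms)`; it does not (and cannot) inspect the feature gate. If gating of the `kms` field happens elsewhere, the message should describe only the condition this rule checks, otherwise a user will read a validation failure as a feature-gate problem when the rule fired purely on type/kms presence. Either revert the message wording or document in the description where the feature-gate check actually lives.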