kubernetes¶

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

class pulumi_vault.kubernetes.AuthBackendConfig(resource_name, opts=None, backend=None, issuer=None, kubernetes_ca_cert=None, kubernetes_host=None, pem_keys=None, token_reviewer_jwt=None, __props__=None, __name__=None, __opts__=None)¶

Manages an Kubernetes auth backend config in a Vault server. See the Vault documentation for more information.

import pulumi
import pulumi_vault as vault

kubernetes = vault.AuthBackend("kubernetes", type="kubernetes")
example = vault.kubernetes.AuthBackendConfig("example",
    backend=kubernetes.path,
    issuer="api",
    kubernetes_ca_cert="""-----BEGIN CERTIFICATE-----
example
-----END CERTIFICATE-----
""",
    kubernetes_host="http://example.com:443",
    token_reviewer_jwt="ZXhhbXBsZQo=")

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
backend (pulumi.Input[str]) – Unique name of the kubernetes backend to configure.
issuer (pulumi.Input[str]) – Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
kubernetes_ca_cert (pulumi.Input[str]) – PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
kubernetes_host (pulumi.Input[str]) – Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
pem_keys (pulumi.Input[list]) – List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
token_reviewer_jwt (pulumi.Input[str]) – A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.

backend: pulumi.Output[str] = None¶: Unique name of the kubernetes backend to configure.

issuer: pulumi.Output[str] = None¶: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.

kubernetes_ca_cert: pulumi.Output[str] = None¶: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.

kubernetes_host: pulumi.Output[str] = None¶: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.

pem_keys: pulumi.Output[list] = None¶: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

token_reviewer_jwt: pulumi.Output[str] = None¶: A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.

static get(resource_name, id, opts=None, backend=None, issuer=None, kubernetes_ca_cert=None, kubernetes_host=None, pem_keys=None, token_reviewer_jwt=None)¶

Get an existing AuthBackendConfig resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
backend (pulumi.Input[str]) – Unique name of the kubernetes backend to configure.
issuer (pulumi.Input[str]) – Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
kubernetes_ca_cert (pulumi.Input[str]) – PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
kubernetes_host (pulumi.Input[str]) – Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
pem_keys (pulumi.Input[list]) – List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
token_reviewer_jwt (pulumi.Input[str]) – A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_vault.kubernetes.AuthBackendRole(resource_name, opts=None, audience=None, backend=None, bound_cidrs=None, bound_service_account_names=None, bound_service_account_namespaces=None, max_ttl=None, num_uses=None, period=None, policies=None, role_name=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, ttl=None, __props__=None, __name__=None, __opts__=None)¶

Manages an Kubernetes auth backend role in a Vault server. See the Vault documentation for more information.

import pulumi
import pulumi_vault as vault

kubernetes = vault.AuthBackend("kubernetes", type="kubernetes")
example = vault.kubernetes.AuthBackendRole("example",
    backend=kubernetes.path,
    role_name="example-role",
    bound_service_account_names=["example"],
    bound_service_account_namespaces=["example"],
    token_ttl=3600,
    token_policies=[
        "default",
        "dev",
        "prod",
    ],
    audience="vault")

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
audience (pulumi.Input[str]) – Audience claim to verify in the JWT.
backend (pulumi.Input[str]) – Unique name of the kubernetes backend to configure.
bound_cidrs (pulumi.Input[list]) – If set, a list of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.
bound_service_account_names (pulumi.Input[list]) – List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be “*”.
bound_service_account_namespaces (pulumi.Input[list]) – List of namespaces allowed to access this role. If set to `[“”]``all namespaces are allowed, both this and bound_service_account_names can not be set to “”.
max_ttl (pulumi.Input[float]) – The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.
num_uses (pulumi.Input[float]) – If set, puts a use-count limitation on the issued token.
period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
policies (pulumi.Input[list]) – An array of strings specifying the policies to be set on tokens issued using this role.
role_name (pulumi.Input[str]) – Name of the role.
token_bound_cidrs (pulumi.Input[list]) – List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
token_explicit_max_ttl (pulumi.Input[float]) – If set, will encode an [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) onto the token in number of seconds. This is a hard cap even if``token_ttlandtoken_max_ttl``would otherwise allow a renewal.
token_max_ttl (pulumi.Input[float]) – The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
token_no_default_policy (pulumi.Input[bool]) – If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
token_num_uses (pulumi.Input[float]) – The [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), if any, in number of seconds to set on the token.
token_period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
token_policies (pulumi.Input[list]) – List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
token_ttl (pulumi.Input[float]) – The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
token_type (pulumi.Input[str]) – The type of token that should be generated. Can be``service,batch, ordefaultto use the mount's tuned default (which unless changed will beservicetokens). For token store roles, there are two additional possibilities:default-serviceanddefault-batch` which specify the type to return unless the client requests a different type at generation time.
ttl (pulumi.Input[float]) – The TTL period of tokens issued using this role, provided as a number of seconds.

audience: pulumi.Output[str] = None¶: Audience claim to verify in the JWT.

backend: pulumi.Output[str] = None¶: Unique name of the kubernetes backend to configure.

bound_cidrs: pulumi.Output[list] = None¶: If set, a list of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.

bound_service_account_names: pulumi.Output[list] = None¶: List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be “*”.

bound_service_account_namespaces: pulumi.Output[list] = None¶: List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to “*”.

max_ttl: pulumi.Output[float] = None¶: The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

num_uses: pulumi.Output[float] = None¶: If set, puts a use-count limitation on the issued token.

period: pulumi.Output[float] = None¶: If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

policies: pulumi.Output[list] = None¶: An array of strings specifying the policies to be set on tokens issued using this role.

role_name: pulumi.Output[str] = None¶: Name of the role.

token_bound_cidrs: pulumi.Output[list] = None¶: List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

token_explicit_max_ttl: pulumi.Output[float] = None¶: If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

token_max_ttl: pulumi.Output[float] = None¶: The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_no_default_policy: pulumi.Output[bool] = None¶: If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

token_num_uses: pulumi.Output[float] = None¶: The period, if any, in number of seconds to set on the token.

token_period: pulumi.Output[float] = None¶: If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

token_policies: pulumi.Output[list] = None¶: List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

token_ttl: pulumi.Output[float] = None¶: The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_type: pulumi.Output[str] = None¶: The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

ttl: pulumi.Output[float] = None¶: The TTL period of tokens issued using this role, provided as a number of seconds.

static get(resource_name, id, opts=None, audience=None, backend=None, bound_cidrs=None, bound_service_account_names=None, bound_service_account_namespaces=None, max_ttl=None, num_uses=None, period=None, policies=None, role_name=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, ttl=None)¶

Get an existing AuthBackendRole resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
audience (pulumi.Input[str]) – Audience claim to verify in the JWT.
backend (pulumi.Input[str]) – Unique name of the kubernetes backend to configure.
bound_cidrs (pulumi.Input[list]) – If set, a list of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.
bound_service_account_names (pulumi.Input[list]) – List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be “*”.
bound_service_account_namespaces (pulumi.Input[list]) – List of namespaces allowed to access this role. If set to `[“”]``all namespaces are allowed, both this and bound_service_account_names can not be set to “”.
max_ttl (pulumi.Input[float]) – The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.
num_uses (pulumi.Input[float]) – If set, puts a use-count limitation on the issued token.
period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
policies (pulumi.Input[list]) – An array of strings specifying the policies to be set on tokens issued using this role.
role_name (pulumi.Input[str]) – Name of the role.
token_bound_cidrs (pulumi.Input[list]) – List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
token_explicit_max_ttl (pulumi.Input[float]) – If set, will encode an [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) onto the token in number of seconds. This is a hard cap even if``token_ttlandtoken_max_ttl``would otherwise allow a renewal.
token_max_ttl (pulumi.Input[float]) – The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
token_no_default_policy (pulumi.Input[bool]) – If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
token_num_uses (pulumi.Input[float]) – The [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), if any, in number of seconds to set on the token.
token_period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
token_policies (pulumi.Input[list]) – List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
token_ttl (pulumi.Input[float]) – The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
token_type (pulumi.Input[str]) – The type of token that should be generated. Can be``service,batch, ordefaultto use the mount's tuned default (which unless changed will beservicetokens). For token store roles, there are two additional possibilities:default-serviceanddefault-batch` which specify the type to return unless the client requests a different type at generation time.
ttl (pulumi.Input[float]) – The TTL period of tokens issued using this role, provided as a number of seconds.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_vault.kubernetes.AwaitableGetAuthBackendConfigResult(backend=None, id=None, issuer=None, kubernetes_ca_cert=None, kubernetes_host=None, pem_keys=None)¶

class pulumi_vault.kubernetes.AwaitableGetAuthBackendRoleResult(audience=None, backend=None, bound_cidrs=None, bound_service_account_names=None, bound_service_account_namespaces=None, id=None, max_ttl=None, num_uses=None, period=None, policies=None, role_name=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, ttl=None)¶

class pulumi_vault.kubernetes.GetAuthBackendConfigResult(backend=None, id=None, issuer=None, kubernetes_ca_cert=None, kubernetes_host=None, pem_keys=None)¶

A collection of values returned by getAuthBackendConfig.

id = None¶: The provider-assigned unique ID for this managed resource.

issuer = None¶: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.

kubernetes_ca_cert = None¶: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.

kubernetes_host = None¶: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.

pem_keys = None¶: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

class pulumi_vault.kubernetes.GetAuthBackendRoleResult(audience=None, backend=None, bound_cidrs=None, bound_service_account_names=None, bound_service_account_namespaces=None, id=None, max_ttl=None, num_uses=None, period=None, policies=None, role_name=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, ttl=None)¶

A collection of values returned by getAuthBackendRole.

audience = None¶: (Optional) Audience claim to verify in the JWT.

bound_service_account_names = None¶: List of service account names able to access this role. If set to “” all names are allowed, both this and bound_service_account_namespaces can not be “”.

bound_service_account_namespaces = None¶: List of namespaces allowed to access this role. If set to “” all namespaces are allowed, both this and bound_service_account_names can not be set to “”.

id = None¶: The provider-assigned unique ID for this managed resource.

token_bound_cidrs = None¶: List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

token_explicit_max_ttl = None¶: If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

token_max_ttl = None¶: The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_no_default_policy = None¶: If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

token_num_uses = None¶: The period, if any, in number of seconds to set on the token.

token_period = None¶: (Optional) If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

token_policies = None¶: List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

token_ttl = None¶: The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_type = None¶: The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

pulumi_vault.kubernetes.get_auth_backend_config(backend=None, issuer=None, kubernetes_ca_cert=None, kubernetes_host=None, pem_keys=None, opts=None)¶

Reads the Role of an Kubernetes from a Vault server. See the Vault documentation for more information.

Parameters

backend (str) – The unique name for the Kubernetes backend the config to retrieve Role attributes for resides in. Defaults to “kubernetes”.
issuer (str) – Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
kubernetes_ca_cert (str) – PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
kubernetes_host (str) – Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
pem_keys (list) – Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

pulumi_vault.kubernetes.get_auth_backend_role(audience=None, backend=None, bound_cidrs=None, max_ttl=None, num_uses=None, period=None, policies=None, role_name=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, ttl=None, opts=None)¶

Reads the Role of an Kubernetes from a Vault server. See the Vault documentation for more information.

import pulumi
import pulumi_vault as vault

role = vault.kubernetes.get_auth_backend_role(backend="my-kubernetes-backend",
    role_name="my-role")
pulumi.export("policies", role.policies)

Parameters

audience (str) – (Optional) Audience claim to verify in the JWT.
backend (str) – The unique name for the Kubernetes backend the role to retrieve Role attributes for resides in. Defaults to “kubernetes”.
role_name (str) – The name of the role to retrieve the Role attributes for.
token_bound_cidrs (list) – List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
token_explicit_max_ttl (float) –
If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
token_max_ttl (float) – The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
token_no_default_policy (bool) – If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
token_num_uses (float) –
The period, if any, in number of seconds to set on the token.
token_period (float) – (Optional) If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
token_policies (list) – List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
token_ttl (float) – The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
token_type (str) – The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud

kubernetes¶

On This Page