# keymanagement.oracle.com/v1beta1

APIVersion: `keymanagement.oracle.com/v1beta1`

This content is generated from the checked-in CRD schemas in `config/crd/bases/`. If a description is missing or incorrect, fix the source comments or generator inputs and rerun `make generate manifests`; do not hand-edit `config/crd/bases/*.yaml`.
## Packages

No customer-visible package currently exposes `keymanagement.oracle.com/v1beta1`.

## Resources

| Kind | Scope | Sample | Packages |
|---|---|---|---|
| EkmsPrivateEndpoint | Namespaced | `config/samples/keymanagement_v1beta1_ekmsprivateendpoint.yaml` | - |
| Vault | Namespaced | `config/samples/keymanagement_v1beta1_vault.yaml` | - |
## EkmsPrivateEndpoint

EkmsPrivateEndpoint is the Schema for the ekmsprivateendpoints API.

- Plural: `ekmsprivateendpoints`
- Scope: Namespaced
- APIVersion: `keymanagement.oracle.com/v1beta1`
- Sample: `config/samples/keymanagement_v1beta1_ekmsprivateendpoint.yaml`
- Packages: Not currently exposed by a customer-visible package.
### Spec

EkmsPrivateEndpointSpec defines the desired state of EkmsPrivateEndpoint.

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| caBundle | CA bundle, in PEM format, used to validate the TLS certificate of the external key manager system. | string | Yes | - | - |
| compartmentId | Compartment identifier. | string | Yes | - | - |
| definedTags | Usage of predefined tag keys. These predefined keys are scoped to namespaces. Example: `{"foo-namespace": {"bar-key": "value"}}` | map[string, map[string, string]] | No | - | - |
| displayName | Display name of the EKMS private endpoint resource being created. | string | Yes | - | - |
| externalKeyManagerIp | External private IP to connect to from this EKMS private endpoint. | string | Yes | - | - |
| freeformTags | Simple key-value pair that is applied without any predefined name, type, or scope. Exists for cross-compatibility only. Example: `{"bar-key": "value"}` | map[string, string] | No | - | - |
| port | The port of the external key manager system. | integer | No | - | - |
| subnetId | The OCID of the subnet in which the EKMS private endpoint is to be created. | string | Yes | - | - |
### Status

EkmsPrivateEndpointStatus defines the observed state of EkmsPrivateEndpoint.

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| caBundle | CA bundle, in PEM format, used to validate the TLS certificate of the external key manager system. | string | No | - | - |
| compartmentId | Compartment identifier. | string | No | - | - |
| definedTags | Usage of predefined tag keys. These predefined keys are scoped to namespaces. Example: `{"foo-namespace": {"bar-key": "value"}}` | map[string, map[string, string]] | No | - | - |
| displayName | EKMS private endpoint display name. | string | No | - | - |
| externalKeyManagerIp | Private IP of the external key manager system to connect to from the EKMS private endpoint. | string | No | - | - |
| freeformTags | Simple key-value pair that is applied without any predefined name, type, or scope. Exists for cross-compatibility only. Example: `{"bar-key": "value"}` | map[string, string] | No | - | - |
| id | Unique identifier that is immutable. | string | No | - | - |
| lifecycleDetails | A message describing the current state in more detail. For example, it can be used to provide actionable information for a resource in the 'Failed' state. | string | No | - | - |
| lifecycleState | The current state of the EKMS private endpoint resource. | string | No | - | - |
| port | The port of the external key manager system. | integer | No | - | - |
| privateEndpointIp | The IP address in the customer's VCN for the EKMS private endpoint. This is taken from the subnet. | string | No | - | - |
| status | - | object | Yes | - | - |
| subnetId | Subnet identifier. | string | No | - | - |
| timeCreated | The time the EKMS private endpoint was created. An RFC 3339 (https://tools.ietf.org/html/rfc3339) formatted datetime string. | string | No | - | - |
| timeUpdated | The time the EKMS private endpoint was updated. An RFC 3339 (https://tools.ietf.org/html/rfc3339) formatted datetime string. | string | No | - | - |
#### Status.status
| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| async | Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first. | object | No | - | - |
| conditions | - | list[object] | No | - | - |
| createdAt | - | string (date-time) | No | - | - |
| deletedAt | - | string (date-time) | No | - | - |
| message | - | string | No | - | - |
| ocid | - | string | No | - | - |
| opcRequestId | OpcRequestID is the latest non-empty OCI request ID from a mutating OCI response or surfaced OCI service error that materially contributed to the current shared status projection. Headerless follow-up observations keep the last non-empty value intact. | string | No | - | - |
| reason | - | string | No | - | - |
| requestedAt | - | string (date-time) | No | - | - |
| updatedAt | - | string (date-time) | No | - | - |
#### Status.status.async
Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first.

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| current | - | object | No | - | - |
#### Status.status.async.current
| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| message | - | string | No | - | - |
| normalizedClass | - | string | Yes | - | attention, canceled, failed, pending, succeeded, unknown |
| percentComplete | - | number | No | - | - |
| phase | - | string | Yes | - | create, delete, update |
| rawOperationType | - | string | No | - | - |
| rawStatus | - | string | No | - | - |
| source | - | string | Yes | - | lifecycle, none, workrequest |
| updatedAt | - | string (date-time) | Yes | - | - |
| workRequestId | - | string | No | - | - |
#### Status.status.conditions[]
| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| lastTransitionTime | - | string (date-time) | No | - | - |
| message | - | string | No | - | - |
| reason | - | string | No | - | - |
| status | - | string | Yes | - | - |
| type | - | string | Yes | - | - |
## Vault

Manage OCI Vault resources and their scheduled deletion lifecycle.

- Plural: `vaults`
- Scope: Namespaced
- APIVersion: `keymanagement.oracle.com/v1beta1`
- Sample: `config/samples/keymanagement_v1beta1_vault.yaml`
- Packages: Not currently exposed by a customer-visible package.
### Spec

VaultSpec defines the desired state of Vault.

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| compartmentId | The OCID of the compartment where you want to create this vault. | string | Yes | - | - |
| definedTags | Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: `{"Operations": {"CostCenter": "42"}}` | map[string, map[string, string]] | No | - | - |
| deletionScheduleDays | The number of days to retain the Vault after OCI deletion has been scheduled. Set a value from 7 to 30 to control the retention window used when Vault deletion is scheduled. | integer (int32) | No | - | - |
| displayName | A user-friendly name for the vault. It does not have to be unique, and it is changeable. Avoid entering confidential information. | string | Yes | - | - |
| externalKeyManagerMetadata | VaultExternalKeyManagerMetadata defines nested fields for Vault.ExternalKeyManagerMetadata. | object | No | - | - |
| freeformTags | Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: `{"Department": "Finance"}` | map[string, string] | No | - | - |
| vaultType | The type of vault to create. Each type of vault stores the key with different degrees of isolation and has different options and pricing. | string | Yes | - | - |
#### Spec.externalKeyManagerMetadata

VaultExternalKeyManagerMetadata defines nested fields for Vault.ExternalKeyManagerMetadata.

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| externalVaultEndpointUrl | URI of the vault on the external key manager. | string | Yes | - | - |
| oauthMetadata | VaultExternalKeyManagerMetadataOauthMetadata defines nested fields for Vault.ExternalKeyManagerMetadata.OauthMetadata. | object | Yes | - | - |
| privateEndpointId | OCID of the private endpoint created by the customer. | string | Yes | - | - |
#### Spec.externalKeyManagerMetadata.oauthMetadata

VaultExternalKeyManagerMetadataOauthMetadata defines nested fields for Vault.ExternalKeyManagerMetadata.OauthMetadata.

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| clientAppId | ID of the client app created in the IDP. | string | Yes | - | - |
| clientAppSecret | Secret of the client app created in the IDP. | string | Yes | - | - |
| idcsAccountNameUrl | Base URL of the IDCS account where the confidential client app is created. | string | Yes | - | - |
### Status

VaultStatus defines the observed state of Vault.

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| compartmentId | The OCID of the compartment that contains this vault. | string | No | - | - |
| cryptoEndpoint | The service endpoint to perform cryptographic operations against. Cryptographic operations include Encrypt (https://docs.oracle.com/iaas/api/#/en/key/latest/EncryptedData/Encrypt), Decrypt (https://docs.oracle.com/iaas/api/#/en/key/latest/DecryptedData/Decrypt), and GenerateDataEncryptionKey (https://docs.oracle.com/iaas/api/#/en/key/latest/GeneratedKey/GenerateDataEncryptionKey) operations. | string | No | - | - |
| definedTags | Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: `{"Operations": {"CostCenter": "42"}}` | map[string, map[string, string]] | No | - | - |
| displayName | A user-friendly name for the vault. It does not have to be unique, and it is changeable. Avoid entering confidential information. | string | No | - | - |
| externalKeyManagerMetadataSummary | VaultExternalKeyManagerMetadataSummary defines nested fields for Vault.ExternalKeyManagerMetadataSummary. | object | No | - | - |
| freeformTags | Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: `{"Department": "Finance"}` | map[string, string] | No | - | - |
| id | The OCID of the vault. | string | No | - | - |
| isPrimary | A Boolean value that indicates whether the Vault is the primary Vault or a replica Vault. | boolean | No | - | - |
| isVaultReplicable | A Boolean value that indicates whether the Vault has cross-region replication capability. Always true for Virtual Private Vaults. | boolean | No | - | - |
| lifecycleState | The vault's current lifecycle state. Example: `DELETED` | string | No | - | - |
| managementEndpoint | The service endpoint to perform management operations against. Management operations include "Create," "Update," "List," "Get," and "Delete" operations. | string | No | - | - |
| replicaDetails | VaultReplicaDetails defines nested fields for Vault.ReplicaDetails. | object | No | - | - |
| requestedDeletionScheduleDays | The retention period in days last applied when Vault deletion was scheduled. | integer (int32) | No | - | - |
| restoredFromVaultId | The OCID of the vault from which this vault was restored, if it was restored from a backup file. If you restore a vault to the same region, the vault retains the same OCID that it had when you backed up the vault. | string | No | - | - |
| status | - | object | Yes | - | - |
| timeCreated | The date and time this vault was created, expressed in RFC 3339 (https://tools.ietf.org/html/rfc3339) timestamp format. Example: `2018-04-03T21:10:29.600Z` | string | No | - | - |
| timeOfDeletion | An optional property to indicate when to delete the vault, expressed in RFC 3339 (https://tools.ietf.org/html/rfc3339) timestamp format. Example: `2018-04-03T21:10:29.600Z` | string | No | - | - |
| vaultType | The type of vault. Each type of vault stores the key with different degrees of isolation and has different options and pricing. | string | No | - | - |
| wrappingkeyId | The OCID of the vault's wrapping key. | string | No | - | - |
#### Status.externalKeyManagerMetadataSummary

VaultExternalKeyManagerMetadataSummary defines nested fields for Vault.ExternalKeyManagerMetadataSummary.

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| externalVaultEndpointUrl | URL of the vault on the external key manager. | string | No | - | - |
| oauthMetadataSummary | VaultExternalKeyManagerMetadataSummaryOauthMetadataSummary defines nested fields for Vault.ExternalKeyManagerMetadataSummary.OauthMetadataSummary. | object | No | - | - |
| privateEndpointId | OCID of the private endpoint. | string | No | - | - |
| vendor | Vendor of the external key manager. | string | No | - | - |
#### Status.externalKeyManagerMetadataSummary.oauthMetadataSummary

VaultExternalKeyManagerMetadataSummaryOauthMetadataSummary defines nested fields for Vault.ExternalKeyManagerMetadataSummary.OauthMetadataSummary.

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| clientAppId | ID of the client app created in the IDP. | string | No | - | - |
| idcsAccountNameUrl | Base URL of the IDCS account where the confidential client app is created. | string | No | - | - |
#### Status.replicaDetails

VaultReplicaDetails defines nested fields for Vault.ReplicaDetails.

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| replicationId | ReplicationId associated with a vault operation. | string | No | - | - |
#### Status.status

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| async | Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first. | object | No | - | - |
| conditions | - | list[object] | No | - | - |
| createdAt | - | string (date-time) | No | - | - |
| deletedAt | - | string (date-time) | No | - | - |
| message | - | string | No | - | - |
| ocid | - | string | No | - | - |
| opcRequestId | OpcRequestID is the latest non-empty OCI request ID from a mutating OCI response or surfaced OCI service error that materially contributed to the current shared status projection. Headerless follow-up observations keep the last non-empty value intact. | string | No | - | - |
| reason | - | string | No | - | - |
| requestedAt | - | string (date-time) | No | - | - |
| updatedAt | - | string (date-time) | No | - | - |
#### Status.status.async

Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first.

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| current | - | object | No | - | - |
#### Status.status.async.current

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| message | - | string | No | - | - |
| normalizedClass | - | string | Yes | - | attention, canceled, failed, pending, succeeded, unknown |
| percentComplete | - | number | No | - | - |
| phase | - | string | Yes | - | create, delete, update |
| rawOperationType | - | string | No | - | - |
| rawStatus | - | string | No | - | - |
| source | - | string | Yes | - | lifecycle, none, workrequest |
| updatedAt | - | string (date-time) | Yes | - | - |
| workRequestId | - | string | No | - | - |
#### Status.status.conditions[]

| Field | Description | Type | Required | Default | Enum |
|---|---|---|---|---|---|
| lastTransitionTime | - | string (date-time) | No | - | - |
| message | - | string | No | - | - |
| reason | - | string | No | - | - |
| status | - | string | Yes | - | - |
| type | - | string | Yes | - | - |