Manifests¶
At the heart of Vault Autopilot is the manifest file, a declarative configuration file that defines the desired state of your Vault infrastructure. Manifests provide a clear and concise way to specify the resources you want to create, update, or delete in Vault, including secrets, policies, and secrets engines. By using manifests, you can version control your Vault configuration, track changes, and collaborate with team members. Vault Autopilot then uses these manifests to automatically apply the required changes to your Vault infrastructure, ensuring that your desired state is consistently maintained.
Available resources¶
Vault Autopilot supports a range of resources that can be defined in manifest files, allowing you to manage your Vault infrastructure with ease.
Secrets Engines¶
A Secrets Engine provides declarative updates for Secrets Engine in Vault.
Creating a Secrets Engine¶
kind: SecretsEngine
spec:
path: kv
engine:
type: kv-v2
In this example, we’re defining a Secrets Engine with a path of kv and
specifying the kv-v2 engine type.
Available keys¶
Warning
Currently, only secrets engines of type kv-v2 or pki are supported.
Support for other engine types may be added in future releases.
{
"$defs": {
"KvV2EngineOptions": {
"properties": {
"description": {
"title": "Description",
"type": "string"
},
"config": {
"$ref": "#/$defs/SecretsEngineConfig"
},
"local": {
"title": "Local",
"type": "boolean"
},
"sealWrap": {
"title": "Sealwrap",
"type": "boolean"
},
"externalEntropyAccess": {
"title": "Externalentropyaccess",
"type": "boolean"
},
"type": {
"const": "kv-v2",
"enum": [
"kv-v2"
],
"title": "Type",
"type": "string"
},
"options": {
"$ref": "#/$defs/KvV2Options"
},
"casRequired": {
"title": "Casrequired",
"type": "boolean"
},
"deleteVersionAfter": {
"title": "Deleteversionafter",
"type": "string"
},
"maxVersions": {
"title": "Maxversions",
"type": "integer"
}
},
"required": [
"type"
],
"title": "KvV2EngineOptions",
"type": "object"
},
"KvV2Options": {
"properties": {
"version": {
"title": "Version",
"type": "string"
}
},
"title": "KvV2Options",
"type": "object"
},
"PKIEngineOptions": {
"properties": {
"description": {
"title": "Description",
"type": "string"
},
"config": {
"$ref": "#/$defs/SecretsEngineConfig"
},
"local": {
"title": "Local",
"type": "boolean"
},
"sealWrap": {
"title": "Sealwrap",
"type": "boolean"
},
"externalEntropyAccess": {
"title": "Externalentropyaccess",
"type": "boolean"
},
"type": {
"const": "pki",
"enum": [
"pki"
],
"title": "Type",
"type": "string"
}
},
"required": [
"type"
],
"title": "PKIEngineOptions",
"type": "object"
},
"SecretsEngineConfig": {
"properties": {
"defaultLeaseTtl": {
"title": "Defaultleasettl",
"type": "integer"
},
"maxLeaseTtl": {
"title": "Maxleasettl",
"type": "integer"
},
"auditNonHmacRequestKeys": {
"items": {
"type": "string"
},
"title": "Auditnonhmacrequestkeys",
"type": "array"
},
"auditNonHmacResponseKeys": {
"items": {
"type": "string"
},
"title": "Auditnonhmacresponsekeys",
"type": "array"
},
"listingVisibility": {
"enum": [
"unauth",
"hidden"
],
"title": "Listingvisibility",
"type": "string"
},
"passthroughRequestHeaders": {
"items": {
"type": "string"
},
"title": "Passthroughrequestheaders",
"type": "array"
},
"allowedResponseHeaders": {
"items": {
"type": "string"
},
"title": "Allowedresponseheaders",
"type": "array"
},
"allowedManagedKeys": {
"items": {
"type": "string"
},
"title": "Allowedmanagedkeys",
"type": "array"
},
"pluginVersion": {
"title": "Pluginversion",
"type": "string"
},
"delegatedAuthAccessors": {
"items": {
"type": "string"
},
"title": "Delegatedauthaccessors",
"type": "array"
},
"identityTokenKey": {
"title": "Identitytokenkey",
"type": "string"
},
"forceNoCache": {
"title": "Forcenocache",
"type": "boolean"
}
},
"title": "SecretsEngineConfig",
"type": "object"
},
"Spec": {
"properties": {
"path": {
"title": "Path",
"type": "string"
},
"engine": {
"discriminator": {
"mapping": {
"kv-v2": "#/$defs/KvV2EngineOptions",
"pki": "#/$defs/PKIEngineOptions"
},
"propertyName": "type"
},
"oneOf": [
{
"$ref": "#/$defs/PKIEngineOptions"
},
{
"$ref": "#/$defs/KvV2EngineOptions"
}
],
"title": "Engine"
}
},
"required": [
"path",
"engine"
],
"title": "Spec",
"type": "object"
}
},
"additionalProperties": false,
"properties": {
"kind": {
"const": "SecretsEngine",
"default": "SecretsEngine",
"enum": [
"SecretsEngine"
],
"title": "Kind",
"type": "string"
},
"spec": {
"$ref": "#/$defs/Spec"
}
},
"required": [
"spec"
],
"title": "SecretsEngineApplyDTO",
"type": "object"
}
Issuers¶
An Issuer is responsible for providing declarative updates to the Vault PKI Certificate Authority. Using the vault-autopilot CLI, you can manage both root and intermediate issuers.
By default, any Issuer resource that doesn’t have a
chaining field is treated as a root Issuer. In other words, if you don’t
specify a chaining field, the system assumes you’re creating a root Issuer.
Creating a root Issuer¶
kind: Issuer
spec:
name: root-2024
secretsEngineRef: pki
certificate:
type: internal
commonName: "example.com Root Authority"
ttl: "87600h"
Creating an intermediate Issuer¶
kind: Issuer
spec:
name: intmd-2024
secretsEngineRef: pki_int
certificate:
type: internal
commonName: "example.com Intermediate Authority"
ttl: "43800h"
chaining:
upstreamIssuerRef: "pki/root-2024"
The upstreamIssuerRef field is a reference to the parent Issuer that signed
the current Issuer’s certificate, pointing to the Issuer’s mount point and
name, like pki/root-2024, which says ‘find the Issuer named root-2024
in the pki secrets engine’.
Available keys¶
{
"$defs": {
"Certificate": {
"properties": {
"commonName": {
"title": "Commonname",
"type": "string"
},
"altNames": {
"title": "Altnames",
"type": "string"
},
"ipSans": {
"title": "Ipsans",
"type": "string"
},
"uriSans": {
"title": "Urisans",
"type": "string"
},
"otherSans": {
"title": "Othersans",
"type": "string"
},
"ttl": {
"title": "Ttl",
"type": "string"
},
"maxPathLength": {
"title": "Maxpathlength",
"type": "integer"
},
"excludeCnFromSans": {
"title": "Excludecnfromsans",
"type": "boolean"
},
"permittedDnsDomains": {
"title": "Permitteddnsdomains",
"type": "string"
},
"ou": {
"title": "Ou",
"type": "string"
},
"organization": {
"title": "Organization",
"type": "string"
},
"country": {
"title": "Country",
"type": "string"
},
"locality": {
"title": "Locality",
"type": "string"
},
"province": {
"title": "Province",
"type": "string"
},
"streetAddress": {
"title": "Streetaddress",
"type": "string"
},
"postalCode": {
"title": "Postalcode",
"type": "string"
},
"serialNumber": {
"title": "Serialnumber",
"type": "string"
},
"notBeforeDuration": {
"title": "Notbeforeduration",
"type": "string"
},
"notAfter": {
"title": "Notafter",
"type": "string"
},
"type": {
"enum": [
"internal",
"exported",
"existing",
"kms"
],
"title": "Type",
"type": "string"
},
"keyName": {
"title": "Keyname",
"type": "string"
},
"keyRef": {
"title": "Keyref",
"type": "string"
},
"keyType": {
"enum": [
"rsa",
"ed25519",
"ec"
],
"title": "Keytype",
"type": "string"
},
"keyBits": {
"title": "Keybits",
"type": "integer"
},
"managedKeyName": {
"title": "Managedkeyname",
"type": "string"
},
"managedKeyId": {
"title": "Managedkeyid",
"type": "string"
}
},
"required": [
"commonName",
"type"
],
"title": "Certificate",
"type": "object"
},
"Chaining": {
"properties": {
"upstreamIssuerRef": {
"title": "Upstreamissuerref",
"type": "string"
},
"signatureBits": {
"title": "Signaturebits",
"type": "integer"
},
"skid": {
"title": "Skid",
"type": "string"
},
"usePss": {
"title": "Usepss",
"type": "boolean"
},
"addBasicConstraints": {
"title": "Addbasicconstraints",
"type": "boolean"
}
},
"required": [
"upstreamIssuerRef"
],
"title": "Chaining",
"type": "object"
},
"Options": {
"properties": {
"leafNotAfterBehavior": {
"enum": [
"err",
"truncate",
"permit"
],
"title": "Leafnotafterbehavior",
"type": "string"
},
"manualChain": {
"maxItems": 1,
"minItems": 1,
"prefixItems": [
{
"type": "string"
}
],
"title": "Manualchain",
"type": "array"
},
"usage": {
"title": "Usage",
"type": "string"
},
"revocationSignatureAlgorithm": {
"enum": [
"MD5WithRSA",
"SHA1WithRSA",
"SHA256WithRSA",
"SHA384WithRSA",
"SHA512WithRSA",
"ECDSAWithSHA1",
"ECDSAWithSHA256",
"ECDSAWithSHA384",
"ECDSAWithSHA512",
"SHA256WithRSAPSS",
"SHA384WithRSAPSS",
"SHA512WithRSAPSS",
"PureEd25519"
],
"title": "Revocationsignaturealgorithm",
"type": "string"
},
"issuingCertificates": {
"maxItems": 1,
"minItems": 1,
"prefixItems": [
{
"type": "string"
}
],
"title": "Issuingcertificates",
"type": "array"
},
"crlDistributionPoints": {
"maxItems": 1,
"minItems": 1,
"prefixItems": [
{
"type": "string"
}
],
"title": "Crldistributionpoints",
"type": "array"
},
"ocspServers": {
"maxItems": 1,
"minItems": 1,
"prefixItems": [
{
"type": "string"
}
],
"title": "Ocspservers",
"type": "array"
},
"enableAiaUrlTemplating": {
"title": "Enableaiaurltemplating",
"type": "boolean"
}
},
"title": "Options",
"type": "object"
},
"Spec": {
"properties": {
"name": {
"title": "Name",
"type": "string"
},
"secretsEngineRef": {
"title": "Secretsengineref",
"type": "string"
},
"certificate": {
"$ref": "#/$defs/Certificate"
},
"options": {
"$ref": "#/$defs/Options"
},
"chaining": {
"$ref": "#/$defs/Chaining"
}
},
"required": [
"name",
"secretsEngineRef",
"certificate"
],
"title": "Spec",
"type": "object"
}
},
"additionalProperties": false,
"properties": {
"kind": {
"const": "Issuer",
"default": "Issuer",
"enum": [
"Issuer"
],
"title": "Kind",
"type": "string"
},
"spec": {
"$ref": "#/$defs/Spec"
}
},
"required": [
"spec"
],
"title": "IssuerApplyDTO",
"type": "object"
}
PKI Roles¶
A PKI Role provides declarative updates for PKI roles in Vault.
Creating a PKI Role¶
kind: PKIRole
spec:
name: example
secretsEngineRef: pki
role:
issuerRef: root-2024
allowedDomains: "example.com"
allowSubdomains: true
maxTtl: "720h"
This example creates a PKI Role in Vault with the following configuration:
The role uses the
root-2024issuer reference.Certificates can only be issued for the “example.com” domain, and subdomains are also allowed.
The maximum time to live (TTL) for certificates issued by this role is 30 days (720 hours).
Available keys¶
{
"$defs": {
"PKIRoleFields": {
"properties": {
"issuerRef": {
"title": "Issuerref",
"type": "string"
},
"ttl": {
"title": "Ttl",
"type": "integer"
},
"maxTtl": {
"title": "Maxttl",
"type": "integer"
},
"allowLocalhost": {
"title": "Allowlocalhost",
"type": "boolean"
},
"allowedDomains": {
"items": {
"type": "string"
},
"title": "Alloweddomains",
"type": "array"
},
"allowedDomainsTemplate": {
"title": "Alloweddomainstemplate",
"type": "boolean"
},
"allowBareDomains": {
"title": "Allowbaredomains",
"type": "boolean"
},
"allowSubdomains": {
"title": "Allowsubdomains",
"type": "boolean"
},
"allowGlobDomains": {
"title": "Allowglobdomains",
"type": "boolean"
},
"allowWildcardCertificates": {
"title": "Allowwildcardcertificates",
"type": "boolean"
},
"allowAnyName": {
"title": "Allowanyname",
"type": "boolean"
},
"enforceHostnames": {
"title": "Enforcehostnames",
"type": "boolean"
},
"allowIpSans": {
"title": "Allowipsans",
"type": "boolean"
},
"allowedUriSans": {
"items": {
"type": "string"
},
"title": "Allowedurisans",
"type": "array"
},
"allowedUriSansTemplate": {
"title": "Allowedurisanstemplate",
"type": "boolean"
},
"allowedOtherSans": {
"items": {
"type": "string"
},
"title": "Allowedothersans",
"type": "array"
},
"allowedSerialNumbers": {
"items": {
"type": "string"
},
"title": "Allowedserialnumbers",
"type": "array"
},
"serverFlag": {
"title": "Serverflag",
"type": "boolean"
},
"clientFlag": {
"title": "Clientflag",
"type": "boolean"
},
"codeSigningFlag": {
"title": "Codesigningflag",
"type": "boolean"
},
"emailProtectionFlag": {
"title": "Emailprotectionflag",
"type": "boolean"
},
"keyType": {
"enum": [
"rsa",
"ed25519",
"ec"
],
"title": "Keytype",
"type": "string"
},
"keyBits": {
"title": "Keybits",
"type": "integer"
},
"signatureBits": {
"title": "Signaturebits",
"type": "integer"
},
"usePss": {
"title": "Usepss",
"type": "boolean"
},
"keyUsage": {
"items": {
"enum": [
"DigitalSignature",
"KeyAgreement",
"KeyEncipherment"
],
"type": "string"
},
"title": "Keyusage",
"type": "array",
"uniqueItems": true
},
"extKeyUsage": {
"items": {
"enum": [
"ServerAuth",
"ClientAuth",
"CodeSigning",
"EmailProtection",
"IPSECEndSystem",
"IPSECTunnel",
"IPSECUser",
"TimeStamping",
"OCSPSigning",
"MicrosoftServerGatedCrypto",
"NetscapeServerGatedCrypto",
"MicrosoftCommercialCodeSigning",
"MicrosoftKernelCodeSigning"
],
"type": "string"
},
"title": "Extkeyusage",
"type": "array",
"uniqueItems": true
},
"extKeyUsageOids": {
"items": {
"type": "string"
},
"title": "Extkeyusageoids",
"type": "array"
},
"useCsrCommonName": {
"title": "Usecsrcommonname",
"type": "boolean"
},
"useCsrSans": {
"title": "Usecsrsans",
"type": "boolean"
},
"ou": {
"items": {
"type": "string"
},
"title": "Ou",
"type": "array"
},
"organization": {
"items": {
"type": "string"
},
"title": "Organization",
"type": "array"
},
"country": {
"items": {
"type": "string"
},
"title": "Country",
"type": "array"
},
"locality": {
"items": {
"type": "string"
},
"title": "Locality",
"type": "array"
},
"province": {
"items": {
"type": "string"
},
"title": "Province",
"type": "array"
},
"streetAddress": {
"items": {
"type": "string"
},
"title": "Streetaddress",
"type": "array"
},
"postalCode": {
"items": {
"type": "string"
},
"title": "Postalcode",
"type": "array"
},
"generateLease": {
"title": "Generatelease",
"type": "boolean"
},
"noStore": {
"title": "Nostore",
"type": "boolean"
},
"requireCn": {
"title": "Requirecn",
"type": "boolean"
},
"policyIdentifiers": {
"items": {
"type": "string"
},
"title": "Policyidentifiers",
"type": "array",
"uniqueItems": true
},
"basicConstraintsValidForNonCa": {
"title": "Basicconstraintsvalidfornonca",
"type": "boolean"
},
"notBeforeDuration": {
"title": "Notbeforeduration",
"type": "integer"
},
"notAfter": {
"title": "Notafter",
"type": "string"
},
"cnValidations": {
"items": {
"type": "string"
},
"title": "Cnvalidations",
"type": "array",
"uniqueItems": true
},
"allowedUserIds": {
"items": {
"type": "string"
},
"title": "Alloweduserids",
"type": "array"
},
"allowTokenDisplayname": {
"title": "Allowtokendisplayname",
"type": "boolean"
}
},
"required": [
"issuerRef"
],
"title": "PKIRoleFields",
"type": "object"
},
"Spec": {
"properties": {
"name": {
"title": "Name",
"type": "string"
},
"role": {
"$ref": "#/$defs/PKIRoleFields"
}
},
"required": [
"name",
"role"
],
"title": "Spec",
"type": "object"
}
},
"additionalProperties": false,
"properties": {
"kind": {
"const": "PKIRole",
"default": "PKIRole",
"enum": [
"PKIRole"
],
"title": "Kind",
"type": "string"
},
"spec": {
"$ref": "#/$defs/Spec"
}
},
"required": [
"spec"
],
"title": "PKIRoleApplyDTO",
"type": "object"
}
SSH Keys¶
An SSH Key provides declarative updates for secrets in Vault.
Creating an SSH Key¶
Here’s an example of how to create an SSH Key:
kind: SSHKey
spec:
path: id_rsa
secretsEngineRef: kv
keyOptions:
type: rsa
bits: 4096
privateKey:
secretKey: private_key
publicKey:
secretKey: public_key
version: 1
In this example, we’re creating an SSH Key with the following properties:
The path for the secret (SSH Key) is specified as
id_rsa.The
keyOptionssection defines the type and size of the key, in this case, an RSA key with 4096 bits.The
privateKeyandpublicKeysections specify the secret keys where the private and public keys will be stored, respectively.The version is set to 1, indicating the version of the SSH Key. You can bump this version number when you want to regenerate the SSH key pair, allowing you to easily manage and rotate your SSH keys.
Available keys¶
{
"$defs": {
"ECOptions": {
"properties": {
"type": {
"const": "ec",
"enum": [
"ec"
],
"title": "Type",
"type": "string"
},
"curve": {
"enum": [
"prime192v1",
"prime256v1",
"secp256r1",
"secp384r1",
"secp521r1"
],
"title": "Curve",
"type": "string"
}
},
"required": [
"type",
"curve"
],
"title": "ECOptions",
"type": "object"
},
"ED25519Options": {
"properties": {
"type": {
"const": "ed25519",
"enum": [
"ed25519"
],
"title": "Type",
"type": "string"
}
},
"required": [
"type"
],
"title": "ED25519Options",
"type": "object"
},
"Encoding": {
"enum": [
"PEM",
"DER",
"OpenSSH",
"Raw",
"ANSI X9.62",
"S/MIME"
],
"title": "Encoding",
"type": "string"
},
"PrivateFormat": {
"enum": [
"PKCS8",
"TraditionalOpenSSL",
"Raw",
"OpenSSH",
"PKCS12"
],
"title": "PrivateFormat",
"type": "string"
},
"PrivateKey": {
"properties": {
"secretKey": {
"title": "Secretkey",
"type": "string"
},
"encoding": {
"$ref": "#/$defs/Encoding"
},
"format": {
"$ref": "#/$defs/PrivateFormat"
}
},
"title": "PrivateKey",
"type": "object"
},
"PublicFormat": {
"enum": [
"X.509 subjectPublicKeyInfo with PKCS#1",
"Raw PKCS#1",
"OpenSSH",
"Raw",
"X9.62 Compressed Point",
"X9.62 Uncompressed Point"
],
"title": "PublicFormat",
"type": "string"
},
"PublicKey": {
"properties": {
"secretKey": {
"title": "Secretkey",
"type": "string"
},
"encoding": {
"$ref": "#/$defs/Encoding"
},
"format": {
"$ref": "#/$defs/PublicFormat"
}
},
"title": "PublicKey",
"type": "object"
},
"RSAOptions": {
"properties": {
"type": {
"const": "rsa",
"enum": [
"rsa"
],
"title": "Type",
"type": "string"
},
"bits": {
"title": "Bits",
"type": "integer"
}
},
"required": [
"type"
],
"title": "RSAOptions",
"type": "object"
},
"Spec": {
"properties": {
"secretsEngineRef": {
"title": "Secretsengineref",
"type": "string"
},
"path": {
"title": "Path",
"type": "string"
},
"encoding": {
"default": "utf8",
"enum": [
"base64",
"utf8"
],
"title": "Encoding",
"type": "string"
},
"version": {
"minimum": 1,
"title": "Version",
"type": "integer"
},
"keyOptions": {
"discriminator": {
"mapping": {
"ec": "#/$defs/ECOptions",
"ed25519": "#/$defs/ED25519Options",
"rsa": "#/$defs/RSAOptions"
},
"propertyName": "type"
},
"oneOf": [
{
"$ref": "#/$defs/RSAOptions"
},
{
"$ref": "#/$defs/ECOptions"
},
{
"$ref": "#/$defs/ED25519Options"
}
],
"title": "Keyoptions"
},
"publicKey": {
"$ref": "#/$defs/PublicKey"
},
"privateKey": {
"$ref": "#/$defs/PrivateKey"
}
},
"required": [
"secretsEngineRef",
"path",
"version",
"keyOptions"
],
"title": "Spec",
"type": "object"
}
},
"additionalProperties": false,
"properties": {
"kind": {
"const": "SSHKey",
"default": "SSHKey",
"enum": [
"SSHKey"
],
"title": "Kind",
"type": "string"
},
"spec": {
"$ref": "#/$defs/Spec"
}
},
"required": [
"spec"
],
"title": "SSHKeyApplyDTO",
"type": "object"
}
Password Policies¶
A Password Policy provides declarative updates for Password Policies in Vault.
Creating a Password Policy¶
kind: PasswordPolicy
spec:
path: example
policy:
length: 128
rules:
- charset: "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
minChars: 1
- charset: "0123456789"
minChars: 1
- charset: "!@#$%^&*"
minChars: 1
In this example, we’re creating a Password Policy with the following properties:
The length is set to 128, which specifies the minimum length of the password.
The rules section defines a list of character set rules that must be met for a password to be valid.
The first rule requires at least one uppercase letter (
ABCDEFGHIJKLMNOPQRSTUVWXYZ).The second rule requires at least one digit (
0123456789).The third rule requires at least one special character (
!@#$%^&*).
Available keys¶
{
"$defs": {
"Spec": {
"properties": {
"secretsEngineRef": {
"title": "Secretsengineref",
"type": "string"
},
"path": {
"title": "Path",
"type": "string"
},
"encoding": {
"default": "utf8",
"enum": [
"base64",
"utf8"
],
"title": "Encoding",
"type": "string"
},
"version": {
"minimum": 1,
"title": "Version",
"type": "integer"
},
"secretKey": {
"title": "Secretkey",
"type": "string"
},
"policyRef": {
"title": "Policyref",
"type": "string"
}
},
"required": [
"secretsEngineRef",
"path",
"version",
"secretKey",
"policyRef"
],
"title": "Spec",
"type": "object"
}
},
"additionalProperties": false,
"properties": {
"kind": {
"const": "Password",
"default": "Password",
"enum": [
"Password"
],
"title": "Kind",
"type": "string"
},
"spec": {
"$ref": "#/$defs/Spec"
}
},
"required": [
"spec"
],
"title": "PasswordApplyDTO",
"type": "object"
}
Password¶
A Password provides declarative updates for secrets in Vault.
Creating a Password¶
kind: Password
spec:
path: my-secret
secretsEngineRef: kv
policyRef: example
secretKey: foo
version: 1
Warning
Keep in mind that updating your password policy won’t automatically update existing passwords. If you want to generate a new password that meets the updated policy, you’ll need to bump the version of the Password resource. For example:
kind: Password
spec:
path: my-secret
secretsEngineRef: kv
policyRef: example
secretKey: foo
# bump the version from 1 to 2 to trigger a new password generation
version: 2
That’s it!
Available keys¶
{
"$defs": {
"Spec": {
"properties": {
"secretsEngineRef": {
"title": "Secretsengineref",
"type": "string"
},
"path": {
"title": "Path",
"type": "string"
},
"encoding": {
"default": "utf8",
"enum": [
"base64",
"utf8"
],
"title": "Encoding",
"type": "string"
},
"version": {
"minimum": 1,
"title": "Version",
"type": "integer"
},
"secretKey": {
"title": "Secretkey",
"type": "string"
},
"policyRef": {
"title": "Policyref",
"type": "string"
}
},
"required": [
"secretsEngineRef",
"path",
"version",
"secretKey",
"policyRef"
],
"title": "Spec",
"type": "object"
}
},
"additionalProperties": false,
"properties": {
"kind": {
"const": "Password",
"default": "Password",
"enum": [
"Password"
],
"title": "Kind",
"type": "string"
},
"spec": {
"$ref": "#/$defs/Spec"
}
},
"required": [
"spec"
],
"title": "PasswordApplyDTO",
"type": "object"
}