Vault Agent configmap

name ( string: required) - Name of the configMap or secret to be mounted. This also controls the path that it is mounted to. The volume will be mounted to /vault/userconfig/<name> by default unless path is configured. path ( string: /vault/userconfigs) - Name of the path where a configMap or secret is mounted The annotations for configuring Vault Agent injection must be on the pod specification. Since higher level resources such as Deployments wrap pod specification templates, Vault Agent Injector can be used with all of these higher level constructs, too. An example Deployment below shows how to enable Vault Agent injection The sidecar container is running Vault, using the vault agent that accesses Vault using the configuration specified inside a configmap and writes a configuration file based on a pre configured template (written inside the same configmap) onto a temporary file system which your application can use

vault-agent.app-config and namespaces The APP_CONFIG_MAP variable defines a ConfigMap that may be present in each namespace to control which service's secrets are included. It must contain one key apps, which should be formatted as a YAML list: - app1 - app The Vault Agent Injector supports mounting ConfigMaps by specifying the name using the vault.hashicorp.com/agent-configmap annotation. The configuration files will be mounted to /vault/configs. The configuration map must contain either one or both of the following files: config-init.hcl used by the init container We already offer a way of mounting a configuration file via the vault.hashicorp.com/agent-configmap annotation. So what is really missing here, as far as I can see, is a way of mounting custom secrets that have approle role_id and secret_id

The template stanza configures the templating engine in the Vault agent for rendering secrets to files using Consul Template markup language. Multiple template stanzas can be defined to render multiple files. When the agent is started with templating enabled, it will attempt to acquire a Vault token using the configured Method In December 2019, HashiCorp announced availaility of their Vault Agent Injector to fulfill the same need we address with our injector: provide a transparent way to fetch static and dynamic secrets from Vault stores

The operating system's default browser opens and displays the dashboard. » Install the Vault Helm chart The recommended way to run Vault on Kubernetes is via the Helm chart. Helm is a package manager that installs and configures all the necessary components to run Vault in several different modes. A Helm chart includes templates that enable conditional and parameterized execution Supposing templates could be placed inside a config map along with vault agent config, vault-agent would render and place them on a shared volume like it does now. But then rendered configuration files could be mounted to the particular location inside the container using custom annotation for each of the template files Hm, which version of the webhook are you using? I just tried your annotations with a simple deployment with version 1.13.1 of the webhook, but it changed the image of the vault-agent to the one in the annotation. How did you deployed the webhook? With what settings Vault CRD for sharing Vault Secrets with Kubernetes. It injects & sync values from Vault to Kubernetes secret. You can use these secrets as environment variables inside pod. the flow goes something like : vault to Kubernetes secret > and that secrets get injected into deployment using YAML same as configmap These annotations define a partial structure of the deployment schema and are prefixed with vault.hashicorp.com.. agent-inject enables the Vault Agent injector service; role is the Vault Kubernetes authentication role; role is the Vault role created that maps back to the K8s service account; agent-inject-secret-FIlEPATH prefixes the path of the file, database-config.txt written to /vault/secrets

Authenticate Agent with Vault. Agent is compatible with properties Spinnaker uses for Storing Secrets in HashiCorp Vault under secrets.vault.* in its kubesvc.yaml configuration file. You can also refer to vault secrets with the same syntax as spinnake The Vault Agent authenticates to the Vault Server via the pod Service Account identity. Ceph configuration is updated via Kubernetes ConfigMap (see below) Vault k8s Auth Method is enabled and. Right now we are using configmap & secret to store environment variables data. Using configmap and Secrets adding an environment variable to container os and application get it from os. app.config ['test'] = os.environ.get ( test ) To use best practices we are planning to use vault from hashicrop. SO can i populate the config map Describe the bug: vault-env does not replace placeholders by values from Vault cluster if the first key in ConfigMap is set as multi-line scalar value. However, it does the desired if the first key is set as a simple scalar value

Flexible output formatting options using the Vault Agent template functionality which was incorporated from consul-template. For example, fetching secret data from Vault to creating a database connection string, or adapting your output to match pre-existing configuration file formats, etc This is the file controlling the patch that enables HashiCorp Vault to take control with an init container. The most important line is the reference to the configmap. It contains the vault configuration file config-init.hcl and the files referenced by it. config-init.hcl. auto_auth = { $ vault operator unseal Unseal Key (will be hidden): Key Value--- -----Seal Type shamir Initialized false Sealed false Total Shares 1 Threshold 1 Version 0.9.1 Cluster Name vault-cluster-6a21908f Cluster ID 713de97e-d905-495a-7138-f53f71d08d26 HA Enabled true HA Cluster https://vault-cluster-coreos.default.svc:8201 HA Mode active $ vault . As the platform team at Trendyol Tech, one of our goals was making application configuration and secret management dynamic, reliable, secure and be abstracted away from applications. We have bee

Configuration Vault by HashiCor

Here, we configured Vault to use the Consul backend (which supports high availability), defined the TCP listener for Vault, enabled TLS, added the paths to the TLS certificate and the private key, and enabled the Vault UI. Review the docs for more info on configuring Vault. Save this config in a ConfigMap The webhook injects vault-agent as an init container, based on the Kubernetes Auth role configuration prometheus-operator-prometheus. The vault-agent grabs a token with the policy of prometheus-operator-prometheus The Vault Helm chart can deploy only the Vault Agent Injector service configured to target an external Vault. The injector service enables the authentication and secret retrieval for the applications, by adding Vault Agent containers as they are written to the pod automatically it includes specific annotations The Vault Agent injector supports mounting ConfigMaps by specifying the name using the v ault.hashicorp.com/agent-configmap annotation. The configuration files will be mounted to /vault/configs...

Vault Agent Sidecar Injector Examples Vault by HashiCor

A ConfigMap is an API object used to store non-confidential data in key-value pairs. Pods can consume ConfigMaps as environment variables, command-line arguments, or as configuration files in a volume. A ConfigMap allows you to decouple environment-specific configuration from your container images, so that your applications are easily portable. Caution: ConfigMap does not provide secrecy or. Secret and ConfigMap examples ︎. Secrets require their payload to be base64 encoded, the API rejects manifests with plaintext in them. The secret value should contain a base64 encoded template string referencing the vault path you want to insert This is the schema version used by the agent when parsing this ConfigMap. Currently supported schema-version is v1. Modifying this value is not supported and will be rejected when ConfigMap is evaluated. config-version: String: Supports ability to keep track of this config file's version in your source control system/repository ConfigMaps allow you to decouple configuration artifacts from image content to keep containerized applications portable. This page provides a series of usage examples demonstrating how to create ConfigMaps and configure Pods using data stored in ConfigMaps. Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster This is a simple and portable configuration example that will work as-is in the majority of environments for learning purposes which require persisting data between restarts of the vault process.. NOTE: The above example disables TLS (tls_disable = true) for testing and learning.However, Vault should always be used with TLS in production to provide secure communication between clients and.

Using Vault Agent Templating in the mutating webhook

kubectl get pods vault-0 0/1 Running 0 4s vault-1 0/1 Running 0 4s vault-2 0/1 Running 0 4s vault-agent-injector-7bd76b66dd-8gjf4 1/1 Running 0 4s kubectl get service vault ClusterIP <none> 8200/TCP,8201/TCP 2m1s vault-active ClusterIP <none> 8200/TCP,8201/TCP 2m1s vault-agent-injector-svc ClusterIP lets start with the consul agent, we wanna make sure that vault is talking to the consul agent which is a part of the consul cluster will delete the file but you can not use configmap with. »Kubernetes Admission controllers. The Vault Helm chart can also optionally install the Vault Agent Sidecar Injector. The Vault Agent Sidecar Injector alters pod specifications to include Vault Agent containers that render Vault secrets to a shared memory volume using Vault Agent Templates. By rendering secrets to a shared volume, containers within the pod can consume Vault secrets without.

Let's look at the relevant portions of the Kubernetes manifest required to deploy a Spring Boot app with Vault Agent running as a sidecar. I'll assume that Vault is already configured with the Kubernetes Authentication backend. Manifest. First is a ConfigMap that contains the Vault Agent config To override Halyard's configuration, create a Kubernetes ConfigMap with the configuration changes you need. For example, if you're using secrets management with Vault(), Halyard and Operator containers need your Vault configuration Change to the directory k8s/oidc-vault/k8s containing the YAML files that describe the Kubernetes deployment and use the following command to apply the updated server ConfigMap, the ConfigMap for the OIDC Discovery Provider, and deploy the updated spire-server StatefulSet

-retry-interval - Time to wait between join attempts. Defaults to 30s.-retry-max - The maximum number of -join attempts to be made before exiting with return code 1. By default, this is set to 0 which is interpreted as infinite retries.-join-wan - Address of another wan agent to join upon starting up. This can be specified multiple times to specify multiple WAN agents to join Vault Agent Injector Sidecar. Another pattern that could be used with vault and pods on k8s is the sidecar injector option. Provides for an annotation-driven secret injection for your pods that could be a pretty handy way to decouple applications with secret management Run the following command to create a new key vault. Command. az keyvault create \ --name <your-key-vault> \ --resource-group <your-resource-group>. Run the following command to create a new secret in your key vault. Secrets are stored as a key value pair. In the example below, Password is the key and mysecretpassword is the value

GitHub - george-sre/vault-agent: vault-agent for managing

Note. The Vault agent Auto-Auth is configured to use the Kubernetes authentication method enabled at the auth/kubernetes path on the Vault server. The Vault Agent uses the cic-vault-example role to authenticate. The sink block specifies the location on disk where to write tokens. Vault Agent Auto-Auth sink can be configured multiple times if you want Vault Agent to place the token into. Keytabs stored in a safe place, I use vault and vault-agent-injector; Sidecar container that will manage the credentials; Shared KCM between server and pods sharing the KCM socket, avoiding other pods to have access to the stored TGTs; Krb5 stored as configmap in the namespac The Suggested Method. Hashicorp's suggested method for this conundrum is documented in detail here, and loosely involves: Installing a Vault agent in to each Kubernetes cluster. Creating a Service Account and configMap on each cluster for Vault. Configuring Authentication between Vault and each Cluster (based on the allowed authentication. Follow these steps to migrate accounts from Agent to Clouddriver: Delete the account definition from your Agent configuration. Depending on how you installed Agent, this configuration could be in the kubesvc.yml data section of a ConfigMap or in the kubesvc.yml file in the Agent pod. Add the account definition to the source that Clouddriver uses

2 Answers2. I. Within container specification set environmental variables (values in double quotes): Then refer to the values in envconsul.hcl. II. Another option is to unseal the vault cluster (with the unseal key which was printed while initializing the vault cluster) and then authenticate to the vault cluster using a root token But having 2 webhooks installed (vault-secrets-webhook for environment variables and vault-agent-injector for secrets in files) is seems an unnecessary complication/more overhead. created time in 16 hour Creating a ConfigMap using 'kubectl create configmap' is a straightforward operation. However, there is not a corresponding 'kubectl apply' that can easily update that ConfigMap. As an example, here are the commands for the creation of a simple ConfigMap using a file named ConfigMap-test1.yaml

Agent Sidecar Injector Overview Vault by HashiCor

The following is a guest blog post from Jürgen Weber, Bank-Vaults user and contributor extraordinaire. Here at hipages, we have a legacy approach to how we keep and maintain our 'secrets'. The details for some of our primary application resources are easy to obtain and with this carries great risk.. So to solve this we decided to embark on a 'secrets' project and implement. Introduction. This is the fourth post of the blog series on HashiCorp Vault.. The first post proposed a custom orchestration to more securely retrieve secrets stored in the Vault from a pod running in Red Hat OpenShift.. The second post improved upon that approach by using the native Kubernetes Auth Method that Vault provides.. The third post showed how the infrastructure can provide the Vault.

In Consul 1.9.0, we're introducing a new topological diagram that will help you visualize the connections in your service mesh. In the Consul UI, from the services page, navigate to a service. In this example, we'll use the app service. As long as you have connect enabled, you'll be able to see a Topology tab, which will show which. Initial Root Token: 95633ed2-***-***-***-faaded3c711e. Vault initialized with 1 key shares and a key threshold of 1. Please securely. distribute the key shares printed above. When the Vault is re-sealed, restarted, or stopped, you must supply at least 1 of these keys to unseal it The Armory Agent is compatible with Armory Enterprise and open source Spinnaker. It consists of a lightweight service that you deploy on Kubernetes and a plugin that you install into Spinnaker. Your Clouddriver service must use a MySQL-compatible database. See the Configure Clouddriver to use a SQL Database. guide for instructions

Support more granular Vault Agent and volume configs

Deploy 2 vault clusters. First cluster is named as vault, in source code folder vault. This cluster is for external service, so it has an Ingress rule. Follow the steps described here, or similar as below. Second cluster is named as vault-unlock, in source code folder vault2. This cluster is dedicated to auto-unseal purpose In the Create Server Configmap step: set the the cluster name in the k8s_sat NodeAttestor entry to the name you provide in the agent-configmap.yaml configuration file. If your Kubernetes cluster supports projected service account tokens, consider using the built-in Projected Service Account Token k8s Node Attestor for authenticating the SPIRE. Note how a query string is used to retrieve the private/public keys from the Azure Key Vault secret. That's it! The content of the secret in Azure Key Vault will now be injected into the application through the environment variables MY_PUBLIC_KEY and MY_PRIVATE_KEY.. The really cool thing about this solution is that Kubernetes (and its users) can only see the placeholder for the secret.

Kubernetes Vault. Vault is a tool for managing sensitive data like passwords, access keys, and certificates. Vault allows us to decouple secrets from applications. Vault has built-in support for Kubernetes and can use Kubernetes APIs to verify the identity of an application. This page gather resources about Kubernetes Vault and how to use it Vault comes up and runs, but I think the servers fail to see each other. They are all dumping errors like this to the logs # The tcp port squid is listening on http_port 3128 # Please specify subnet with instana agents acl instana_agent_net src # This is the ip of the instana backend acl instana_backend dstdomain saas-eu-west-1.instana.io #acl instana_backend dstdomain ec2-54-144-114-141.compute-1.amazonaws.com #acl instana_backend dstdomain saas-us-east-1.instana.io #acl instana_backend dstdomain saas. Why Vault and Kubernetes is the perfect couple 7 minute read The (not so) secret flaws of Kubernetes Secrets. When you're starting learning and using Kubernetes for the first time you discover that there is this special object called Secret that is designed for storing various kinds of confidential data. However, when you find out it is very similar to ConfigMap object and is not encrypted.

Vault Agent Template Vault by HashiCor

vault { address = ${VAULT_ADDR} renew_token = false retry { backoff = 1s} token = ${VAULT_TOKEN}} II. Another option is to unseal the vault cluster (with the unseal key which was printed while initializing the vault cluster) $ vault operator unseal. and then authenticate to the vault cluster using a root token. $ vault <your-generated. Here, we configured Vault to use the Consul backend (which supports high availability), defined the TCP listener for Vault, enabled TLS, added the paths to the TLS certificate and the private key, and enabled the Vault UI. Save this config in a ConfigMap, configmap/vault

NAME READY STATUS RESTARTS AGE pod/client-7446fdf848-x96fq 1/1 Running 0 79s pod/server-7c8fd58db5-rchg8 1/1 Running 0 77s pod/server-7c8fd58db5-sd4f9 1/1 Running 0 77s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/server ClusterIP <none> 80/TCP 77s NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/client 1/1 1 1 79s deployment.apps/server 2/2 2 2 77s NAME DESIRED CURRENT. Vault initialized with 1 key shares and a key threshold of 1. Please securely distribute the key shares printed above. When the Vault is re-sealed, restarted, or stopped, you must supply at least 1 of these keys to unseal it before it can start servicing requests. Vault does not store the generated master key


Enabling a Secrets Engine. Here is an example to enable a new Secrets Engine under the customPath path: vault secrets enable -path=customPath -version=2 kv. In order to enable mTLS between the Traefik Enterprise controllers and the Distributed ACME Agent, you must provide certificates in the configuration of the agent The secret handler to use, choices: base64, vault, conjur: base64: LOGLEVEL: The loglevel for the agent, Choices: DEBUG, INFO, ERROR, WARN: INFO: STACKL_CLI_IMAGE: The image used for sending outputs back to stackl: stacklio/stackl-cli: MAX_JOBS: The maximum amount of jobs that can be run in parallel: 10: JOB_TIMEOUT: Time until a job times out Here, spec.monitor specifies that built-in prometheus is used to monitor this Vault server instance.; monitor.prometheus specifies the information for monitoring by Prometheus.. prometheus.port indicates the port for Vault statsd exporter endpoint (default is 56790); prometheus.interval indicates the scraping interval (eg, '10s'); Run the following command to create it Vault operator will configure its service once the Vault server is successfully running. $ kubectl get vs -n demo NAME NODES VERSION STATUS AGE example 1 0.11.1 Running 3 ├── ip-masq-agent-jtjxz ├── kube-dns-autoscaler-bb58c6784-j9n4h ├── kube-proxy-gke-staging-default-pool-acca72c6-kls

Injecting Secrets into Kubernetes Pods via Vault Agent

Observe Consul Service Mesh Traffic with Prometheus. 8 min; Products Used; This tutorial also appears in: Observability. In this tutorial, you will configure Consul service mesh to install a pre-configured instance of Prometheus suitable for development and evaluation purposes.. Consul service mesh on Kubernetes provides a deep integration with Prometheus, and even includes a built-in starter. »Consul DNS on Kubernetes. One of the primary query interfaces to Consul is the DNS interface.You can configure Consul DNS in Kubernetes using a stub-domain configuration if using KubeDNS or a proxy configuration if using CoreDNS. Once configured, DNS requests in the form <consul-service-name>.service.consul will resolve for services in Consul. This will work from all Kubernetes namespaces Step 2: Create Agent Configmap. Apply the agent-configmap.yaml configuration file to create the agent configmap. This is mounted as the agent.conf file that determines the SPIRE Agent's configuration. $ kubectl apply -f agent-configmap.yaml. The agent-configmap.yaml file specifies a number of important directories, notably /run/spire/sockets.

Add support for adding templates from a ConfigMap and

  1. The Vault Agent runs on the client side to automate leases and tokens lifecycle management: Credit - Vault Agent. In this post, we are going to run the Vault Agent on the same machine as where the Vault server is running. However, the basic working is the same except the host machine address. Let's setup the auth method on the Vault server
  2. Below is the nsx-node-agent-config ConfigMap from ncp-ubuntu-policy.yaml. apiVersion: v1 kind: ConfigMap metadata: name: nsx-node-agent-config namespace: nsx-system labels: version: v1 data: ncp.ini: | [DEFAULT] # If set to true, the logging level will be set to DEBUG instead of the # default INFO level
  3. The Vault Agent Injector is a mutating admission web hook. What this means is that there is some piece of software running in Kubernetes, and Kubernetes sends events to it and the web hook can look at those events and make decisions or change things. In our case, what we're going to be doing is injecting Vault Agent containers into Pods
  4. The mazda furai growls threateningly on the runway. Get all info about 2019 mazda furai here now. Mazda furai race car le man concept racin..
  5. Vault agent confi
  6. Vault agent config Vault agent confi
  7. 1, Basic concepts of Vault. First, take a look at the architecture of Vault. It can be seen that almost all components belong to the security barrier, Vault can be simply divided into three parts: Storage Backend, security barrier and HTTP API. Security barrier is the encrypted steel and concrete around the Vault

How to override vault-agent image

kubernetes - How to inject vault and consume hashicorp

How to setup Vault with Kubernetes - DeepSourc

Once the agent pods come-up, refresh the OES agent screen to check that the agent shows a green dot status Go to Integrations and Cloud Accounts pages to see the accounts configured in the agent-services configMap listed along with local accounts This page provides an overview of init containers: specialized containers that run before app containers in a Pod. Init containers can contain utilities or setup scripts not present in an app image. You can specify init containers in the Pod specification alongside the containers array (which describes app containers). Understanding init containers A Pod can have multiple containers running. Vault pod going to crashLoopBackOff state on restarting. We have configured vault to run as a pod in the cluster. In the below deployment YAML file, we have included the vault initialisation and unsealing to happen when the pod comes up initially. But when the pod gets restarted, the pod is going to crashLoopBackOff state because the vault is. 4. Configuration, Secrets, and RBAC - Kubernetes Best Practices [Book] Chapter 4. Configuration, Secrets, and RBAC. The composable nature of containers allows us as operators to introduce configuration data into a container at runtime. This makes it possible for us to decouple an application's function from the environment it runs in Ada banyak contoh penggunaan ConfigMap, beberapa diantaranya: 1. Konfigurasi Database 2. Secret (Vault) 3. Environment variable. Sebagai contoh pembelajaran, kita akan mengganti konfigurasi nginx yang berada di /etc/nginx/nginx.conf dengan configMap yang kita buat Buat file nginx-configmap.yam

Vert.x Config. Vert.x Config provides a way to configure your Vert.x application. It: offers multiple configuration syntaxes (JSON, properties, Yaml (extension), Hocon (extension). offers multiple configuration stores such as files, directories, HTTP, git (extension), Redis (extension), system properties and environment properties Kyverno, furthering of its ability to function as a Swiss Army knife, has a unique ability to generate resources (even custom ones!). That same ability also extends to the copy functionality. So by using Kyverno, we can copy our regcred Secret from a source Namespace to any N number of destination Namespaces Create Server Service. Create the server service by applying the server-service.yaml configuration file: $ kubectl apply -f server-service.yaml Verify that the spire namespace now has a spire-server service in the spire namespace: $ kubectl get services --namespace spire NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE spire-server NodePort <none> 8081:30337/TCP 88 The same with the secrets, a configmap must already be in our cluster so that our mongo-express can use it as a reference. mongo-configmap.yaml: apiVersion: v1 kind: ConfigMap metadata: Hashicorp Vault HashiCorp Vault Agent HashiCorp Vault and Consul on AWS with Terraform Ansible with Terraform AWS IAM user, group, role, and policies - part Detailed information on configuration options. IstioOperator Options. Configuration affecting Istio control plane installation version and shape

TL;DR: Securing your app with Istio, SSO, Vault. Step-by-step without coding! Assembling security aspects using cloud native patterns. Today, securing your apps is a must have but it's difficult to introduce it without modifying code if you didn't think about it at the very beginning Istio can be installed in two different ways. istioctl command: Providing the full configuration in an IstioOperator CR is considered an Istio best practice for production environments.. Istio operator: One needs to consider security implications when using the operator pattern in Kubernetes.With the istioctl install command, the operation will run in the admin user's security context.

Create a Key Vault. Next we will create a Key Vault in the resource group created in the previous step. For this, we can use below PowerShell command (Azure CLI disappointed again): New-AzureRmKeyVault -Name app-KeyVault -ResourceGroupName appSecrets-rg -Location eastus. The output of this command will show the properties of the newly created. Provide the metallb-configmap.yaml from step 2 and select CREATE. Click on + New Version. Enter v1.0 for the Version Name and UPLOAD the k8s Yaml File created in step 2. Select Save Changes. Select Addons and Create a new Addon called metallb-secret by selecting the + New Add-On button. Ensure that you select k8s YAML for. Puppet agent post install tasks - configure agent, hostnames, and sign request EC2 Puppet master/agent basic tasks - main manifest with a file resource/module and immediate execution on an agent node Setting up puppet master and agent with simple scripts on EC2 / remote install from desktop EC2 Puppet - Install lamp with a manifest ('puppet apply' Vault Provider Traefik Proxy Providers HTTPS & TLS HTTPS & TLS Traefik Enterprise Store Let's Encrypt Multi-Cluster Let's Encrypt Vault Certificate Resolver TLS Options Middlewares Middlewares LDAP Authentication JWT Authentication OAuth 2.0 Token Introspection Authentication Open Policy Agent

Update: Logging operator v3 (released March, 2020) We're constantly improving the logging-operator based on feature requests of our ops team and our customers. The main features of version 3.0 are: Log routing based on namespaces Excluding logs Select (or exclude) logs based on hosts and container names Logging operator documentation is now available on the Banzai Cloud site. Check The. kubectl create configmap ip-masq-agent --from-file config.yaml --namespace kube-system elasticsearch fedora Fedora CoreOS foreman GCP Gitlab gitops GKE GNS3 Google Cloud Platform grafana Graylog gVisor HA Harbor HashiCorp Vault helm-controller helm2 helm3 HP httpd icinga ILO Influxdb ipmitool jitsi K0S K3S K8S Kafka katello Keycloak kube. xds.agent.enterprise.mesh.gloo.solo.io.XdsConfigSpec TODO(ilackarms): add more types here. note that we may need to support non-proto resourecs here in the future, in which case we will probably use a proto Struct to represent the object