OAS Update

stackit-pipeline · stackit-pipeline · commit ac79f47615f5 · 2025-07-31T15:16:16.000Z
diff --git a/services/iaas/v1/iaas.json b/services/iaas/v1/iaas.json
@@ -1754,6 +1754,17 @@
           "description": {
             "$ref": "#/components/schemas/Description"
           },
+          "encrypted": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/VolumeEncryption"
+              }
+            ],
+            "readOnly": true
+          },
+          "encryptionParameters": {
+            "$ref": "#/components/schemas/VolumeEncryptionParameter"
+          },
           "id": {
             "allOf": [
               {
@@ -2320,6 +2331,18 @@
         "pattern": "^[A-Za-z0-9@._-]*$",
         "type": "string"
       },
+      "KeyPayload": {
+        "description": "base64 encoded secret.",
+        "example": "VGhpcy1pcy1hLXNlY3JldCE=",
+        "format": "byte",
+        "type": "string"
+      },
+      "KeyVersion": {
+        "description": "Version of a key within the STACKIT-KMS.",
+        "example": 1,
+        "format": "int64",
+        "type": "integer"
+      },
       "Keypair": {
         "description": "Object that represents the public key of an SSH keypair and its name.",
         "properties": {
@@ -4447,6 +4470,17 @@
           "description": {
             "$ref": "#/components/schemas/Description"
           },
+          "encrypted": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/VolumeEncryption"
+              }
+            ],
+            "readOnly": true
+          },
+          "encryptionParameters": {
+            "$ref": "#/components/schemas/VolumeEncryptionParameter"
+          },
           "id": {
             "allOf": [
               {
@@ -4557,6 +4591,71 @@
         "example": true,
         "type": "boolean"
       },
+      "VolumeEncryption": {
+        "description": "Indicates if a volume is encrypted.",
+        "example": false,
+        "type": "boolean"
+      },
+      "VolumeEncryptionParameter": {
+        "description": "Parameter to connect to a key-encryption-key within the STACKIT-KMS to create encrypted volumes. If no key_payload is set, a random passphrase is generated, which will be encrypted against the STACKIT-KMS. These parameter never leave the backend again. So these parameters are not in the responses.",
+        "properties": {
+          "kekKeyId": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/UUID"
+              }
+            ],
+            "description": "UUID of the Key within the STACKIT-KMS to use for the encryption."
+          },
+          "kekKeyVersion": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/KeyVersion"
+              }
+            ],
+            "description": "Version of the key within the STACKIT-KMS to use for the encryption."
+          },
+          "kekKeyringId": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/UUID"
+              }
+            ],
+            "description": "UUID of the keyring where the key is located within the STACKTI-KMS."
+          },
+          "kekProjectId": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/UUID"
+              }
+            ],
+            "description": "Id of the project, where the key in the STACKIT-KMS belongs to, in case the key is located in a different project. By default the same project ID is used, like for the volume itself. Defining a key in a different project is only allowed for privileged internal projects."
+          },
+          "keyPayload": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/KeyPayload"
+              }
+            ],
+            "description": "Optional predefined secret, which will be encrypted against the key-encryption-key within the STACKIT-KMS. If not defined, a random secret will be generated by the API and encrypted against the STACKIT-KMS. If a key-payload is provided here, it must be base64 encoded."
+          },
+          "serviceAccount": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/ServiceAccountMail"
+              }
+            ],
+            "description": "Service-Account linked to the Key within the STACKIT-KMS."
+          }
+        },
+        "required": [
+          "serviceAccount",
+          "kekKeyringId",
+          "kekKeyId",
+          "kekKeyVersion"
+        ],
+        "type": "object"
+      },
       "VolumeList": {
         "description": "A list containing volume objects.",
         "items": {
diff --git a/services/iaas/v1alpha1/iaas.json b/services/iaas/v1alpha1/iaas.json
@@ -1765,6 +1765,17 @@
           "description": {
             "$ref": "#/components/schemas/Description"
           },
+          "encrypted": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/VolumeEncryption"
+              }
+            ],
+            "readOnly": true
+          },
+          "encryptionParameters": {
+            "$ref": "#/components/schemas/VolumeEncryptionParameter"
+          },
           "id": {
             "allOf": [
               {
@@ -2331,6 +2342,18 @@
         "pattern": "^[A-Za-z0-9@._-]*$",
         "type": "string"
       },
+      "KeyPayload": {
+        "description": "base64 encoded secret.",
+        "example": "VGhpcy1pcy1hLXNlY3JldCE=",
+        "format": "byte",
+        "type": "string"
+      },
+      "KeyVersion": {
+        "description": "Version of a key within the STACKIT-KMS.",
+        "example": 1,
+        "format": "int64",
+        "type": "integer"
+      },
       "Keypair": {
         "description": "Object that represents the public key of an SSH keypair and its name.",
         "properties": {
@@ -4515,6 +4538,17 @@
           "description": {
             "$ref": "#/components/schemas/Description"
           },
+          "encrypted": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/VolumeEncryption"
+              }
+            ],
+            "readOnly": true
+          },
+          "encryptionParameters": {
+            "$ref": "#/components/schemas/VolumeEncryptionParameter"
+          },
           "id": {
             "allOf": [
               {
@@ -4625,6 +4659,71 @@
         "example": true,
         "type": "boolean"
       },
+      "VolumeEncryption": {
+        "description": "Indicates if a volume is encrypted.",
+        "example": false,
+        "type": "boolean"
+      },
+      "VolumeEncryptionParameter": {
+        "description": "Parameter to connect to a key-encryption-key within the STACKIT-KMS to create encrypted volumes. If no key_payload is set, a random passphrase is generated, which will be encrypted against the STACKIT-KMS. These parameter never leave the backend again. So these parameters are not in the responses.",
+        "properties": {
+          "kekKeyId": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/UUID"
+              }
+            ],
+            "description": "UUID of the Key within the STACKIT-KMS to use for the encryption."
+          },
+          "kekKeyVersion": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/KeyVersion"
+              }
+            ],
+            "description": "Version of the key within the STACKIT-KMS to use for the encryption."
+          },
+          "kekKeyringId": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/UUID"
+              }
+            ],
+            "description": "UUID of the keyring where the key is located within the STACKTI-KMS."
+          },
+          "kekProjectId": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/UUID"
+              }
+            ],
+            "description": "Id of the project, where the key in the STACKIT-KMS belongs to, in case the key is located in a different project. By default the same project ID is used, like for the volume itself. Defining a key in a different project is only allowed for privileged internal projects."
+          },
+          "keyPayload": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/KeyPayload"
+              }
+            ],
+            "description": "Optional predefined secret, which will be encrypted against the key-encryption-key within the STACKIT-KMS. If not defined, a random secret will be generated by the API and encrypted against the STACKIT-KMS. If a key-payload is provided here, it must be base64 encoded."
+          },
+          "serviceAccount": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/ServiceAccountMail"
+              }
+            ],
+            "description": "Service-Account linked to the Key within the STACKIT-KMS."
+          }
+        },
+        "required": [
+          "serviceAccount",
+          "kekKeyringId",
+          "kekKeyId",
+          "kekKeyVersion"
+        ],
+        "type": "object"
+      },
       "VolumeList": {
         "description": "A list containing volume objects.",
         "items": {
diff --git a/services/iaas/v1beta1/iaas.json b/services/iaas/v1beta1/iaas.json
@@ -1754,6 +1754,17 @@
           "description": {
             "$ref": "#/components/schemas/Description"
           },
+          "encrypted": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/VolumeEncryption"
+              }
+            ],
+            "readOnly": true
+          },
+          "encryptionParameters": {
+            "$ref": "#/components/schemas/VolumeEncryptionParameter"
+          },
           "id": {
             "allOf": [
               {
@@ -2320,6 +2331,18 @@
         "pattern": "^[A-Za-z0-9@._-]*$",
         "type": "string"
       },
+      "KeyPayload": {
+        "description": "base64 encoded secret.",
+        "example": "VGhpcy1pcy1hLXNlY3JldCE=",
+        "format": "byte",
+        "type": "string"
+      },
+      "KeyVersion": {
+        "description": "Version of a key within the STACKIT-KMS.",
+        "example": 1,
+        "format": "int64",
+        "type": "integer"
+      },
       "Keypair": {
         "description": "Object that represents the public key of an SSH keypair and its name.",
         "properties": {
@@ -4447,6 +4470,17 @@
           "description": {
             "$ref": "#/components/schemas/Description"
           },
+          "encrypted": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/VolumeEncryption"
+              }
+            ],
+            "readOnly": true
+          },
+          "encryptionParameters": {
+            "$ref": "#/components/schemas/VolumeEncryptionParameter"
+          },
           "id": {
             "allOf": [
               {
@@ -4557,6 +4591,71 @@
         "example": true,
         "type": "boolean"
       },
+      "VolumeEncryption": {
+        "description": "Indicates if a volume is encrypted.",
+        "example": false,
+        "type": "boolean"
+      },
+      "VolumeEncryptionParameter": {
+        "description": "Parameter to connect to a key-encryption-key within the STACKIT-KMS to create encrypted volumes. If no key_payload is set, a random passphrase is generated, which will be encrypted against the STACKIT-KMS. These parameter never leave the backend again. So these parameters are not in the responses.",
+        "properties": {
+          "kekKeyId": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/UUID"
+              }
+            ],
+            "description": "UUID of the Key within the STACKIT-KMS to use for the encryption."
+          },
+          "kekKeyVersion": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/KeyVersion"
+              }
+            ],
+            "description": "Version of the key within the STACKIT-KMS to use for the encryption."
+          },
+          "kekKeyringId": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/UUID"
+              }
+            ],
+            "description": "UUID of the keyring where the key is located within the STACKTI-KMS."
+          },
+          "kekProjectId": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/UUID"
+              }
+            ],
+            "description": "Id of the project, where the key in the STACKIT-KMS belongs to, in case the key is located in a different project. By default the same project ID is used, like for the volume itself. Defining a key in a different project is only allowed for privileged internal projects."
+          },
+          "keyPayload": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/KeyPayload"
+              }
+            ],
+            "description": "Optional predefined secret, which will be encrypted against the key-encryption-key within the STACKIT-KMS. If not defined, a random secret will be generated by the API and encrypted against the STACKIT-KMS. If a key-payload is provided here, it must be base64 encoded."
+          },
+          "serviceAccount": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/ServiceAccountMail"
+              }
+            ],
+            "description": "Service-Account linked to the Key within the STACKIT-KMS."
+          }
+        },
+        "required": [
+          "serviceAccount",
+          "kekKeyringId",
+          "kekKeyId",
+          "kekKeyVersion"
+        ],
+        "type": "object"
+      },
       "VolumeList": {
         "description": "A list containing volume objects.",
         "items": {
