dc-tec
diff --git a/‎api/v1alpha1/openbaocluster_types.go‎
Lines changed: 17 additions & 3 deletions b/‎api/v1alpha1/openbaocluster_types.go‎
Lines changed: 17 additions & 3 deletions
diff --git a/‎charts/openbao-operator/crds/openbao.org_openbaoclusters.yaml‎
Lines changed: 34 additions & 4 deletions b/‎charts/openbao-operator/crds/openbao.org_openbaoclusters.yaml‎
Lines changed: 34 additions & 4 deletions
diff --git a/‎config/crd/bases/openbao.org_openbaoclusters.yaml‎
Lines changed: 34 additions & 4 deletions b/‎config/crd/bases/openbao.org_openbaoclusters.yaml‎
Lines changed: 34 additions & 4 deletions
diff --git a/‎docs/reference/api.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/reference/api.md‎
Lines changed: 2 additions & 2 deletions
@@ -1050,6 +1050,12 @@ type SelfInitRequest struct {
 // SelfInitAuditDevice provides structured configuration for enabling audit devices
 // via self-init requests. This replaces the need for raw JSON in the Data field.
 // See: https://openbao.org/api-docs/system/audit/
+// +kubebuilder:validation:XValidation:rule="self.type == 'file' || !has(self.fileOptions)",message="fileOptions is only supported when type is file"
+// +kubebuilder:validation:XValidation:rule="self.type != 'file' || has(self.fileOptions)",message="fileOptions is required when type is file"
+// +kubebuilder:validation:XValidation:rule="self.type == 'http' || !has(self.httpOptions)",message="httpOptions is only supported when type is http"
+// +kubebuilder:validation:XValidation:rule="self.type != 'http' || has(self.httpOptions)",message="httpOptions is required when type is http"
+// +kubebuilder:validation:XValidation:rule="self.type == 'syslog' || !has(self.syslogOptions)",message="syslogOptions is only supported when type is syslog"
+// +kubebuilder:validation:XValidation:rule="self.type == 'socket' || !has(self.socketOptions)",message="socketOptions is only supported when type is socket"
 type SelfInitAuditDevice struct {
 	// Type is the type of audit device (e.g., "file", "syslog", "socket", "http").
 	// +kubebuilder:validation:Enum=file;syslog;socket;http
@@ -2006,6 +2012,8 @@ type OpenBaoClusterSpec struct {
 	// Audit configures declarative audit devices for the OpenBao cluster.
 	// See: https://openbao.org/docs/configuration/audit/
 	// +optional
+	// +listType=map
+	// +listMapKey=path
 	Audit []AuditDevice `json:"audit,omitempty"`
 	// Plugins configures declarative plugins for the OpenBao cluster.
 	// See: https://openbao.org/docs/configuration/plugins/
@@ -2481,6 +2489,10 @@ type OpenBaoClusterList struct {
 
 // AuditDevice defines a declarative audit device configuration.
 // See: https://openbao.org/docs/configuration/audit/
+// +kubebuilder:validation:XValidation:rule="self.type == 'file' || !has(self.fileOptions)",message="fileOptions is only supported when type is file"
+// +kubebuilder:validation:XValidation:rule="self.type == 'http' || !has(self.httpOptions)",message="httpOptions is only supported when type is http"
+// +kubebuilder:validation:XValidation:rule="self.type == 'syslog' || !has(self.syslogOptions)",message="syslogOptions is only supported when type is syslog"
+// +kubebuilder:validation:XValidation:rule="self.type == 'socket' || !has(self.socketOptions)",message="socketOptions is only supported when type is socket"
 type AuditDevice struct {
 	// Type is the type of audit device (e.g., "file", "syslog", "socket", "http").
 	// +kubebuilder:validation:Enum=file;syslog;socket;http
@@ -2508,10 +2520,11 @@ type AuditDevice struct {
 	// Only used when Type is "socket".
 	// +optional
 	SocketOptions *SocketAuditOptions `json:"socketOptions,omitempty"`
-	// Options contains device-specific configuration options as a map.
+	// Options contains device-specific configuration options as a string map.
 	// This is a fallback for backward compatibility and advanced use cases.
 	// If structured options (FileOptions, HTTPOptions, etc.) are provided, they take precedence.
-	// The structure depends on the audit device type.
+	// OpenBao audit options are string-to-string; scalar JSON values are rendered as strings,
+	// while nested objects and arrays are rejected. For HTTP headers, prefer httpOptions.headers.
 	// +optional
 	Options *apiextensionsv1.JSON `json:"options,omitempty"`
 }
@@ -2537,7 +2550,8 @@ type HTTPAuditOptions struct {
 	URI string `json:"uri"`
 	// Headers is a JSON object describing headers. Must take the shape map[string][]string,
 	// i.e., an object of headers, with each having one or more values.
-	// Headers without values will be ignored.
+	// Headers without values will be ignored. The operator renders this object as OpenBao's
+	// expected JSON-encoded options.headers string.
 	// +optional
 	Headers *apiextensionsv1.JSON `json:"headers,omitempty"`
 }
 
@@ -97,7 +97,8 @@ spec:
                           description: |-
                             Headers is a JSON object describing headers. Must take the shape map[string][]string,
                             i.e., an object of headers, with each having one or more values.
-                            Headers without values will be ignored.
+                            Headers without values will be ignored. The operator renders this object as OpenBao's
+                            expected JSON-encoded options.headers string.
                           x-kubernetes-preserve-unknown-fields: true
                         uri:
                           description: URI is the URI of the remote server where the
@@ -109,10 +110,11 @@ spec:
                       type: object
                     options:
                       description: |-
-                        Options contains device-specific configuration options as a map.
+                        Options contains device-specific configuration options as a string map.
                         This is a fallback for backward compatibility and advanced use cases.
                         If structured options (FileOptions, HTTPOptions, etc.) are provided, they take precedence.
-                        The structure depends on the audit device type.
+                        OpenBao audit options are string-to-string; scalar JSON values are rendered as strings,
+                        while nested objects and arrays are rejected. For HTTP headers, prefer httpOptions.headers.
                       x-kubernetes-preserve-unknown-fields: true
                     path:
                       description: Path is the path of the audit device in the root
@@ -171,7 +173,19 @@ spec:
                   - path
                   - type
                   type: object
+                  x-kubernetes-validations:
+                  - message: fileOptions is only supported when type is file
+                    rule: self.type == 'file' || !has(self.fileOptions)
+                  - message: httpOptions is only supported when type is http
+                    rule: self.type == 'http' || !has(self.httpOptions)
+                  - message: syslogOptions is only supported when type is syslog
+                    rule: self.type == 'syslog' || !has(self.syslogOptions)
+                  - message: socketOptions is only supported when type is socket
+                    rule: self.type == 'socket' || !has(self.socketOptions)
                 type: array
+                x-kubernetes-list-map-keys:
+                - path
+                x-kubernetes-list-type: map
               backup:
                 description: Backup configures scheduled backups for the cluster.
                 properties:
@@ -3428,7 +3442,8 @@ spec:
                                   description: |-
                                     Headers is a JSON object describing headers. Must take the shape map[string][]string,
                                     i.e., an object of headers, with each having one or more values.
-                                    Headers without values will be ignored.
+                                    Headers without values will be ignored. The operator renders this object as OpenBao's
+                                    expected JSON-encoded options.headers string.
                                   x-kubernetes-preserve-unknown-fields: true
                                 uri:
                                   description: URI is the URI of the remote server
@@ -3489,6 +3504,21 @@ spec:
                           required:
                           - type
                           type: object
+                          x-kubernetes-validations:
+                          - message: fileOptions is only supported when type is file
+                            rule: self.type == 'file' || !has(self.fileOptions)
+                          - message: fileOptions is required when type is file
+                            rule: self.type != 'file' || has(self.fileOptions)
+                          - message: httpOptions is only supported when type is http
+                            rule: self.type == 'http' || !has(self.httpOptions)
+                          - message: httpOptions is required when type is http
+                            rule: self.type != 'http' || has(self.httpOptions)
+                          - message: syslogOptions is only supported when type is
+                              syslog
+                            rule: self.type == 'syslog' || !has(self.syslogOptions)
+                          - message: socketOptions is only supported when type is
+                              socket
+                            rule: self.type == 'socket' || !has(self.socketOptions)
                         authMethod:
                           description: |-
                             AuthMethod configures an auth method when Path starts with "sys/auth/".
 
@@ -96,7 +96,8 @@ spec:
                           description: |-
                             Headers is a JSON object describing headers. Must take the shape map[string][]string,
                             i.e., an object of headers, with each having one or more values.
-                            Headers without values will be ignored.
+                            Headers without values will be ignored. The operator renders this object as OpenBao's
+                            expected JSON-encoded options.headers string.
                           x-kubernetes-preserve-unknown-fields: true
                         uri:
                           description: URI is the URI of the remote server where the
@@ -108,10 +109,11 @@ spec:
                       type: object
                     options:
                       description: |-
-                        Options contains device-specific configuration options as a map.
+                        Options contains device-specific configuration options as a string map.
                         This is a fallback for backward compatibility and advanced use cases.
                         If structured options (FileOptions, HTTPOptions, etc.) are provided, they take precedence.
-                        The structure depends on the audit device type.
+                        OpenBao audit options are string-to-string; scalar JSON values are rendered as strings,
+                        while nested objects and arrays are rejected. For HTTP headers, prefer httpOptions.headers.
                       x-kubernetes-preserve-unknown-fields: true
                     path:
                       description: Path is the path of the audit device in the root
@@ -170,7 +172,19 @@ spec:
                   - path
                   - type
                   type: object
+                  x-kubernetes-validations:
+                  - message: fileOptions is only supported when type is file
+                    rule: self.type == 'file' || !has(self.fileOptions)
+                  - message: httpOptions is only supported when type is http
+                    rule: self.type == 'http' || !has(self.httpOptions)
+                  - message: syslogOptions is only supported when type is syslog
+                    rule: self.type == 'syslog' || !has(self.syslogOptions)
+                  - message: socketOptions is only supported when type is socket
+                    rule: self.type == 'socket' || !has(self.socketOptions)
                 type: array
+                x-kubernetes-list-map-keys:
+                - path
+                x-kubernetes-list-type: map
               backup:
                 description: Backup configures scheduled backups for the cluster.
                 properties:
@@ -3427,7 +3441,8 @@ spec:
                                   description: |-
                                     Headers is a JSON object describing headers. Must take the shape map[string][]string,
                                     i.e., an object of headers, with each having one or more values.
-                                    Headers without values will be ignored.
+                                    Headers without values will be ignored. The operator renders this object as OpenBao's
+                                    expected JSON-encoded options.headers string.
                                   x-kubernetes-preserve-unknown-fields: true
                                 uri:
                                   description: URI is the URI of the remote server
@@ -3488,6 +3503,21 @@ spec:
                           required:
                           - type
                           type: object
+                          x-kubernetes-validations:
+                          - message: fileOptions is only supported when type is file
+                            rule: self.type == 'file' || !has(self.fileOptions)
+                          - message: fileOptions is required when type is file
+                            rule: self.type != 'file' || has(self.fileOptions)
+                          - message: httpOptions is only supported when type is http
+                            rule: self.type == 'http' || !has(self.httpOptions)
+                          - message: httpOptions is required when type is http
+                            rule: self.type != 'http' || has(self.httpOptions)
+                          - message: syslogOptions is only supported when type is
+                              syslog
+                            rule: self.type == 'syslog' || !has(self.syslogOptions)
+                          - message: socketOptions is only supported when type is
+                              socket
+                            rule: self.type == 'socket' || !has(self.socketOptions)
                         authMethod:
                           description: |-
                             AuthMethod configures an auth method when Path starts with "sys/auth/".
 
@@ -160,7 +160,7 @@ _Appears in:_
 | `httpOptions` _[HTTPAuditOptions](#httpauditoptions)_ | HTTPOptions configures options for HTTP audit devices.<br />Only used when Type is "http". |  | Optional: \{\} <br /> |
 | `syslogOptions` _[SyslogAuditOptions](#syslogauditoptions)_ | SyslogOptions configures options for syslog audit devices.<br />Only used when Type is "syslog". |  | Optional: \{\} <br /> |
 | `socketOptions` _[SocketAuditOptions](#socketauditoptions)_ | SocketOptions configures options for socket audit devices.<br />Only used when Type is "socket". |  | Optional: \{\} <br /> |
-| `options` _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#json-v1-apiextensions-k8s-io)_ | Options contains device-specific configuration options as a map.<br />This is a fallback for backward compatibility and advanced use cases.<br />If structured options (FileOptions, HTTPOptions, etc.) are provided, they take precedence.<br />The structure depends on the audit device type. |  | Optional: \{\} <br /> |
+| `options` _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#json-v1-apiextensions-k8s-io)_ | Options contains device-specific configuration options as a string map.<br />This is a fallback for backward compatibility and advanced use cases.<br />If structured options (FileOptions, HTTPOptions, etc.) are provided, they take precedence.<br />OpenBao audit options are string-to-string; scalar JSON values are rendered as strings,<br />while nested objects and arrays are rejected. For HTTP headers, prefer httpOptions.headers. |  | Optional: \{\} <br /> |
 
 
 #### AutoRollbackConfig
@@ -642,7 +642,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `uri` _string_ | URI is the URI of the remote server where the audit logs will be written. |  | MinLength: 1 <br /> |
-| `headers` _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#json-v1-apiextensions-k8s-io)_ | Headers is a JSON object describing headers. Must take the shape map[string][]string,<br />i.e., an object of headers, with each having one or more values.<br />Headers without values will be ignored. |  | Optional: \{\} <br /> |
+| `headers` _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#json-v1-apiextensions-k8s-io)_ | Headers is a JSON object describing headers. Must take the shape map[string][]string,<br />i.e., an object of headers, with each having one or more values.<br />Headers without values will be ignored. The operator renders this object as OpenBao's<br />expected JSON-encoded options.headers string. |  | Optional: \{\} <br /> |
 
 
 #### ImageVerificationConfig