From 300df4e198e1be557d2832778c0d3222967d5ac0 Mon Sep 17 00:00:00 2001 
From: Rafael da Fonseca Date: Tue, 15 Oct 2024 11:22:26 +0100 Subject: [PATCH 1/2] Update provider, add additional resources --- Makefile | 2 +- .../zz_authbackendrole_terraformed.go | 129 ++ apis/aws/v1alpha1/zz_authbackendrole_types.go | 698 +++++++++++ .../v1alpha1/zz_generated.conversion_hubs.go | 10 + apis/aws/v1alpha1/zz_generated.deepcopy.go | 780 ++++++++++++ apis/aws/v1alpha1/zz_generated.managed.go | 68 ++ apis/aws/v1alpha1/zz_generated.managedlist.go | 17 + apis/aws/v1alpha1/zz_groupversion_info.go | 32 + .../zz_authbackendrole_terraformed.go | 129 ++ apis/jwt/v1alpha1/zz_authbackendrole_types.go | 621 ++++++++++ .../v1alpha1/zz_generated.conversion_hubs.go | 10 + apis/jwt/v1alpha1/zz_generated.deepcopy.go | 748 ++++++++++++ apis/jwt/v1alpha1/zz_generated.managed.go | 68 ++ apis/jwt/v1alpha1/zz_generated.managedlist.go | 17 + apis/jwt/v1alpha1/zz_groupversion_info.go | 32 + .../v1alpha1/zz_generated.conversion_hubs.go | 10 + apis/vault/v1alpha1/zz_generated.deepcopy.go | 187 +++ apis/vault/v1alpha1/zz_generated.managed.go | 68 ++ .../v1alpha1/zz_generated.managedlist.go | 17 + apis/vault/v1alpha1/zz_groupversion_info.go | 32 + apis/vault/v1alpha1/zz_policy_terraformed.go | 129 ++ apis/vault/v1alpha1/zz_policy_types.go | 121 ++ apis/zz_register.go | 8 +- cmd/provider/main.go | 16 + config/external_name.go | 3 + .../aws/v1alpha1/authbackendrole.yaml | 33 + .../jwt/v1alpha1/authbackendrole.yaml | 22 + examples-generated/vault/v1alpha1/policy.yaml | 14 + go.mod | 70 +- go.sum | 139 ++- .../aws/authbackendrole/zz_controller.go | 88 ++ .../jwt/authbackendrole/zz_controller.go | 88 ++ .../controller/vault/policy/zz_controller.go | 88 ++ internal/controller/zz_setup.go | 10 +- ...aws.vault.upbound.io_authbackendroles.yaml | 1065 +++++++++++++++++ ...jwt.vault.upbound.io_authbackendroles.yaml | 968 +++++++++++++++ .../crds/vault.vault.upbound.io_policies.yaml | 370 ++++++ 37 files changed, 6798 insertions(+), 109 deletions(-) create mode 100755 
apis/aws/v1alpha1/zz_authbackendrole_terraformed.go create mode 100755 apis/aws/v1alpha1/zz_authbackendrole_types.go create mode 100755 apis/aws/v1alpha1/zz_generated.conversion_hubs.go create mode 100644 apis/aws/v1alpha1/zz_generated.deepcopy.go create mode 100644 apis/aws/v1alpha1/zz_generated.managed.go create mode 100644 apis/aws/v1alpha1/zz_generated.managedlist.go create mode 100755 apis/aws/v1alpha1/zz_groupversion_info.go create mode 100755 apis/jwt/v1alpha1/zz_authbackendrole_terraformed.go create mode 100755 apis/jwt/v1alpha1/zz_authbackendrole_types.go create mode 100755 apis/jwt/v1alpha1/zz_generated.conversion_hubs.go create mode 100644 apis/jwt/v1alpha1/zz_generated.deepcopy.go create mode 100644 apis/jwt/v1alpha1/zz_generated.managed.go create mode 100644 apis/jwt/v1alpha1/zz_generated.managedlist.go create mode 100755 apis/jwt/v1alpha1/zz_groupversion_info.go create mode 100755 apis/vault/v1alpha1/zz_generated.conversion_hubs.go create mode 100644 apis/vault/v1alpha1/zz_generated.deepcopy.go create mode 100644 apis/vault/v1alpha1/zz_generated.managed.go create mode 100644 apis/vault/v1alpha1/zz_generated.managedlist.go create mode 100755 apis/vault/v1alpha1/zz_groupversion_info.go create mode 100755 apis/vault/v1alpha1/zz_policy_terraformed.go create mode 100755 apis/vault/v1alpha1/zz_policy_types.go create mode 100644 examples-generated/aws/v1alpha1/authbackendrole.yaml create mode 100644 examples-generated/jwt/v1alpha1/authbackendrole.yaml create mode 100644 examples-generated/vault/v1alpha1/policy.yaml create mode 100755 internal/controller/aws/authbackendrole/zz_controller.go create mode 100755 internal/controller/jwt/authbackendrole/zz_controller.go create mode 100755 internal/controller/vault/policy/zz_controller.go create mode 100644 package/crds/aws.vault.upbound.io_authbackendroles.yaml create mode 100644 package/crds/jwt.vault.upbound.io_authbackendroles.yaml create mode 100644 package/crds/vault.vault.upbound.io_policies.yaml 
diff --git a/Makefile b/Makefile
index ada3701..eff8d84 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ export TERRAFORM_PROVIDER_VERSION ?= 4.3.0
 export TERRAFORM_PROVIDER_DOWNLOAD_NAME ?= terraform-provider-vault
 export TERRAFORM_DOCS_PATH ?= website/docs/r
-CROSSPLANE_VERSION ?= 1.16.0
+CROSSPLANE_VERSION ?= 1.17.1
 PLATFORMS ?= linux_amd64 linux_arm64
diff --git a/apis/aws/v1alpha1/zz_authbackendrole_terraformed.go b/apis/aws/v1alpha1/zz_authbackendrole_terraformed.go
new file mode 100755
index 0000000..4c6ed6c
--- /dev/null
+++ b/apis/aws/v1alpha1/zz_authbackendrole_terraformed.go
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendRole +func (mg *AuthBackendRole) GetTerraformResourceType() string { + return "vault_aws_auth_backend_role" +} + +// GetConnectionDetailsMapping for this AuthBackendRole +func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendRole +func (tr *AuthBackendRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendRole +func (tr *AuthBackendRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendRole +func (tr *AuthBackendRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendRole +func (tr *AuthBackendRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendRole +func (tr 
*AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/aws/v1alpha1/zz_authbackendrole_types.go b/apis/aws/v1alpha1/zz_authbackendrole_types.go new file mode 100755 index 0000000..43e00d3 --- /dev/null +++ b/apis/aws/v1alpha1/zz_authbackendrole_types.go 
@@ -0,0 +1,698 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + + v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" +) + +type AuthBackendRoleInitParameters struct { + + // If set to true, allows migration of + // the underlying instance where the client resides. + // When true, allows migration of the underlying instance where the client resides. Use with caution. + AllowInstanceMigration *bool `json:"allowInstanceMigration,omitempty" tf:"allow_instance_migration,omitempty"` + + // The auth type permitted for this role. Valid choices + // are ec2 and iam. Defaults to iam. + // The auth type permitted for this role. + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + + // Path to the mounted aws auth backend. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that they should be using the AMI ID + // specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances using this AMI ID will be permitted to log in. + // +listType=set + BoundAMIIds []*string `json:"boundAmiIds,omitempty" tf:"bound_ami_ids,omitempty"` + + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they should be using the + // account ID specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances with this account ID in their identity document will be permitted to log in. 
+ // +listType=set + BoundAccountIds []*string `json:"boundAccountIds,omitempty" tf:"bound_account_ids,omitempty"` + + // Only EC2 instances that match this instance ID will be permitted to log in. + // +listType=set + BoundEC2InstanceIds []*string `json:"boundEc2InstanceIds,omitempty" tf:"bound_ec2_instance_ids,omitempty"` + + // If set, defines a constraint on + // the EC2 instances that can perform the login operation that they must be + // associated with an IAM instance profile ARN which has a prefix that matches + // the value specified by this field. The value is prefix-matched as though it + // were a glob ending in *. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. + // +listType=set + BoundIAMInstanceProfileArns []*string `json:"boundIamInstanceProfileArns,omitempty" tf:"bound_iam_instance_profile_arns,omitempty"` + + // If set, defines the IAM principal that + // must be authenticated when auth_type is set to iam. Wildcards are + // supported at the end of the ARN. + // The IAM principal that must be authenticated using the iam auth method. + // +listType=set + BoundIAMPrincipalArns []*string `json:"boundIamPrincipalArns,omitempty" tf:"bound_iam_principal_arns,omitempty"` + + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they must match the IAM + // role ARN specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances that match this IAM role ARN will be permitted to log in. 
+ // +listType=set + BoundIAMRoleArns []*string `json:"boundIamRoleArns,omitempty" tf:"bound_iam_role_arns,omitempty"` + + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that the region in their identity + // document must match the one specified by this field. auth_type must be set + // to ec2 or inferred_entity_type must be set to ec2_instance to use this + // constraint. + // Only EC2 instances in this region will be permitted to log in. + // +listType=set + BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` + + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they be associated with + // the subnet ID that matches the value specified by this field. auth_type + // must be set to ec2 or inferred_entity_type must be set to ec2_instance + // to use this constraint. + // Only EC2 instances associated with this subnet ID will be permitted to log in. + // +listType=set + BoundSubnetIds []*string `json:"boundSubnetIds,omitempty" tf:"bound_subnet_ids,omitempty"` + + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that they be associated with the VPC ID + // that matches the value specified by this field. auth_type must be set to + // ec2 or inferred_entity_type must be set to ec2_instance to use this + // constraint. + // Only EC2 instances associated with this VPC ID will be permitted to log in. + // +listType=set + BoundVPCIds []*string `json:"boundVpcIds,omitempty" tf:"bound_vpc_ids,omitempty"` + + // IF set to true, only allows a + // single token to be granted per instance ID. This can only be set when + // auth_type is set to ec2. + // When true, only allows a single token to be granted per instance ID. 
+ DisallowReauthentication *bool `json:"disallowReauthentication,omitempty" tf:"disallow_reauthentication,omitempty"` + + // When inferred_entity_type is set, this + // is the region to search for the inferred entities. Required if + // inferred_entity_type is set. This only applies when auth_type is set to + // iam. + // The region to search for the inferred entities in. + InferredAwsRegion *string `json:"inferredAwsRegion,omitempty" tf:"inferred_aws_region,omitempty"` + + // If set, instructs Vault to turn on + // inferencing. The only valid value is ec2_instance, which instructs Vault to + // infer that the role comes from an EC2 instance in an IAM instance profile. + // This only applies when auth_type is set to iam. + // The type of inferencing Vault should do. + InferredEntityType *string `json:"inferredEntityType,omitempty" tf:"inferred_entity_type,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Only valid when + // auth_type is iam. If set to true, the bound_iam_principal_arns are + // resolved to AWS Unique + // IDs + // for the bound principal ARN. This field is ignored when a + // bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more + // closely mimics the behavior of AWS services in that if an IAM user or role is + // deleted and a new one is recreated with the same name, those new users or + // roles won't get access to roles in Vault that were permissioned to the prior + // principals of the same name. Defaults to true. + // Once set to true, this cannot be changed to false without recreating the role. + // Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. 
When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. + ResolveAwsUniqueIds *bool `json:"resolveAwsUniqueIds,omitempty" tf:"resolve_aws_unique_ids,omitempty"` + + // The name of the role. + // Name of the role. + Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // If set, enable role tags for this role. The value set + // for this field should be the key of the tag on the EC2 instance. auth_type + // must be set to ec2 or inferred_entity_type must be set to ec2_instance + // to use this constraint. + // The key of the tag on EC2 instance to use for role tags. + RoleTag *string `json:"roleTag,omitempty" tf:"role_tag,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. 
+ // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + // +listType=set + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. 
+ // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` +} + +type AuthBackendRoleObservation struct { + + // If set to true, allows migration of + // the underlying instance where the client resides. + // When true, allows migration of the underlying instance where the client resides. Use with caution. + AllowInstanceMigration *bool `json:"allowInstanceMigration,omitempty" tf:"allow_instance_migration,omitempty"` + + // The auth type permitted for this role. Valid choices + // are ec2 and iam. Defaults to iam. + // The auth type permitted for this role. + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + + // Path to the mounted aws auth backend. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that they should be using the AMI ID + // specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances using this AMI ID will be permitted to log in. + // +listType=set + BoundAMIIds []*string `json:"boundAmiIds,omitempty" tf:"bound_ami_ids,omitempty"` + + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they should be using the + // account ID specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances with this account ID in their identity document will be permitted to log in. + // +listType=set + BoundAccountIds []*string `json:"boundAccountIds,omitempty" tf:"bound_account_ids,omitempty"` + + // Only EC2 instances that match this instance ID will be permitted to log in. 
+ // +listType=set + BoundEC2InstanceIds []*string `json:"boundEc2InstanceIds,omitempty" tf:"bound_ec2_instance_ids,omitempty"` + + // If set, defines a constraint on + // the EC2 instances that can perform the login operation that they must be + // associated with an IAM instance profile ARN which has a prefix that matches + // the value specified by this field. The value is prefix-matched as though it + // were a glob ending in *. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. + // +listType=set + BoundIAMInstanceProfileArns []*string `json:"boundIamInstanceProfileArns,omitempty" tf:"bound_iam_instance_profile_arns,omitempty"` + + // If set, defines the IAM principal that + // must be authenticated when auth_type is set to iam. Wildcards are + // supported at the end of the ARN. + // The IAM principal that must be authenticated using the iam auth method. + // +listType=set + BoundIAMPrincipalArns []*string `json:"boundIamPrincipalArns,omitempty" tf:"bound_iam_principal_arns,omitempty"` + + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they must match the IAM + // role ARN specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances that match this IAM role ARN will be permitted to log in. + // +listType=set + BoundIAMRoleArns []*string `json:"boundIamRoleArns,omitempty" tf:"bound_iam_role_arns,omitempty"` + + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that the region in their identity + // document must match the one specified by this field. auth_type must be set + // to ec2 or inferred_entity_type must be set to ec2_instance to use this + // constraint. 
+ // Only EC2 instances in this region will be permitted to log in. + // +listType=set + BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` + + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they be associated with + // the subnet ID that matches the value specified by this field. auth_type + // must be set to ec2 or inferred_entity_type must be set to ec2_instance + // to use this constraint. + // Only EC2 instances associated with this subnet ID will be permitted to log in. + // +listType=set + BoundSubnetIds []*string `json:"boundSubnetIds,omitempty" tf:"bound_subnet_ids,omitempty"` + + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that they be associated with the VPC ID + // that matches the value specified by this field. auth_type must be set to + // ec2 or inferred_entity_type must be set to ec2_instance to use this + // constraint. + // Only EC2 instances associated with this VPC ID will be permitted to log in. + // +listType=set + BoundVPCIds []*string `json:"boundVpcIds,omitempty" tf:"bound_vpc_ids,omitempty"` + + // IF set to true, only allows a + // single token to be granted per instance ID. This can only be set when + // auth_type is set to ec2. + // When true, only allows a single token to be granted per instance ID. + DisallowReauthentication *bool `json:"disallowReauthentication,omitempty" tf:"disallow_reauthentication,omitempty"` + + ID *string `json:"id,omitempty" tf:"id,omitempty"` + + // When inferred_entity_type is set, this + // is the region to search for the inferred entities. Required if + // inferred_entity_type is set. This only applies when auth_type is set to + // iam. + // The region to search for the inferred entities in. + InferredAwsRegion *string `json:"inferredAwsRegion,omitempty" tf:"inferred_aws_region,omitempty"` + + // If set, instructs Vault to turn on + // inferencing. 
The only valid value is ec2_instance, which instructs Vault to + // infer that the role comes from an EC2 instance in an IAM instance profile. + // This only applies when auth_type is set to iam. + // The type of inferencing Vault should do. + InferredEntityType *string `json:"inferredEntityType,omitempty" tf:"inferred_entity_type,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Only valid when + // auth_type is iam. If set to true, the bound_iam_principal_arns are + // resolved to AWS Unique + // IDs + // for the bound principal ARN. This field is ignored when a + // bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more + // closely mimics the behavior of AWS services in that if an IAM user or role is + // deleted and a new one is recreated with the same name, those new users or + // roles won't get access to roles in Vault that were permissioned to the prior + // principals of the same name. Defaults to true. + // Once set to true, this cannot be changed to false without recreating the role. + // Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. + ResolveAwsUniqueIds *bool `json:"resolveAwsUniqueIds,omitempty" tf:"resolve_aws_unique_ids,omitempty"` + + // The name of the role. + // Name of the role. + Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // The Vault generated role ID. + // The Vault generated role ID. 
+ RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` + + // If set, enable role tags for this role. The value set + // for this field should be the key of the tag on the EC2 instance. auth_type + // must be set to ec2 or inferred_entity_type must be set to ec2_instance + // to use this constraint. + // The key of the tag on EC2 instance to use for role tags. + RoleTag *string `json:"roleTag,omitempty" tf:"role_tag,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. 
+ // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + // +listType=set + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` +} + +type AuthBackendRoleParameters struct { + + // If set to true, allows migration of + // the underlying instance where the client resides. + // When true, allows migration of the underlying instance where the client resides. Use with caution. 
+ // +kubebuilder:validation:Optional + AllowInstanceMigration *bool `json:"allowInstanceMigration,omitempty" tf:"allow_instance_migration,omitempty"` + + // The auth type permitted for this role. Valid choices + // are ec2 and iam. Defaults to iam. + // The auth type permitted for this role. + // +kubebuilder:validation:Optional + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + + // Path to the mounted aws auth backend. + // Unique name of the auth backend to configure. + // +kubebuilder:validation:Optional + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that they should be using the AMI ID + // specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances using this AMI ID will be permitted to log in. + // +kubebuilder:validation:Optional + // +listType=set + BoundAMIIds []*string `json:"boundAmiIds,omitempty" tf:"bound_ami_ids,omitempty"` + + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they should be using the + // account ID specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances with this account ID in their identity document will be permitted to log in. + // +kubebuilder:validation:Optional + // +listType=set + BoundAccountIds []*string `json:"boundAccountIds,omitempty" tf:"bound_account_ids,omitempty"` + + // Only EC2 instances that match this instance ID will be permitted to log in. 
+ // +kubebuilder:validation:Optional + // +listType=set + BoundEC2InstanceIds []*string `json:"boundEc2InstanceIds,omitempty" tf:"bound_ec2_instance_ids,omitempty"` + + // If set, defines a constraint on + // the EC2 instances that can perform the login operation that they must be + // associated with an IAM instance profile ARN which has a prefix that matches + // the value specified by this field. The value is prefix-matched as though it + // were a glob ending in *. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. + // +kubebuilder:validation:Optional + // +listType=set + BoundIAMInstanceProfileArns []*string `json:"boundIamInstanceProfileArns,omitempty" tf:"bound_iam_instance_profile_arns,omitempty"` + + // If set, defines the IAM principal that + // must be authenticated when auth_type is set to iam. Wildcards are + // supported at the end of the ARN. + // The IAM principal that must be authenticated using the iam auth method. + // +kubebuilder:validation:Optional + // +listType=set + BoundIAMPrincipalArns []*string `json:"boundIamPrincipalArns,omitempty" tf:"bound_iam_principal_arns,omitempty"` + + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they must match the IAM + // role ARN specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances that match this IAM role ARN will be permitted to log in. 
+ // +kubebuilder:validation:Optional + // +listType=set + BoundIAMRoleArns []*string `json:"boundIamRoleArns,omitempty" tf:"bound_iam_role_arns,omitempty"` + + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that the region in their identity + // document must match the one specified by this field. auth_type must be set + // to ec2 or inferred_entity_type must be set to ec2_instance to use this + // constraint. + // Only EC2 instances in this region will be permitted to log in. + // +kubebuilder:validation:Optional + // +listType=set + BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` + + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they be associated with + // the subnet ID that matches the value specified by this field. auth_type + // must be set to ec2 or inferred_entity_type must be set to ec2_instance + // to use this constraint. + // Only EC2 instances associated with this subnet ID will be permitted to log in. + // +kubebuilder:validation:Optional + // +listType=set + BoundSubnetIds []*string `json:"boundSubnetIds,omitempty" tf:"bound_subnet_ids,omitempty"` + + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that they be associated with the VPC ID + // that matches the value specified by this field. auth_type must be set to + // ec2 or inferred_entity_type must be set to ec2_instance to use this + // constraint. + // Only EC2 instances associated with this VPC ID will be permitted to log in. + // +kubebuilder:validation:Optional + // +listType=set + BoundVPCIds []*string `json:"boundVpcIds,omitempty" tf:"bound_vpc_ids,omitempty"` + + // IF set to true, only allows a + // single token to be granted per instance ID. This can only be set when + // auth_type is set to ec2. + // When true, only allows a single token to be granted per instance ID. 
+ // +kubebuilder:validation:Optional + DisallowReauthentication *bool `json:"disallowReauthentication,omitempty" tf:"disallow_reauthentication,omitempty"` + + // When inferred_entity_type is set, this + // is the region to search for the inferred entities. Required if + // inferred_entity_type is set. This only applies when auth_type is set to + // iam. + // The region to search for the inferred entities in. + // +kubebuilder:validation:Optional + InferredAwsRegion *string `json:"inferredAwsRegion,omitempty" tf:"inferred_aws_region,omitempty"` + + // If set, instructs Vault to turn on + // inferencing. The only valid value is ec2_instance, which instructs Vault to + // infer that the role comes from an EC2 instance in an IAM instance profile. + // This only applies when auth_type is set to iam. + // The type of inferencing Vault should do. + // +kubebuilder:validation:Optional + InferredEntityType *string `json:"inferredEntityType,omitempty" tf:"inferred_entity_type,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + // +kubebuilder:validation:Optional + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Only valid when + // auth_type is iam. If set to true, the bound_iam_principal_arns are + // resolved to AWS Unique + // IDs + // for the bound principal ARN. This field is ignored when a + // bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more + // closely mimics the behavior of AWS services in that if an IAM user or role is + // deleted and a new one is recreated with the same name, those new users or + // roles won't get access to roles in Vault that were permissioned to the prior + // principals of the same name. Defaults to true. 
+ // Once set to true, this cannot be changed to false without recreating the role. + // Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. + // +kubebuilder:validation:Optional + ResolveAwsUniqueIds *bool `json:"resolveAwsUniqueIds,omitempty" tf:"resolve_aws_unique_ids,omitempty"` + + // The name of the role. + // Name of the role. + // +kubebuilder:validation:Optional + Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // If set, enable role tags for this role. The value set + // for this field should be the key of the tag on the EC2 instance. auth_type + // must be set to ec2 or inferred_entity_type must be set to ec2_instance + // to use this constraint. + // The key of the tag on EC2 instance to use for role tags. + // +kubebuilder:validation:Optional + RoleTag *string `json:"roleTag,omitempty" tf:"role_tag,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + // +kubebuilder:validation:Optional + // +listType=set + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + // +kubebuilder:validation:Optional + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. 
+ // The maximum lifetime of the generated token + // +kubebuilder:validation:Optional + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. + // If true, the 'default' policy will not automatically be added to generated tokens + // +kubebuilder:validation:Optional + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. + // The maximum number of times a token may be used, a value of zero means unlimited + // +kubebuilder:validation:Optional + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. + // Generated Token's Period + // +kubebuilder:validation:Optional + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + // +kubebuilder:validation:Optional + // +listType=set + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The initial ttl of the token to generate in seconds + // +kubebuilder:validation:Optional + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. 
Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + // The type of token to generate, service or batch + // +kubebuilder:validation:Optional + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` +} + +// AuthBackendRoleSpec defines the desired state of AuthBackendRole +type AuthBackendRoleSpec struct { + v1.ResourceSpec `json:",inline"` + ForProvider AuthBackendRoleParameters `json:"forProvider"` + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"` +} + +// AuthBackendRoleStatus defines the observed state of AuthBackendRole. +type AuthBackendRoleStatus struct { + v1.ResourceStatus `json:",inline"` + AtProvider AuthBackendRoleObservation `json:"atProvider,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion + +// AuthBackendRole is the Schema for the AuthBackendRoles API. Manages AWS auth backend roles in Vault. 
+// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} +type AuthBackendRole struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || (has(self.initProvider) && has(self.initProvider.role))",message="spec.forProvider.role is a required parameter" + Spec AuthBackendRoleSpec `json:"spec"` + Status AuthBackendRoleStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// AuthBackendRoleList contains a list of AuthBackendRoles +type AuthBackendRoleList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []AuthBackendRole `json:"items"` +} + +// Repository type metadata. +var ( + AuthBackendRole_Kind = "AuthBackendRole" + AuthBackendRole_GroupKind = schema.GroupKind{Group: CRDGroup, Kind: AuthBackendRole_Kind}.String() + AuthBackendRole_KindAPIVersion = AuthBackendRole_Kind + "." + CRDGroupVersion.String() + AuthBackendRole_GroupVersionKind = CRDGroupVersion.WithKind(AuthBackendRole_Kind) +) + +func init() { + SchemeBuilder.Register(&AuthBackendRole{}, &AuthBackendRoleList{}) +} diff --git a/apis/aws/v1alpha1/zz_generated.conversion_hubs.go b/apis/aws/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 0000000..ee67874 --- /dev/null +++ b/apis/aws/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRole) Hub() {} diff --git a/apis/aws/v1alpha1/zz_generated.deepcopy.go b/apis/aws/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 0000000..8727252 --- /dev/null +++ b/apis/aws/v1alpha1/zz_generated.deepcopy.go 
@@ -0,0 +1,780 @@ +//go:build !ignore_autogenerated + +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRole) DeepCopyInto(out *AuthBackendRole) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRole. +func (in *AuthBackendRole) DeepCopy() *AuthBackendRole { + if in == nil { + return nil + } + out := new(AuthBackendRole) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *AuthBackendRole) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitParameters) { + *out = *in + if in.AllowInstanceMigration != nil { + in, out := &in.AllowInstanceMigration, &out.AllowInstanceMigration + *out = new(bool) + **out = **in + } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BoundAMIIds != nil { + in, out := &in.BoundAMIIds, &out.BoundAMIIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundAccountIds != nil { + in, out := &in.BoundAccountIds, &out.BoundAccountIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundEC2InstanceIds != nil { + in, out := &in.BoundEC2InstanceIds, &out.BoundEC2InstanceIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundIAMInstanceProfileArns != nil { + in, out := &in.BoundIAMInstanceProfileArns, &out.BoundIAMInstanceProfileArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundIAMPrincipalArns != nil { + in, out := &in.BoundIAMPrincipalArns, &out.BoundIAMPrincipalArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundIAMRoleArns != nil { + in, out := &in.BoundIAMRoleArns, &out.BoundIAMRoleArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = 
new(string) + **out = **in + } + } + } + if in.BoundRegions != nil { + in, out := &in.BoundRegions, &out.BoundRegions + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundSubnetIds != nil { + in, out := &in.BoundSubnetIds, &out.BoundSubnetIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundVPCIds != nil { + in, out := &in.BoundVPCIds, &out.BoundVPCIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DisallowReauthentication != nil { + in, out := &in.DisallowReauthentication, &out.DisallowReauthentication + *out = new(bool) + **out = **in + } + if in.InferredAwsRegion != nil { + in, out := &in.InferredAwsRegion, &out.InferredAwsRegion + *out = new(string) + **out = **in + } + if in.InferredEntityType != nil { + in, out := &in.InferredEntityType, &out.InferredEntityType + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.ResolveAwsUniqueIds != nil { + in, out := &in.ResolveAwsUniqueIds, &out.ResolveAwsUniqueIds + *out = new(bool) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.RoleTag != nil { + in, out := &in.RoleTag, &out.RoleTag + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + 
*out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters. +func (in *AuthBackendRoleInitParameters) DeepCopy() *AuthBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]AuthBackendRole, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleList. 
+func (in *AuthBackendRoleList) DeepCopy() *AuthBackendRoleList { + if in == nil { + return nil + } + out := new(AuthBackendRoleList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *AuthBackendRoleList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleObservation) DeepCopyInto(out *AuthBackendRoleObservation) { + *out = *in + if in.AllowInstanceMigration != nil { + in, out := &in.AllowInstanceMigration, &out.AllowInstanceMigration + *out = new(bool) + **out = **in + } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BoundAMIIds != nil { + in, out := &in.BoundAMIIds, &out.BoundAMIIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundAccountIds != nil { + in, out := &in.BoundAccountIds, &out.BoundAccountIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundEC2InstanceIds != nil { + in, out := &in.BoundEC2InstanceIds, &out.BoundEC2InstanceIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundIAMInstanceProfileArns != nil { + in, out := &in.BoundIAMInstanceProfileArns, &out.BoundIAMInstanceProfileArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = 
new(string) + **out = **in + } + } + } + if in.BoundIAMPrincipalArns != nil { + in, out := &in.BoundIAMPrincipalArns, &out.BoundIAMPrincipalArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundIAMRoleArns != nil { + in, out := &in.BoundIAMRoleArns, &out.BoundIAMRoleArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundRegions != nil { + in, out := &in.BoundRegions, &out.BoundRegions + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundSubnetIds != nil { + in, out := &in.BoundSubnetIds, &out.BoundSubnetIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundVPCIds != nil { + in, out := &in.BoundVPCIds, &out.BoundVPCIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DisallowReauthentication != nil { + in, out := &in.DisallowReauthentication, &out.DisallowReauthentication + *out = new(bool) + **out = **in + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.InferredAwsRegion != nil { + in, out := &in.InferredAwsRegion, &out.InferredAwsRegion + *out = new(string) + **out = **in + } + if in.InferredEntityType != nil { + in, out := &in.InferredEntityType, &out.InferredEntityType + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.ResolveAwsUniqueIds != nil { + in, out := &in.ResolveAwsUniqueIds, 
&out.ResolveAwsUniqueIds + *out = new(bool) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.RoleID != nil { + in, out := &in.RoleID, &out.RoleID + *out = new(string) + **out = **in + } + if in.RoleTag != nil { + in, out := &in.RoleTag, &out.RoleTag + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleObservation. 
+func (in *AuthBackendRoleObservation) DeepCopy() *AuthBackendRoleObservation { + if in == nil { + return nil + } + out := new(AuthBackendRoleObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters) { + *out = *in + if in.AllowInstanceMigration != nil { + in, out := &in.AllowInstanceMigration, &out.AllowInstanceMigration + *out = new(bool) + **out = **in + } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BoundAMIIds != nil { + in, out := &in.BoundAMIIds, &out.BoundAMIIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundAccountIds != nil { + in, out := &in.BoundAccountIds, &out.BoundAccountIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundEC2InstanceIds != nil { + in, out := &in.BoundEC2InstanceIds, &out.BoundEC2InstanceIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundIAMInstanceProfileArns != nil { + in, out := &in.BoundIAMInstanceProfileArns, &out.BoundIAMInstanceProfileArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundIAMPrincipalArns != nil { + in, out := &in.BoundIAMPrincipalArns, &out.BoundIAMPrincipalArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { 
+ in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundIAMRoleArns != nil { + in, out := &in.BoundIAMRoleArns, &out.BoundIAMRoleArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundRegions != nil { + in, out := &in.BoundRegions, &out.BoundRegions + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundSubnetIds != nil { + in, out := &in.BoundSubnetIds, &out.BoundSubnetIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundVPCIds != nil { + in, out := &in.BoundVPCIds, &out.BoundVPCIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DisallowReauthentication != nil { + in, out := &in.DisallowReauthentication, &out.DisallowReauthentication + *out = new(bool) + **out = **in + } + if in.InferredAwsRegion != nil { + in, out := &in.InferredAwsRegion, &out.InferredAwsRegion + *out = new(string) + **out = **in + } + if in.InferredEntityType != nil { + in, out := &in.InferredEntityType, &out.InferredEntityType + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.ResolveAwsUniqueIds != nil { + in, out := &in.ResolveAwsUniqueIds, &out.ResolveAwsUniqueIds + *out = new(bool) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.RoleTag != nil { + in, out := &in.RoleTag, &out.RoleTag + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := 
&in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleParameters. +func (in *AuthBackendRoleParameters) DeepCopy() *AuthBackendRoleParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec. +func (in *AuthBackendRoleSpec) DeepCopy() *AuthBackendRoleSpec { + if in == nil { + return nil + } + out := new(AuthBackendRoleSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleStatus) DeepCopyInto(out *AuthBackendRoleStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleStatus. +func (in *AuthBackendRoleStatus) DeepCopy() *AuthBackendRoleStatus { + if in == nil { + return nil + } + out := new(AuthBackendRoleStatus) + in.DeepCopyInto(out) + return out +} diff --git a/apis/aws/v1alpha1/zz_generated.managed.go b/apis/aws/v1alpha1/zz_generated.managed.go new file mode 100644 index 0000000..e2e30b5 --- /dev/null +++ b/apis/aws/v1alpha1/zz_generated.managed.go 
@@ -0,0 +1,68 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + +// GetCondition of this AuthBackendRole. +func (mg *AuthBackendRole) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this AuthBackendRole. +func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies +} + +// GetProviderConfigReference of this AuthBackendRole. +func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +// GetPublishConnectionDetailsTo of this AuthBackendRole. +func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { + return mg.Spec.PublishConnectionDetailsTo +} + +// GetWriteConnectionSecretToReference of this AuthBackendRole. +func (mg *AuthBackendRole) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this AuthBackendRole. +func (mg *AuthBackendRole) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetDeletionPolicy of this AuthBackendRole. +func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r +} + +// SetProviderConfigReference of this AuthBackendRole. +func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +// SetPublishConnectionDetailsTo of this AuthBackendRole. 
+func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { + mg.Spec.PublishConnectionDetailsTo = r +} + +// SetWriteConnectionSecretToReference of this AuthBackendRole. +func (mg *AuthBackendRole) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} diff --git a/apis/aws/v1alpha1/zz_generated.managedlist.go b/apis/aws/v1alpha1/zz_generated.managedlist.go new file mode 100644 index 0000000..50919b3 --- /dev/null +++ b/apis/aws/v1alpha1/zz_generated.managedlist.go @@ -0,0 +1,17 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import resource "github.com/crossplane/crossplane-runtime/pkg/resource" + +// GetItems of this AuthBackendRoleList. +func (l *AuthBackendRoleList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} diff --git a/apis/aws/v1alpha1/zz_groupversion_info.go b/apis/aws/v1alpha1/zz_groupversion_info.go new file mode 100755 index 0000000..59b90b0 --- /dev/null +++ b/apis/aws/v1alpha1/zz_groupversion_info.go 
@@ -0,0 +1,32 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +// +kubebuilder:object:generate=true +// +groupName=aws.vault.upbound.io +// +versionName=v1alpha1 +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +// Package type metadata. +const ( + CRDGroup = "aws.vault.upbound.io" + CRDVersion = "v1alpha1" +) + +var ( + // CRDGroupVersion is the API Group Version used to register the objects + CRDGroupVersion = schema.GroupVersion{Group: CRDGroup, Version: CRDVersion} + + // SchemeBuilder is used to add go types to the GroupVersionKind scheme + SchemeBuilder = &scheme.Builder{GroupVersion: CRDGroupVersion} + + // AddToScheme adds the types in this group-version to the given scheme. + AddToScheme = SchemeBuilder.AddToScheme +) diff --git a/apis/jwt/v1alpha1/zz_authbackendrole_terraformed.go b/apis/jwt/v1alpha1/zz_authbackendrole_terraformed.go new file mode 100755 index 0000000..ad61d4b --- /dev/null +++ b/apis/jwt/v1alpha1/zz_authbackendrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendRole +func (mg *AuthBackendRole) GetTerraformResourceType() string { + return "vault_jwt_auth_backend_role" +} + +// GetConnectionDetailsMapping for this AuthBackendRole +func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendRole +func (tr *AuthBackendRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendRole +func (tr *AuthBackendRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendRole +func (tr *AuthBackendRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendRole +func (tr *AuthBackendRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendRole +func (tr 
*AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/jwt/v1alpha1/zz_authbackendrole_types.go b/apis/jwt/v1alpha1/zz_authbackendrole_types.go new file mode 100755 index 0000000..7f24af1 --- /dev/null +++ b/apis/jwt/v1alpha1/zz_authbackendrole_types.go 
@@ -0,0 +1,621 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + + v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" +) + +type AuthBackendRoleInitParameters struct { + + // The list of allowed values for redirect_uri during OIDC logins. + // Required for OIDC roles + // The list of allowed values for redirect_uri during OIDC logins. + // +listType=set + AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"` + + // The unique name of the auth backend to configure. + // Defaults to jwt. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // List of aud claims to match against. Any match is sufficient. + // List of aud claims to match against. Any match is sufficient. + // +listType=set + BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"` + + // If set, a map of claims to values to match against. + // A claim's value must be a string, which may contain one value or multiple + // comma-separated values, e.g. "red" or "red,green,blue". + // Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. + // +mapType=granular + BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"` + + // How to interpret values in the claims/values + // map (bound_claims): can be either string (exact match) or glob (wildcard + // match). Requires Vault 1.4.0 or above. + // How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). + BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"` + + // If set, requires that the sub claim matches + // this value. 
+ // If set, requires that the sub claim matches this value. + BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"` + + // If set, a map of claims (keys) to be copied + // to specified metadata fields (values). + // Map of claims (keys) to be copied to specified metadata fields (values). + // +mapType=granular + ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"` + + // The amount of leeway to add to all claims to account for clock skew, in + // seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. + // The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"` + + // Disable bound claim value parsing. Useful when values contain commas. + DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"` + + // The amount of leeway to add to expiration (exp) claims to account for + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. + // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"` + + // The claim to use to uniquely identify + // the set of groups to which the user belongs; this will be used as the names + // for the Identity group aliases created due to a successful login. The claim + // value must be a list of strings. 
+ // The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. + GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"` + + // Specifies the allowable elapsed time in seconds since the last time + // the user was actively authenticated with the OIDC provider. + // Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. + MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The amount of leeway to add to not before (nbf) claims to account for + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. + // The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"` + + // If set, a list of OIDC scopes to be used with an OIDC role. + // The standard scope "openid" is automatically included and need not be specified. + // List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. + // +listType=set + OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"` + + // The name of the role. + // Name of the role. 
+ RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + + // Type of role, either "oidc" (default) or "jwt". + // Type of role, either "oidc" (default) or "jwt" + RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. 
The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + // +listType=set + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + + // The claim to use to uniquely identify + // the user; this will be used as the name for the Identity entity alias created + // due to a successful login. + // The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. + UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"` + + // Specifies if the user_claim value uses + // JSON pointer + // syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + // Requires Vault 1.11+. 
+ // Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"` + + // Log received OIDC tokens and claims when debug-level + // logging is active. Not recommended in production since sensitive information may be present + // in OIDC responses. + // Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. + VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"` +} + +type AuthBackendRoleObservation struct { + + // The list of allowed values for redirect_uri during OIDC logins. + // Required for OIDC roles + // The list of allowed values for redirect_uri during OIDC logins. + // +listType=set + AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"` + + // The unique name of the auth backend to configure. + // Defaults to jwt. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // List of aud claims to match against. Any match is sufficient. + // List of aud claims to match against. Any match is sufficient. + // +listType=set + BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"` + + // If set, a map of claims to values to match against. + // A claim's value must be a string, which may contain one value or multiple + // comma-separated values, e.g. "red" or "red,green,blue". + // Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. 
+ // +mapType=granular + BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"` + + // How to interpret values in the claims/values + // map (bound_claims): can be either string (exact match) or glob (wildcard + // match). Requires Vault 1.4.0 or above. + // How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). + BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"` + + // If set, requires that the sub claim matches + // this value. + // If set, requires that the sub claim matches this value. + BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"` + + // If set, a map of claims (keys) to be copied + // to specified metadata fields (values). + // Map of claims (keys) to be copied to specified metadata fields (values). + // +mapType=granular + ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"` + + // The amount of leeway to add to all claims to account for clock skew, in + // seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. + // The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"` + + // Disable bound claim value parsing. Useful when values contain commas. + DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"` + + // The amount of leeway to add to expiration (exp) claims to account for + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. 
+ // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"` + + // The claim to use to uniquely identify + // the set of groups to which the user belongs; this will be used as the names + // for the Identity group aliases created due to a successful login. The claim + // value must be a list of strings. + // The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. + GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"` + + ID *string `json:"id,omitempty" tf:"id,omitempty"` + + // Specifies the allowable elapsed time in seconds since the last time + // the user was actively authenticated with the OIDC provider. + // Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. + MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The amount of leeway to add to not before (nbf) claims to account for + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. + // The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. 
Only applicable with 'jwt' roles. + NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"` + + // If set, a list of OIDC scopes to be used with an OIDC role. + // The standard scope "openid" is automatically included and need not be specified. + // List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. + // +listType=set + OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"` + + // The name of the role. + // Name of the role. + RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + + // Type of role, either "oidc" (default) or "jwt". + // Type of role, either "oidc" (default) or "jwt" + RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. 
+ // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + // +listType=set + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. 
+ // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + + // The claim to use to uniquely identify + // the user; this will be used as the name for the Identity entity alias created + // due to a successful login. + // The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. + UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"` + + // Specifies if the user_claim value uses + // JSON pointer + // syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + // Requires Vault 1.11+. + // Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"` + + // Log received OIDC tokens and claims when debug-level + // logging is active. Not recommended in production since sensitive information may be present + // in OIDC responses. + // Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. + VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"` +} + +type AuthBackendRoleParameters struct { + + // The list of allowed values for redirect_uri during OIDC logins. + // Required for OIDC roles + // The list of allowed values for redirect_uri during OIDC logins. + // +kubebuilder:validation:Optional + // +listType=set + AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"` + + // The unique name of the auth backend to configure. + // Defaults to jwt. + // Unique name of the auth backend to configure. 
+ // +kubebuilder:validation:Optional + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // List of aud claims to match against. Any match is sufficient. + // List of aud claims to match against. Any match is sufficient. + // +kubebuilder:validation:Optional + // +listType=set + BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"` + + // If set, a map of claims to values to match against. + // A claim's value must be a string, which may contain one value or multiple + // comma-separated values, e.g. "red" or "red,green,blue". + // Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. + // +kubebuilder:validation:Optional + // +mapType=granular + BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"` + + // How to interpret values in the claims/values + // map (bound_claims): can be either string (exact match) or glob (wildcard + // match). Requires Vault 1.4.0 or above. + // How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). + // +kubebuilder:validation:Optional + BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"` + + // If set, requires that the sub claim matches + // this value. + // If set, requires that the sub claim matches this value. + // +kubebuilder:validation:Optional + BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"` + + // If set, a map of claims (keys) to be copied + // to specified metadata fields (values). + // Map of claims (keys) to be copied to specified metadata fields (values). + // +kubebuilder:validation:Optional + // +mapType=granular + ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"` + + // The amount of leeway to add to all claims to account for clock skew, in + // seconds. 
Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. + // The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + // +kubebuilder:validation:Optional + ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"` + + // Disable bound claim value parsing. Useful when values contain commas. + // +kubebuilder:validation:Optional + DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"` + + // The amount of leeway to add to expiration (exp) claims to account for + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. + // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + // +kubebuilder:validation:Optional + ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"` + + // The claim to use to uniquely identify + // the set of groups to which the user belongs; this will be used as the names + // for the Identity group aliases created due to a successful login. The claim + // value must be a list of strings. + // The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. + // +kubebuilder:validation:Optional + GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"` + + // Specifies the allowable elapsed time in seconds since the last time + // the user was actively authenticated with the OIDC provider. 
+ // Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. + // +kubebuilder:validation:Optional + MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + // +kubebuilder:validation:Optional + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The amount of leeway to add to not before (nbf) claims to account for + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. + // The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + // +kubebuilder:validation:Optional + NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"` + + // If set, a list of OIDC scopes to be used with an OIDC role. + // The standard scope "openid" is automatically included and need not be specified. + // List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. + // +kubebuilder:validation:Optional + // +listType=set + OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"` + + // The name of the role. + // Name of the role. + // +kubebuilder:validation:Optional + RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + + // Type of role, either "oidc" (default) or "jwt". 
+ // Type of role, either "oidc" (default) or "jwt" + // +kubebuilder:validation:Optional + RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + // +kubebuilder:validation:Optional + // +listType=set + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + // +kubebuilder:validation:Optional + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The maximum lifetime of the generated token + // +kubebuilder:validation:Optional + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. + // If true, the 'default' policy will not automatically be added to generated tokens + // +kubebuilder:validation:Optional + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. 
+ // The maximum number of times a token may be used, a value of zero means unlimited + // +kubebuilder:validation:Optional + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. + // Generated Token's Period + // +kubebuilder:validation:Optional + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + // +kubebuilder:validation:Optional + // +listType=set + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The initial ttl of the token to generate in seconds + // +kubebuilder:validation:Optional + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + // The type of token to generate, service or batch + // +kubebuilder:validation:Optional + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + + // The claim to use to uniquely identify + // the user; this will be used as the name for the Identity entity alias created + // due to a successful login. 
+ // The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. + // +kubebuilder:validation:Optional + UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"` + + // Specifies if the user_claim value uses + // JSON pointer + // syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + // Requires Vault 1.11+. + // Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + // +kubebuilder:validation:Optional + UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"` + + // Log received OIDC tokens and claims when debug-level + // logging is active. Not recommended in production since sensitive information may be present + // in OIDC responses. + // Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. + // +kubebuilder:validation:Optional + VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"` +} + +// AuthBackendRoleSpec defines the desired state of AuthBackendRole +type AuthBackendRoleSpec struct { + v1.ResourceSpec `json:",inline"` + ForProvider AuthBackendRoleParameters `json:"forProvider"` + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. 
This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"` +} + +// AuthBackendRoleStatus defines the observed state of AuthBackendRole. +type AuthBackendRoleStatus struct { + v1.ResourceStatus `json:",inline"` + AtProvider AuthBackendRoleObservation `json:"atProvider,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion + +// AuthBackendRole is the Schema for the AuthBackendRoles API. Manages JWT/OIDC auth backend roles in Vault. +// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} +type AuthBackendRole struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || (has(self.initProvider) && has(self.initProvider.roleName))",message="spec.forProvider.roleName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.userClaim) || (has(self.initProvider) && has(self.initProvider.userClaim))",message="spec.forProvider.userClaim is a required 
parameter" + Spec AuthBackendRoleSpec `json:"spec"` + Status AuthBackendRoleStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// AuthBackendRoleList contains a list of AuthBackendRoles +type AuthBackendRoleList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []AuthBackendRole `json:"items"` +} + +// Repository type metadata. +var ( + AuthBackendRole_Kind = "AuthBackendRole" + AuthBackendRole_GroupKind = schema.GroupKind{Group: CRDGroup, Kind: AuthBackendRole_Kind}.String() + AuthBackendRole_KindAPIVersion = AuthBackendRole_Kind + "." + CRDGroupVersion.String() + AuthBackendRole_GroupVersionKind = CRDGroupVersion.WithKind(AuthBackendRole_Kind) +) + +func init() { + SchemeBuilder.Register(&AuthBackendRole{}, &AuthBackendRoleList{}) +} diff --git a/apis/jwt/v1alpha1/zz_generated.conversion_hubs.go b/apis/jwt/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 0000000..ee67874 --- /dev/null +++ b/apis/jwt/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRole) Hub() {} diff --git a/apis/jwt/v1alpha1/zz_generated.deepcopy.go b/apis/jwt/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 0000000..d96299a --- /dev/null +++ b/apis/jwt/v1alpha1/zz_generated.deepcopy.go 
@@ -0,0 +1,748 @@ +//go:build !ignore_autogenerated + +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRole) DeepCopyInto(out *AuthBackendRole) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRole. +func (in *AuthBackendRole) DeepCopy() *AuthBackendRole { + if in == nil { + return nil + } + out := new(AuthBackendRole) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *AuthBackendRole) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitParameters) { + *out = *in + if in.AllowedRedirectUris != nil { + in, out := &in.AllowedRedirectUris, &out.AllowedRedirectUris + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BoundAudiences != nil { + in, out := &in.BoundAudiences, &out.BoundAudiences + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundClaims != nil { + in, out := &in.BoundClaims, &out.BoundClaims + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.BoundClaimsType != nil { + in, out := &in.BoundClaimsType, &out.BoundClaimsType + *out = new(string) + **out = **in + } + if in.BoundSubject != nil { + in, out := &in.BoundSubject, &out.BoundSubject + *out = new(string) + **out = **in + } + if in.ClaimMappings != nil { + in, out := &in.ClaimMappings, &out.ClaimMappings + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.ClockSkewLeeway != nil { + in, out := &in.ClockSkewLeeway, &out.ClockSkewLeeway + *out = new(float64) + **out = **in + } + if in.DisableBoundClaimsParsing != nil { + in, out := &in.DisableBoundClaimsParsing, &out.DisableBoundClaimsParsing + *out = new(bool) + **out = **in + } + if in.ExpirationLeeway != nil { + in, out := 
&in.ExpirationLeeway, &out.ExpirationLeeway + *out = new(float64) + **out = **in + } + if in.GroupsClaim != nil { + in, out := &in.GroupsClaim, &out.GroupsClaim + *out = new(string) + **out = **in + } + if in.MaxAge != nil { + in, out := &in.MaxAge, &out.MaxAge + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.NotBeforeLeeway != nil { + in, out := &in.NotBeforeLeeway, &out.NotBeforeLeeway + *out = new(float64) + **out = **in + } + if in.OidcScopes != nil { + in, out := &in.OidcScopes, &out.OidcScopes + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.RoleName != nil { + in, out := &in.RoleName, &out.RoleName + *out = new(string) + **out = **in + } + if in.RoleType != nil { + in, out := &in.RoleType, &out.RoleType + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + 
for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } + if in.UserClaim != nil { + in, out := &in.UserClaim, &out.UserClaim + *out = new(string) + **out = **in + } + if in.UserClaimJSONPointer != nil { + in, out := &in.UserClaimJSONPointer, &out.UserClaimJSONPointer + *out = new(bool) + **out = **in + } + if in.VerboseOidcLogging != nil { + in, out := &in.VerboseOidcLogging, &out.VerboseOidcLogging + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters. +func (in *AuthBackendRoleInitParameters) DeepCopy() *AuthBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]AuthBackendRole, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleList. +func (in *AuthBackendRoleList) DeepCopy() *AuthBackendRoleList { + if in == nil { + return nil + } + out := new(AuthBackendRoleList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *AuthBackendRoleList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleObservation) DeepCopyInto(out *AuthBackendRoleObservation) { + *out = *in + if in.AllowedRedirectUris != nil { + in, out := &in.AllowedRedirectUris, &out.AllowedRedirectUris + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BoundAudiences != nil { + in, out := &in.BoundAudiences, &out.BoundAudiences + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundClaims != nil { + in, out := &in.BoundClaims, &out.BoundClaims + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.BoundClaimsType != nil { + in, out := &in.BoundClaimsType, &out.BoundClaimsType + *out = new(string) + **out = **in + } + if in.BoundSubject != nil { + in, out := &in.BoundSubject, &out.BoundSubject + *out = new(string) + **out = **in + } + if in.ClaimMappings != nil { + in, out := &in.ClaimMappings, &out.ClaimMappings + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.ClockSkewLeeway != nil { + in, out := &in.ClockSkewLeeway, &out.ClockSkewLeeway + *out 
= new(float64) + **out = **in + } + if in.DisableBoundClaimsParsing != nil { + in, out := &in.DisableBoundClaimsParsing, &out.DisableBoundClaimsParsing + *out = new(bool) + **out = **in + } + if in.ExpirationLeeway != nil { + in, out := &in.ExpirationLeeway, &out.ExpirationLeeway + *out = new(float64) + **out = **in + } + if in.GroupsClaim != nil { + in, out := &in.GroupsClaim, &out.GroupsClaim + *out = new(string) + **out = **in + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.MaxAge != nil { + in, out := &in.MaxAge, &out.MaxAge + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.NotBeforeLeeway != nil { + in, out := &in.NotBeforeLeeway, &out.NotBeforeLeeway + *out = new(float64) + **out = **in + } + if in.OidcScopes != nil { + in, out := &in.OidcScopes, &out.OidcScopes + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.RoleName != nil { + in, out := &in.RoleName, &out.RoleName + *out = new(string) + **out = **in + } + if in.RoleType != nil { + in, out := &in.RoleType, &out.RoleType + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { 
+ in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } + if in.UserClaim != nil { + in, out := &in.UserClaim, &out.UserClaim + *out = new(string) + **out = **in + } + if in.UserClaimJSONPointer != nil { + in, out := &in.UserClaimJSONPointer, &out.UserClaimJSONPointer + *out = new(bool) + **out = **in + } + if in.VerboseOidcLogging != nil { + in, out := &in.VerboseOidcLogging, &out.VerboseOidcLogging + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleObservation. +func (in *AuthBackendRoleObservation) DeepCopy() *AuthBackendRoleObservation { + if in == nil { + return nil + } + out := new(AuthBackendRoleObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters) { + *out = *in + if in.AllowedRedirectUris != nil { + in, out := &in.AllowedRedirectUris, &out.AllowedRedirectUris + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BoundAudiences != nil { + in, out := &in.BoundAudiences, &out.BoundAudiences + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundClaims != nil { + in, out := &in.BoundClaims, &out.BoundClaims + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.BoundClaimsType != nil { + in, out := &in.BoundClaimsType, &out.BoundClaimsType + *out = new(string) + **out = **in + } + if in.BoundSubject != nil { + in, out := &in.BoundSubject, &out.BoundSubject + *out = new(string) + **out = **in + } + if in.ClaimMappings != nil { + in, out := &in.ClaimMappings, &out.ClaimMappings + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.ClockSkewLeeway != nil { + in, out := &in.ClockSkewLeeway, &out.ClockSkewLeeway + *out = new(float64) + **out = **in + } + if in.DisableBoundClaimsParsing != nil { + in, out := &in.DisableBoundClaimsParsing, &out.DisableBoundClaimsParsing + *out = new(bool) + **out = **in + } + if in.ExpirationLeeway != nil { + in, out := 
&in.ExpirationLeeway, &out.ExpirationLeeway + *out = new(float64) + **out = **in + } + if in.GroupsClaim != nil { + in, out := &in.GroupsClaim, &out.GroupsClaim + *out = new(string) + **out = **in + } + if in.MaxAge != nil { + in, out := &in.MaxAge, &out.MaxAge + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.NotBeforeLeeway != nil { + in, out := &in.NotBeforeLeeway, &out.NotBeforeLeeway + *out = new(float64) + **out = **in + } + if in.OidcScopes != nil { + in, out := &in.OidcScopes, &out.OidcScopes + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.RoleName != nil { + in, out := &in.RoleName, &out.RoleName + *out = new(string) + **out = **in + } + if in.RoleType != nil { + in, out := &in.RoleType, &out.RoleType + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + 
for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } + if in.UserClaim != nil { + in, out := &in.UserClaim, &out.UserClaim + *out = new(string) + **out = **in + } + if in.UserClaimJSONPointer != nil { + in, out := &in.UserClaimJSONPointer, &out.UserClaimJSONPointer + *out = new(bool) + **out = **in + } + if in.VerboseOidcLogging != nil { + in, out := &in.VerboseOidcLogging, &out.VerboseOidcLogging + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleParameters. +func (in *AuthBackendRoleParameters) DeepCopy() *AuthBackendRoleParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec. +func (in *AuthBackendRoleSpec) DeepCopy() *AuthBackendRoleSpec { + if in == nil { + return nil + } + out := new(AuthBackendRoleSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *AuthBackendRoleStatus) DeepCopyInto(out *AuthBackendRoleStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleStatus. +func (in *AuthBackendRoleStatus) DeepCopy() *AuthBackendRoleStatus { + if in == nil { + return nil + } + out := new(AuthBackendRoleStatus) + in.DeepCopyInto(out) + return out +} diff --git a/apis/jwt/v1alpha1/zz_generated.managed.go b/apis/jwt/v1alpha1/zz_generated.managed.go new file mode 100644 index 0000000..e2e30b5 --- /dev/null +++ b/apis/jwt/v1alpha1/zz_generated.managed.go 
@@ -0,0 +1,68 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + +// GetCondition of this AuthBackendRole. +func (mg *AuthBackendRole) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this AuthBackendRole. +func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies +} + +// GetProviderConfigReference of this AuthBackendRole. +func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +// GetPublishConnectionDetailsTo of this AuthBackendRole. +func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { + return mg.Spec.PublishConnectionDetailsTo +} + +// GetWriteConnectionSecretToReference of this AuthBackendRole. +func (mg *AuthBackendRole) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this AuthBackendRole. +func (mg *AuthBackendRole) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetDeletionPolicy of this AuthBackendRole. +func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r +} + +// SetProviderConfigReference of this AuthBackendRole. +func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +// SetPublishConnectionDetailsTo of this AuthBackendRole. 
+func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { + mg.Spec.PublishConnectionDetailsTo = r +} + +// SetWriteConnectionSecretToReference of this AuthBackendRole. +func (mg *AuthBackendRole) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} diff --git a/apis/jwt/v1alpha1/zz_generated.managedlist.go b/apis/jwt/v1alpha1/zz_generated.managedlist.go new file mode 100644 index 0000000..50919b3 --- /dev/null +++ b/apis/jwt/v1alpha1/zz_generated.managedlist.go @@ -0,0 +1,17 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import resource "github.com/crossplane/crossplane-runtime/pkg/resource" + +// GetItems of this AuthBackendRoleList. +func (l *AuthBackendRoleList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} diff --git a/apis/jwt/v1alpha1/zz_groupversion_info.go b/apis/jwt/v1alpha1/zz_groupversion_info.go new file mode 100755 index 0000000..c9d52a5 --- /dev/null +++ b/apis/jwt/v1alpha1/zz_groupversion_info.go 
@@ -0,0 +1,32 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +// +kubebuilder:object:generate=true +// +groupName=jwt.vault.upbound.io +// +versionName=v1alpha1 +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +// Package type metadata. +const ( + CRDGroup = "jwt.vault.upbound.io" + CRDVersion = "v1alpha1" +) + +var ( + // CRDGroupVersion is the API Group Version used to register the objects + CRDGroupVersion = schema.GroupVersion{Group: CRDGroup, Version: CRDVersion} + + // SchemeBuilder is used to add go types to the GroupVersionKind scheme + SchemeBuilder = &scheme.Builder{GroupVersion: CRDGroupVersion} + + // AddToScheme adds the types in this group-version to the given scheme. + AddToScheme = SchemeBuilder.AddToScheme +) diff --git a/apis/vault/v1alpha1/zz_generated.conversion_hubs.go b/apis/vault/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 0000000..8de3d5b --- /dev/null +++ b/apis/vault/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Policy) Hub() {} diff --git a/apis/vault/v1alpha1/zz_generated.deepcopy.go b/apis/vault/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 0000000..ff0515e --- /dev/null +++ b/apis/vault/v1alpha1/zz_generated.deepcopy.go 
@@ -0,0 +1,187 @@ +//go:build !ignore_autogenerated + +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Policy) DeepCopyInto(out *Policy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. +func (in *Policy) DeepCopy() *Policy { + if in == nil { + return nil + } + out := new(Policy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *Policy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyInitParameters) DeepCopyInto(out *PolicyInitParameters) { + *out = *in + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyInitParameters. +func (in *PolicyInitParameters) DeepCopy() *PolicyInitParameters { + if in == nil { + return nil + } + out := new(PolicyInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PolicyList) DeepCopyInto(out *PolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]Policy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList. +func (in *PolicyList) DeepCopy() *PolicyList { + if in == nil { + return nil + } + out := new(PolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyObservation) DeepCopyInto(out *PolicyObservation) { + *out = *in + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyObservation. +func (in *PolicyObservation) DeepCopy() *PolicyObservation { + if in == nil { + return nil + } + out := new(PolicyObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PolicyParameters) DeepCopyInto(out *PolicyParameters) { + *out = *in + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyParameters. +func (in *PolicyParameters) DeepCopy() *PolicyParameters { + if in == nil { + return nil + } + out := new(PolicyParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicySpec) DeepCopyInto(out *PolicySpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec. +func (in *PolicySpec) DeepCopy() *PolicySpec { + if in == nil { + return nil + } + out := new(PolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus. +func (in *PolicyStatus) DeepCopy() *PolicyStatus { + if in == nil { + return nil + } + out := new(PolicyStatus) + in.DeepCopyInto(out) + return out +} diff --git a/apis/vault/v1alpha1/zz_generated.managed.go b/apis/vault/v1alpha1/zz_generated.managed.go new file mode 100644 index 0000000..4bca39f --- /dev/null +++ b/apis/vault/v1alpha1/zz_generated.managed.go 
@@ -0,0 +1,68 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + +// GetCondition of this Policy. +func (mg *Policy) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this Policy. +func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetManagementPolicies of this Policy. +func (mg *Policy) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies +} + +// GetProviderConfigReference of this Policy. +func (mg *Policy) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +// GetPublishConnectionDetailsTo of this Policy. +func (mg *Policy) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { + return mg.Spec.PublishConnectionDetailsTo +} + +// GetWriteConnectionSecretToReference of this Policy. +func (mg *Policy) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this Policy. +func (mg *Policy) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetDeletionPolicy of this Policy. +func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetManagementPolicies of this Policy. +func (mg *Policy) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r +} + +// SetProviderConfigReference of this Policy. +func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +// SetPublishConnectionDetailsTo of this Policy. +func (mg *Policy) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { + mg.Spec.PublishConnectionDetailsTo = r +} + +// SetWriteConnectionSecretToReference of this Policy. 
+func (mg *Policy) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} diff --git a/apis/vault/v1alpha1/zz_generated.managedlist.go b/apis/vault/v1alpha1/zz_generated.managedlist.go new file mode 100644 index 0000000..8ad7932 --- /dev/null +++ b/apis/vault/v1alpha1/zz_generated.managedlist.go @@ -0,0 +1,17 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import resource "github.com/crossplane/crossplane-runtime/pkg/resource" + +// GetItems of this PolicyList. +func (l *PolicyList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} diff --git a/apis/vault/v1alpha1/zz_groupversion_info.go b/apis/vault/v1alpha1/zz_groupversion_info.go new file mode 100755 index 0000000..3f0e673 --- /dev/null +++ b/apis/vault/v1alpha1/zz_groupversion_info.go @@ -0,0 +1,32 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +// +kubebuilder:object:generate=true +// +groupName=vault.vault.upbound.io +// +versionName=v1alpha1 +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +// Package type metadata. +const ( + CRDGroup = "vault.vault.upbound.io" + CRDVersion = "v1alpha1" +) + +var ( + // CRDGroupVersion is the API Group Version used to register the objects + CRDGroupVersion = schema.GroupVersion{Group: CRDGroup, Version: CRDVersion} + + // SchemeBuilder is used to add go types to the GroupVersionKind scheme + SchemeBuilder = &scheme.Builder{GroupVersion: CRDGroupVersion} + + // AddToScheme adds the types in this group-version to the given scheme. + AddToScheme = SchemeBuilder.AddToScheme +) diff --git a/apis/vault/v1alpha1/zz_policy_terraformed.go b/apis/vault/v1alpha1/zz_policy_terraformed.go new file mode 100755 index 0000000..51b916e --- /dev/null 
+++ b/apis/vault/v1alpha1/zz_policy_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Policy +func (mg *Policy) GetTerraformResourceType() string { + return "vault_policy" +} + +// GetConnectionDetailsMapping for this Policy +func (tr *Policy) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Policy +func (tr *Policy) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Policy +func (tr *Policy) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Policy +func (tr *Policy) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Policy +func (tr *Policy) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Policy +func (tr *Policy) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Policy +func (tr *Policy) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := 
map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Policy +func (tr *Policy) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Policy using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Policy) LateInitialize(attrs []byte) (bool, error) { + params := &PolicyParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Policy) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/vault/v1alpha1/zz_policy_types.go b/apis/vault/v1alpha1/zz_policy_types.go new file mode 100755 index 0000000..2322aad --- /dev/null +++ b/apis/vault/v1alpha1/zz_policy_types.go 
@@ -0,0 +1,121 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + + v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" +) + +type PolicyInitParameters struct { + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // String containing a Vault policy + // The policy document + Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` +} + +type PolicyObservation struct { + ID *string `json:"id,omitempty" tf:"id,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // String containing a Vault policy + // The policy document + Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` +} + +type PolicyParameters struct { + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. 
(requires Enterprise) + // +kubebuilder:validation:Optional + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // String containing a Vault policy + // The policy document + // +kubebuilder:validation:Optional + Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` +} + +// PolicySpec defines the desired state of Policy +type PolicySpec struct { + v1.ResourceSpec `json:",inline"` + ForProvider PolicyParameters `json:"forProvider"` + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider PolicyInitParameters `json:"initProvider,omitempty"` +} + +// PolicyStatus defines the observed state of Policy. +type PolicyStatus struct { + v1.ResourceStatus `json:",inline"` + AtProvider PolicyObservation `json:"atProvider,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion + +// Policy is the Schema for the Policys API. 
Writes arbitrary policies for Vault +// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} +type Policy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policy) || (has(self.initProvider) && has(self.initProvider.policy))",message="spec.forProvider.policy is a required parameter" + Spec PolicySpec `json:"spec"` + Status PolicyStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// PolicyList contains a list of Policys +type PolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []Policy `json:"items"` +} + +// Repository type metadata. +var ( + Policy_Kind = "Policy" + Policy_GroupKind = schema.GroupKind{Group: CRDGroup, Kind: Policy_Kind}.String() + Policy_KindAPIVersion = Policy_Kind + "." + CRDGroupVersion.String() + Policy_GroupVersionKind = CRDGroupVersion.WithKind(Policy_Kind) +) + +func init() { + SchemeBuilder.Register(&Policy{}, &PolicyList{}) +} diff --git a/apis/zz_register.go b/apis/zz_register.go index d7d16a4..e53da02 100755 --- a/apis/zz_register.go +++ b/apis/zz_register.go 
@@ -10,19 +10,25 @@ package apis import ( "k8s.io/apimachinery/pkg/runtime" - v1alpha1 "github.com/topfreegames/upjet-provider-vault/apis/identitygroup/v1alpha1" + v1alpha1 "github.com/topfreegames/upjet-provider-vault/apis/aws/v1alpha1" + v1alpha1identitygroup "github.com/topfreegames/upjet-provider-vault/apis/identitygroup/v1alpha1" + v1alpha1jwt "github.com/topfreegames/upjet-provider-vault/apis/jwt/v1alpha1" v1alpha1kubernetesauthbackendrole "github.com/topfreegames/upjet-provider-vault/apis/kubernetesauthbackendrole/v1alpha1" v1alpha1apis "github.com/topfreegames/upjet-provider-vault/apis/v1alpha1" v1beta1 "github.com/topfreegames/upjet-provider-vault/apis/v1beta1" + v1alpha1vault "github.com/topfreegames/upjet-provider-vault/apis/vault/v1alpha1" ) func init() { // Register the types with the Scheme so the components can map objects to GroupVersionKinds and back AddToSchemes = append(AddToSchemes, v1alpha1.SchemeBuilder.AddToScheme, + v1alpha1identitygroup.SchemeBuilder.AddToScheme, + v1alpha1jwt.SchemeBuilder.AddToScheme, v1alpha1kubernetesauthbackendrole.SchemeBuilder.AddToScheme, v1alpha1apis.SchemeBuilder.AddToScheme, v1beta1.SchemeBuilder.AddToScheme, + v1alpha1vault.SchemeBuilder.AddToScheme, ) } diff --git a/cmd/provider/main.go b/cmd/provider/main.go index be3c90f..d4744db 100644 --- a/cmd/provider/main.go +++ b/cmd/provider/main.go @@ -12,6 +12,7 @@ import ( "time" xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/certificates" xpcontroller "github.com/crossplane/crossplane-runtime/pkg/controller" "github.com/crossplane/crossplane-runtime/pkg/logging" "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" 
@@ -49,6 +50,8 @@ func main() { namespace = app.Flag("namespace", "Namespace used to set as default scope in default secret store config.").Default("crossplane-system").Envar("POD_NAMESPACE").String() enableExternalSecretStores = app.Flag("enable-external-secret-stores", "Enable support for ExternalSecretStores.").Default("false").Envar("ENABLE_EXTERNAL_SECRET_STORES").Bool() + enableManagementPolicies = app.Flag("enable-management-policies", "Enable support for Management Policies.").Default("true").Envar("ENABLE_MANAGEMENT_POLICIES").Bool() + essTLSCertsPath = app.Flag("ess-tls-cert-dir", "Path of ESS TLS certificates.").Envar("ESS_TLS_CERTS_DIR").String() ) kingpin.MustParse(app.Parse(os.Args[1:])) @@ -99,9 +102,17 @@ func main() { } if *enableExternalSecretStores { + o.Features.Enable(features.EnableAlphaExternalSecretStores) o.SecretStoreConfigGVK = &v1alpha1.StoreConfigGroupVersionKind log.Info("Alpha feature enabled", "flag", features.EnableAlphaExternalSecretStores) + o.ESSOptions = &tjcontroller.ESSOptions{} + if *essTLSCertsPath != "" { + log.Info("ESS TLS certificates path is set. Loading mTLS configuration.") + tCfg, err := certificates.LoadMTLSConfig(filepath.Join(*essTLSCertsPath, "ca.crt"), filepath.Join(*essTLSCertsPath, "tls.crt"), filepath.Join(*essTLSCertsPath, "tls.key"), false) + kingpin.FatalIfError(err, "Cannot load ESS TLS config.") + o.ESSOptions.TLSConfig = tCfg + } // Ensure default store config exists. kingpin.FatalIfError(resource.Ignore(kerrors.IsAlreadyExists, mgr.GetClient().Create(context.Background(), &v1alpha1.StoreConfig{ ObjectMeta: metav1.ObjectMeta{ 
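Review bot: In the `if *enableExternalSecretStores` block, `o.ESSOptions` is created unconditionally but `TLSConfig` is only set inside `if *essTLSCertsPath != ""`, so running with ESS enabled and no `ess-tls-cert-dir` leaves a nil TLS config and presumably a plugin connection without mTLS, with no log line telling the operator. Consider failing fast in that case, or at least adding an `else` branch such as `log.Info("ESS TLS certificates path not set; ESS plugin connection will not use mTLS")`. A short comment above the `certificates.LoadMTLSConfig` call naming the expected directory layout (`ca.crt`, `tls.crt`, `tls.key`) would also help, since a mounted Secret has to match those exact file names. The enclosing `main()` continues outside the hunk.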
@@ -117,6 +128,11 @@ func main() { })), "cannot create default store config") } + if *enableManagementPolicies { + o.Features.Enable(features.EnableBetaManagementPolicies) + log.Info("Beta feature enabled", "flag", features.EnableBetaManagementPolicies) + } + kingpin.FatalIfError(controller.Setup(mgr, o), "Cannot setup Vault controllers") kingpin.FatalIfError(mgr.Start(ctrl.SetupSignalHandler()), "Cannot start controller manager") } diff --git a/config/external_name.go b/config/external_name.go index 884f4ec..d16cce1 100644 --- a/config/external_name.go +++ b/config/external_name.go @@ -12,6 +12,9 @@ var ExternalNameConfigs = map[string]config.ExternalName{ // Import requires using a randomly generated ID from provider: nl-2e21sda "vault_kubernetes_auth_backend_role": config.NameAsIdentifier, "vault_identity_group": config.NameAsIdentifier, + "vault_jwt_auth_backend_role": config.NameAsIdentifier, + "vault_aws_auth_backend_role": config.NameAsIdentifier, + "vault_policy": config.NameAsIdentifier, } // ExternalNameConfigurations applies all external name configs listed in the diff --git a/examples-generated/aws/v1alpha1/authbackendrole.yaml b/examples-generated/aws/v1alpha1/authbackendrole.yaml new file mode 100644 index 0000000..622b8a9 --- /dev/null +++ b/examples-generated/aws/v1alpha1/authbackendrole.yaml 
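Review bot: `config.NameAsIdentifier` for `vault_jwt_auth_backend_role` and `vault_aws_auth_backend_role` looks wrong: as far as I know the Terraform provider identifies these roles by `auth/<backend>/role/<role name>` and their name arguments are `role_name` and `role` rather than `name`, so this config neither fills the role name from the external name nor gives Terraform an ID it can import; the generated examples on this same page having to set `roleName: test-role` and `role: test-role` explicitly is consistent with that. A mismatched ID usually surfaces as an Observe that never finds the existing role, so the controller keeps trying to create it. `vault_policy` is fine since its ID is the policy name. A templated identifier would match the provider: `"vault_jwt_auth_backend_role": config.TemplatedStringAsIdentifier("role_name", "auth/{{ .parameters.backend }}/role/{{ .external_name }}"),` and `"vault_aws_auth_backend_role": config.TemplatedStringAsIdentifier("role", "auth/{{ .parameters.backend }}/role/{{ .external_name }}"),`; worth verifying with an import of an existing role before relying on it.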
@@ -0,0 +1,33 @@ +apiVersion: aws.vault.upbound.io/v1alpha1 +kind: AuthBackendRole +metadata: + annotations: + meta.upbound.io/example-id: aws/v1alpha1/authbackendrole + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + authType: iam + backend: ${vault_auth_backend.aws.path} + boundAccountIds: + - "123456789012" + boundAmiIds: + - ami-8c1be5f6 + boundIamInstanceProfileArns: + - arn:aws:iam::123456789012:instance-profile/MyProfile + boundIamRoleArns: + - arn:aws:iam::123456789012:role/MyRole + boundSubnetIds: + - vpc-133128f1 + boundVpcIds: + - vpc-b61106d4 + inferredAwsRegion: us-east-1 + inferredEntityType: ec2_instance + role: test-role + tokenMaxTtl: 120 + tokenPolicies: + - default + - dev + - prod + tokenTtl: 60 diff --git a/examples-generated/jwt/v1alpha1/authbackendrole.yaml b/examples-generated/jwt/v1alpha1/authbackendrole.yaml new file mode 100644 index 0000000..09c8572 --- /dev/null +++ b/examples-generated/jwt/v1alpha1/authbackendrole.yaml @@ -0,0 +1,22 @@ +apiVersion: jwt.vault.upbound.io/v1alpha1 +kind: AuthBackendRole +metadata: + annotations: + meta.upbound.io/example-id: jwt/v1alpha1/authbackendrole + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + backend: ${vault_jwt_auth_backend.jwt.path} + boundAudiences: + - https://myco.test + boundClaims: + color: red,green,blue + roleName: test-role + roleType: jwt + tokenPolicies: + - default + - dev + - prod + userClaim: https://vault/user diff --git a/examples-generated/vault/v1alpha1/policy.yaml b/examples-generated/vault/v1alpha1/policy.yaml new file mode 100644 index 0000000..98ae40a --- /dev/null +++ b/examples-generated/vault/v1alpha1/policy.yaml 
@@ -0,0 +1,14 @@ +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Policy +metadata: + annotations: + meta.upbound.io/example-id: vault/v1alpha1/policy + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + policy: | + path "secret/my_app" { + capabilities = ["update"] + } diff --git a/go.mod b/go.mod index 36744c9..3f71c01 100644 --- a/go.mod +++ b/go.mod @@ -1,8 +1,8 @@ module github.com/topfreegames/upjet-provider-vault -go 1.22 +go 1.22.0 -toolchain go1.22.3 +toolchain go1.22.5 require ( dario.cat/mergo v1.0.0 @@ -13,7 +13,7 @@ require ( gopkg.in/alecthomas/kingpin.v2 v2.2.6 k8s.io/apimachinery v0.29.2 k8s.io/client-go v0.29.2 - sigs.k8s.io/controller-runtime v0.17.5 + sigs.k8s.io/controller-runtime v0.17.6 sigs.k8s.io/controller-tools v0.14.0 ) 
@@ -27,31 +27,31 @@ require ( github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/dave/jennifer v1.7.0 // indirect - github.com/davecgh/go-spew v1.1.1 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect - github.com/evanphx/json-patch v5.6.0+incompatible // indirect - github.com/evanphx/json-patch/v5 v5.8.0 // indirect + github.com/evanphx/json-patch v5.9.0+incompatible // indirect + github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/fatih/camelcase v1.0.0 // indirect - github.com/fatih/color v1.16.0 // indirect + github.com/fatih/color v1.17.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect - github.com/go-logr/logr v1.4.1 // indirect + github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect - github.com/go-openapi/swag v0.22.3 // indirect - github.com/gobuffalo/flect v1.0.2 // indirect + github.com/go-openapi/swag v0.22.4 // indirect + github.com/gobuffalo/flect v1.0.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/mock v1.6.0 // indirect - github.com/golang/protobuf v1.5.3 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/uuid v1.4.0 // indirect + github.com/google/uuid v1.6.0 // indirect github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 // indirect - github.com/hashicorp/go-hclog v1.5.0 // indirect + 
github.com/hashicorp/go-hclog v1.6.3 // indirect github.com/hashicorp/go-plugin v1.5.1 // indirect github.com/hashicorp/go-uuid v1.0.3 // indirect github.com/hashicorp/go-version v1.6.0 // indirect @@ -73,7 +73,6 @@ require ( github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect - github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/go-ps v1.0.0 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect @@ -85,12 +84,12 @@ require ( github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/muvaf/typewriter v0.0.0-20220131201631-921e94e8e8d7 // indirect github.com/oklog/run v1.0.0 // indirect - github.com/prometheus/client_golang v1.18.0 // indirect - github.com/prometheus/client_model v0.5.0 // indirect - github.com/prometheus/common v0.45.0 // indirect - github.com/prometheus/procfs v0.12.0 // indirect + github.com/prometheus/client_golang v1.19.1 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.55.0 // indirect + github.com/prometheus/procfs v0.15.1 // indirect github.com/spf13/afero v1.11.0 // indirect - github.com/spf13/cobra v1.8.0 // indirect + github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/tmccombs/hcl2json v0.3.3 // indirect github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect 
@@ -101,30 +100,31 @@ require (
 github.com/zclconf/go-cty v1.14.1 // indirect
 github.com/zclconf/go-cty-yaml v1.0.3 // indirect
 go.uber.org/multierr v1.11.0 // indirect
- go.uber.org/zap v1.26.0 // indirect
- golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
- golang.org/x/mod v0.14.0 // indirect
- golang.org/x/net v0.23.0 // indirect
- golang.org/x/oauth2 v0.15.0 // indirect
- golang.org/x/sys v0.18.0 // indirect
- golang.org/x/term v0.18.0 // indirect
- golang.org/x/text v0.14.0 // indirect
+ go.uber.org/zap v1.27.0 // indirect
+ golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
+ golang.org/x/mod v0.21.0 // indirect
+ golang.org/x/net v0.30.0 // indirect
+ golang.org/x/oauth2 v0.21.0 // indirect
+ golang.org/x/sync v0.8.0 // indirect
+ golang.org/x/sys v0.26.0 // indirect
+ golang.org/x/term v0.25.0 // indirect
+ golang.org/x/text v0.19.0 // indirect
 golang.org/x/time v0.5.0 // indirect
- golang.org/x/tools v0.17.0 // indirect
+ golang.org/x/tools v0.26.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 google.golang.org/appengine v1.6.8 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect
- google.golang.org/grpc v1.61.0 // indirect
- google.golang.org/protobuf v1.31.0 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
+ google.golang.org/grpc v1.65.0 // indirect
+ google.golang.org/protobuf v1.34.2 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 k8s.io/api v0.29.2 // indirect
 k8s.io/apiextensions-apiserver v0.29.2 // indirect
 k8s.io/component-base v0.29.2 // indirect
- k8s.io/klog/v2 v2.110.1 // indirect
- k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
- k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+ k8s.io/klog/v2 v2.130.1 // indirect
+ k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+ k8s.io/utils 
v0.0.0-20240711033017-18e509b52bc8 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect diff --git a/go.sum b/go.sum index d6da665..d31b2af 100644 --- a/go.sum +++ b/go.sum @@ -26,9 +26,9 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/bufbuild/protocompile v0.6.0 h1:Uu7WiSQ6Yj9DbkdnOe7U4mNKp58y9WDMKDn28/ZlunY= github.com/bufbuild/protocompile v0.6.0/go.mod h1:YNP35qEYoYGme7QMtz5SBCoN4kL4g12jTtjuzRNdjpE= -github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/crossplane/crossplane-runtime v1.16.0 h1:lz+l0wEB3qowdTmN7t0PZkfuNSvfOoEhQrEYFbYqMow= github.com/crossplane/crossplane-runtime v1.16.0/go.mod h1:Pz2tdGVMF6KDGzHZOkvKro0nKc8EzK0sb/nSA7pH4Dc= 
@@ -39,39 +39,40 @@ github.com/crossplane/upjet v1.4.1/go.mod h1:3pDVtCgyBc5f2Zx4K5HEPxxhjndmOc5CHCJ github.com/dave/jennifer v1.7.0 h1:uRbSBH9UTS64yXbh4FrMHfgfY762RD+C7bUPKODpSJE= github.com/dave/jennifer v1.7.0/go.mod h1:nXbxhEmQfOZhWml3D1cDK5M1FLnMSozpbFN/m3RmGZc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= -github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro= -github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= +github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8= github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= 
-github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= -github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= +github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= -github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= -github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= -github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= -github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU= +github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig 
v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= -github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA= -github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= +github.com/gobuffalo/flect v1.0.3 h1:xeWBM2nui+qnVvNM4S3foBhCAL2XgPU+a7FdpelbTq4= +github.com/gobuffalo/flect v1.0.3/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -84,8 +85,8 @@ github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/addlicense v0.0.0-20210428195630-6d92264d7170/go.mod h1:EMjYTRimagHs1FwlIqKyX3wAM0u3rA+McvlIIWmSamA= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= 
@@ -100,12 +101,12 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20240117000934-35fc243c5815 h1:WzfWbQz/Ze8v6l++GGbGNFZnUShVpP/0xffCPLL+ax8= github.com/google/pprof v0.0.0-20240117000934-35fc243c5815/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4= -github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 h1:1/D3zfFHttUKaCaGKZ/dR2roBXv0vKbSCnssIldfQdI= github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320/go.mod h1:EiZBMaudVLy8fmjf9Npq1dq9RalhveqZG5w/yz3mHWs= -github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c= -github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= +github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-plugin v1.5.1 h1:oGm7cWBaYIp3lJpx1RUEfLWophprE2EV/KUeqBYo+6k= github.com/hashicorp/go-plugin v1.5.1/go.mod h1:w1sAEES3g3PuV/RzUrgow20W2uErMly84hhD3um1WL4= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= 
@@ -169,8 +170,6 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc= 
@@ -208,14 +207,14 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= -github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= -github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= -github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= -github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= -github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= -github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= +github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rogpeppe/go-internal v1.10.0/go.mod 
h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= @@ -223,8 +222,8 @@ github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 
@@ -239,8 +238,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/tmccombs/hcl2json v0.3.3 h1:+DLNYqpWE0CsOQiEZu+OZm5ZBImake3wtITYxQ8uLFQ= github.com/tmccombs/hcl2json v0.3.3/go.mod h1:Y2chtz2x9bAeRTvSibVRVgbLJhLJXKlUeIvjeVdnm4w= github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= 
@@ -271,21 +270,21 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= -go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o= -golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= +golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY= +golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.14.0 
h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= +golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= 
@@ -297,18 +296,18 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= -golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= -golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ= -golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM= +golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= +golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= -golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod 
h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -328,20 +327,20 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= -golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= -golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= +golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod 
h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -351,8 +350,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc= -golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= +golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ= +golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -363,14 +362,14 @@ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9Ywl google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f h1:ultW7fxlIvee4HYrtnaRPon9HpEgFk5zYpmfMgtKB5I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f/go.mod h1:L9KNLi232K1/xB6f7AlSX692koaRnKaWSR0stBki0Yc= -google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0= -google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= +google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -398,14 +397,14 @@ k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg= k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA= k8s.io/component-base v0.29.2 h1:lpiLyuvPA9yV1aQwGLENYyK7n/8t6l3nn3zAtFTJYe8= k8s.io/component-base v0.29.2/go.mod h1:BfB3SLrefbZXiBfbM+2H1dlat21Uewg/5qtKOl8degM= -k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= -k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= -k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= -k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= -k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= -k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.17.5 h1:1FI9Lm7NiOOmBsgTV36/s2XrEFXnO2C4sbg/Zme72Rw= -sigs.k8s.io/controller-runtime v0.17.5/go.mod h1:N0jpP5Lo7lMTF9aL56Z/B2oWBJjey6StQM0jRbKQXtY= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.17.6 h1:12IXsozEsIXWAMRpgRlYS1jjAHQXHtWEOMdULh3DbEw= +sigs.k8s.io/controller-runtime v0.17.6/go.mod h1:N0jpP5Lo7lMTF9aL56Z/B2oWBJjey6StQM0jRbKQXtY= sigs.k8s.io/controller-tools v0.14.0 h1:rnNoCC5wSXlrNoBKKzL70LNJKIQKEzT6lloG6/LF73A= sigs.k8s.io/controller-tools v0.14.0/go.mod 
h1:TV7uOtNNnnR72SpzhStvPkoS/U5ir0nMudrkrC4M9Sc= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= diff --git a/internal/controller/aws/authbackendrole/zz_controller.go b/internal/controller/aws/authbackendrole/zz_controller.go new file mode 100755 index 0000000..57f2f2e --- /dev/null +++ b/internal/controller/aws/authbackendrole/zz_controller.go 
@@ -0,0 +1,88 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package authbackendrole + +import ( + "time" + + "github.com/crossplane/crossplane-runtime/pkg/connection" + "github.com/crossplane/crossplane-runtime/pkg/event" + "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/terraform" + "github.com/pkg/errors" + ctrl "sigs.k8s.io/controller-runtime" + + v1alpha1 "github.com/topfreegames/upjet-provider-vault/apis/aws/v1alpha1" + features "github.com/topfreegames/upjet-provider-vault/internal/features" +) + +// Setup adds a controller that reconciles AuthBackendRole managed resources. +func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { + name := managed.ControllerName(v1alpha1.AuthBackendRole_GroupVersionKind.String()) + var initializers managed.InitializerChain + initializers = append(initializers, managed.NewNameAsExternalName(mgr.GetClient())) + cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} + if o.SecretStoreConfigGVK != nil { + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) + } + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler)) + opts := []managed.ReconcilerOption{ + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, 
o.Provider.Resources["vault_aws_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(eventHandler), + tjcontroller.WithCallbackProvider(ac), + )), + managed.WithLogger(o.Logger.WithValues("controller", name)), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), + managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithTimeout(3 * time.Minute), + managed.WithInitializers(initializers), + managed.WithConnectionPublishers(cps...), + managed.WithPollInterval(o.PollInterval), + } + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { + opts = append(opts, managed.WithManagementPolicies()) + } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleList") + } + } + + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), opts...) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + WithOptions(o.ForControllerRuntime()). 
+ WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendRole{}, eventHandler). + Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) +} diff --git a/internal/controller/jwt/authbackendrole/zz_controller.go b/internal/controller/jwt/authbackendrole/zz_controller.go new file mode 100755 index 0000000..80f9ea8 --- /dev/null +++ b/internal/controller/jwt/authbackendrole/zz_controller.go 
@@ -0,0 +1,88 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package authbackendrole + +import ( + "time" + + "github.com/crossplane/crossplane-runtime/pkg/connection" + "github.com/crossplane/crossplane-runtime/pkg/event" + "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/terraform" + "github.com/pkg/errors" + ctrl "sigs.k8s.io/controller-runtime" + + v1alpha1 "github.com/topfreegames/upjet-provider-vault/apis/jwt/v1alpha1" + features "github.com/topfreegames/upjet-provider-vault/internal/features" +) + +// Setup adds a controller that reconciles AuthBackendRole managed resources. +func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { + name := managed.ControllerName(v1alpha1.AuthBackendRole_GroupVersionKind.String()) + var initializers managed.InitializerChain + initializers = append(initializers, managed.NewNameAsExternalName(mgr.GetClient())) + cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} + if o.SecretStoreConfigGVK != nil { + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) + } + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler)) + opts := []managed.ReconcilerOption{ + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, 
o.Provider.Resources["vault_jwt_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(eventHandler), + tjcontroller.WithCallbackProvider(ac), + )), + managed.WithLogger(o.Logger.WithValues("controller", name)), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), + managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithTimeout(3 * time.Minute), + managed.WithInitializers(initializers), + managed.WithConnectionPublishers(cps...), + managed.WithPollInterval(o.PollInterval), + } + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { + opts = append(opts, managed.WithManagementPolicies()) + } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleList") + } + } + + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), opts...) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + WithOptions(o.ForControllerRuntime()). 
+ WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendRole{}, eventHandler). + Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) +} diff --git a/internal/controller/vault/policy/zz_controller.go b/internal/controller/vault/policy/zz_controller.go new file mode 100755 index 0000000..f380558 --- /dev/null +++ b/internal/controller/vault/policy/zz_controller.go 
@@ -0,0 +1,88 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package policy + +import ( + "time" + + "github.com/crossplane/crossplane-runtime/pkg/connection" + "github.com/crossplane/crossplane-runtime/pkg/event" + "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/terraform" + "github.com/pkg/errors" + ctrl "sigs.k8s.io/controller-runtime" + + v1alpha1 "github.com/topfreegames/upjet-provider-vault/apis/vault/v1alpha1" + features "github.com/topfreegames/upjet-provider-vault/internal/features" +) + +// Setup adds a controller that reconciles Policy managed resources. +func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { + name := managed.ControllerName(v1alpha1.Policy_GroupVersionKind.String()) + var initializers managed.InitializerChain + initializers = append(initializers, managed.NewNameAsExternalName(mgr.GetClient())) + cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} + if o.SecretStoreConfigGVK != nil { + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) + } + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Policy_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler)) + opts := []managed.ReconcilerOption{ + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_policy"], 
tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(eventHandler), + tjcontroller.WithCallbackProvider(ac), + )), + managed.WithLogger(o.Logger.WithValues("controller", name)), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), + managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithTimeout(3 * time.Minute), + managed.WithInitializers(initializers), + managed.WithConnectionPublishers(cps...), + managed.WithPollInterval(o.PollInterval), + } + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { + opts = append(opts, managed.WithManagementPolicies()) + } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Policy + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Policy{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Policy") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.PolicyList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.PolicyList") + } + } + + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), opts...) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + WithOptions(o.ForControllerRuntime()). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Policy{}, eventHandler). 
+ Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) +} diff --git a/internal/controller/zz_setup.go b/internal/controller/zz_setup.go index cdbe1cd..178dcc6 100755 --- a/internal/controller/zz_setup.go +++ b/internal/controller/zz_setup.go @@ -9,18 +9,24 @@ import ( "github.com/crossplane/upjet/pkg/controller" + authbackendrole "github.com/topfreegames/upjet-provider-vault/internal/controller/aws/authbackendrole" group "github.com/topfreegames/upjet-provider-vault/internal/controller/identitygroup/group" - authbackendrole "github.com/topfreegames/upjet-provider-vault/internal/controller/kubernetesauthbackendrole/authbackendrole" + authbackendrolejwt "github.com/topfreegames/upjet-provider-vault/internal/controller/jwt/authbackendrole" + authbackendrolekubernetesauthbackendrole "github.com/topfreegames/upjet-provider-vault/internal/controller/kubernetesauthbackendrole/authbackendrole" providerconfig "github.com/topfreegames/upjet-provider-vault/internal/controller/providerconfig" + policy "github.com/topfreegames/upjet-provider-vault/internal/controller/vault/policy" ) // Setup creates all controllers with the supplied logger and adds them to // the supplied manager. func Setup(mgr ctrl.Manager, o controller.Options) error { for _, setup := range []func(ctrl.Manager, controller.Options) error{ - group.Setup, authbackendrole.Setup, + group.Setup, + authbackendrolejwt.Setup, + authbackendrolekubernetesauthbackendrole.Setup, providerconfig.Setup, + policy.Setup, } { if err := setup(mgr, o); err != nil { return err diff --git a/package/crds/aws.vault.upbound.io_authbackendroles.yaml b/package/crds/aws.vault.upbound.io_authbackendroles.yaml new file mode 100644 index 0000000..9e2c7ed --- /dev/null +++ b/package/crds/aws.vault.upbound.io_authbackendroles.yaml 
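Review bot: The `authbackendrole` alias that this hunk re-points at `internal/controller/aws/authbackendrole` is never used on the new side: the rebuilt slice literal reads `group.Setup, authbackendrolejwt.Setup, authbackendrolekubernetesauthbackendrole.Setup, providerconfig.Setup, policy.Setup` with no `authbackendrole.Setup`, so unless a collapsed line hides it this file no longer compiles ("imported and not used") and the new `aws.vault.upbound.io` AuthBackendRole kind is installed as a CRD with no controller reconciling it — declared AWS IAM/EC2 role bindings would silently never reach Vault. The hunk header arithmetic supports this reading: 24−18 = 6 matches the eight `+` lines minus two `-` lines visible here, leaving no room for a hidden registration. The fix is one line in the slice, `authbackendrole.Setup,` next to the other auth-backend setups. Because the `zz_` prefix suggests this file is upjet-generated, the entry should come from re-running the generator (and checking why it was dropped) rather than a hand edit, or the next regeneration reintroduces the gap.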
@@ -0,0 +1,1065 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: authbackendroles.aws.vault.upbound.io +spec: + group: aws.vault.upbound.io + names: + categories: + - crossplane + - managed + - vault + kind: AuthBackendRole + listKind: AuthBackendRoleList + plural: authbackendroles + singular: authbackendrole + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: AuthBackendRole is the Schema for the AuthBackendRoles API. Manages + AWS auth backend roles in Vault. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AuthBackendRoleSpec defines the desired state of AuthBackendRole + properties: + deletionPolicy: + default: Delete + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + enum: + - Orphan + - Delete + type: string + forProvider: + properties: + allowInstanceMigration: + description: |- + If set to true, allows migration of + the underlying instance where the client resides. + When true, allows migration of the underlying instance where the client resides. Use with caution. + type: boolean + authType: + description: |- + The auth type permitted for this role. Valid choices + are ec2 and iam. Defaults to iam. + The auth type permitted for this role. + type: string + backend: + description: |- + Path to the mounted aws auth backend. + Unique name of the auth backend to configure. + type: string + boundAccountIds: + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they should be using the + account ID specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances with this account ID in their identity document will be permitted to log in. 
+ items: + type: string + type: array + x-kubernetes-list-type: set + boundAmiIds: + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that they should be using the AMI ID + specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances using this AMI ID will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundEc2InstanceIds: + description: Only EC2 instances that match this instance ID will + be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundIamInstanceProfileArns: + description: |- + If set, defines a constraint on + the EC2 instances that can perform the login operation that they must be + associated with an IAM instance profile ARN which has a prefix that matches + the value specified by this field. The value is prefix-matched as though it + were a glob ending in *. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundIamPrincipalArns: + description: |- + If set, defines the IAM principal that + must be authenticated when auth_type is set to iam. Wildcards are + supported at the end of the ARN. + The IAM principal that must be authenticated using the iam auth method. + items: + type: string + type: array + x-kubernetes-list-type: set + boundIamRoleArns: + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they must match the IAM + role ARN specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. 
+ Only EC2 instances that match this IAM role ARN will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundRegions: + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that the region in their identity + document must match the one specified by this field. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to use this + constraint. + Only EC2 instances in this region will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundSubnetIds: + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they be associated with + the subnet ID that matches the value specified by this field. auth_type + must be set to ec2 or inferred_entity_type must be set to ec2_instance + to use this constraint. + Only EC2 instances associated with this subnet ID will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundVpcIds: + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that they be associated with the VPC ID + that matches the value specified by this field. auth_type must be set to + ec2 or inferred_entity_type must be set to ec2_instance to use this + constraint. + Only EC2 instances associated with this VPC ID will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + disallowReauthentication: + description: |- + IF set to true, only allows a + single token to be granted per instance ID. This can only be set when + auth_type is set to ec2. + When true, only allows a single token to be granted per instance ID. + type: boolean + inferredAwsRegion: + description: |- + When inferred_entity_type is set, this + is the region to search for the inferred entities. Required if + inferred_entity_type is set. 
This only applies when auth_type is set to + iam. + The region to search for the inferred entities in. + type: string + inferredEntityType: + description: |- + If set, instructs Vault to turn on + inferencing. The only valid value is ec2_instance, which instructs Vault to + infer that the role comes from an EC2 instance in an IAM instance profile. + This only applies when auth_type is set to iam. + The type of inferencing Vault should do. + type: string + namespace: + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) + type: string + resolveAwsUniqueIds: + description: |- + Only valid when + auth_type is iam. If set to true, the bound_iam_principal_arns are + resolved to AWS Unique + IDs + for the bound principal ARN. This field is ignored when a + bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more + closely mimics the behavior of AWS services in that if an IAM user or role is + deleted and a new one is recreated with the same name, those new users or + roles won't get access to roles in Vault that were permissioned to the prior + principals of the same name. Defaults to true. + Once set to true, this cannot be changed to false without recreating the role. + Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. + type: boolean + role: + description: |- + The name of the role. + Name of the role. + type: string + roleTag: + description: |- + If set, enable role tags for this role. The value set + for this field should be the key of the tag on the EC2 instance. 
auth_type + must be set to ec2 or inferred_entity_type must be set to ec2_instance + to use this constraint. + The key of the tag on EC2 instance to use for role tags. + type: string + tokenBoundCidrs: + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token + items: + type: string + type: array + x-kubernetes-list-type: set + tokenExplicitMaxTtl: + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens + type: boolean + tokenNumUses: + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. + Generated Token's Period + type: number + tokenPolicies: + description: |- + List of policies to encode onto generated tokens. 
Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies + items: + type: string + type: array + x-kubernetes-list-type: set + tokenTtl: + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds + type: number + tokenType: + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch + type: string + type: object + initProvider: + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. + properties: + allowInstanceMigration: + description: |- + If set to true, allows migration of + the underlying instance where the client resides. + When true, allows migration of the underlying instance where the client resides. Use with caution. + type: boolean + authType: + description: |- + The auth type permitted for this role. Valid choices + are ec2 and iam. Defaults to iam. + The auth type permitted for this role. 
+ type: string + backend: + description: |- + Path to the mounted aws auth backend. + Unique name of the auth backend to configure. + type: string + boundAccountIds: + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they should be using the + account ID specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances with this account ID in their identity document will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundAmiIds: + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that they should be using the AMI ID + specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances using this AMI ID will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundEc2InstanceIds: + description: Only EC2 instances that match this instance ID will + be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundIamInstanceProfileArns: + description: |- + If set, defines a constraint on + the EC2 instances that can perform the login operation that they must be + associated with an IAM instance profile ARN which has a prefix that matches + the value specified by this field. The value is prefix-matched as though it + were a glob ending in *. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. 
+ items: + type: string + type: array + x-kubernetes-list-type: set + boundIamPrincipalArns: + description: |- + If set, defines the IAM principal that + must be authenticated when auth_type is set to iam. Wildcards are + supported at the end of the ARN. + The IAM principal that must be authenticated using the iam auth method. + items: + type: string + type: array + x-kubernetes-list-type: set + boundIamRoleArns: + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they must match the IAM + role ARN specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances that match this IAM role ARN will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundRegions: + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that the region in their identity + document must match the one specified by this field. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to use this + constraint. + Only EC2 instances in this region will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundSubnetIds: + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they be associated with + the subnet ID that matches the value specified by this field. auth_type + must be set to ec2 or inferred_entity_type must be set to ec2_instance + to use this constraint. + Only EC2 instances associated with this subnet ID will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundVpcIds: + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that they be associated with the VPC ID + that matches the value specified by this field. 
auth_type must be set to + ec2 or inferred_entity_type must be set to ec2_instance to use this + constraint. + Only EC2 instances associated with this VPC ID will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + disallowReauthentication: + description: |- + IF set to true, only allows a + single token to be granted per instance ID. This can only be set when + auth_type is set to ec2. + When true, only allows a single token to be granted per instance ID. + type: boolean + inferredAwsRegion: + description: |- + When inferred_entity_type is set, this + is the region to search for the inferred entities. Required if + inferred_entity_type is set. This only applies when auth_type is set to + iam. + The region to search for the inferred entities in. + type: string + inferredEntityType: + description: |- + If set, instructs Vault to turn on + inferencing. The only valid value is ec2_instance, which instructs Vault to + infer that the role comes from an EC2 instance in an IAM instance profile. + This only applies when auth_type is set to iam. + The type of inferencing Vault should do. + type: string + namespace: + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) + type: string + resolveAwsUniqueIds: + description: |- + Only valid when + auth_type is iam. If set to true, the bound_iam_principal_arns are + resolved to AWS Unique + IDs + for the bound principal ARN. This field is ignored when a + bound_iam_principal_arn ends in a wildcard. 
Resolving to unique IDs more + closely mimics the behavior of AWS services in that if an IAM user or role is + deleted and a new one is recreated with the same name, those new users or + roles won't get access to roles in Vault that were permissioned to the prior + principals of the same name. Defaults to true. + Once set to true, this cannot be changed to false without recreating the role. + Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. + type: boolean + role: + description: |- + The name of the role. + Name of the role. + type: string + roleTag: + description: |- + If set, enable role tags for this role. The value set + for this field should be the key of the tag on the EC2 instance. auth_type + must be set to ec2 or inferred_entity_type must be set to ec2_instance + to use this constraint. + The key of the tag on EC2 instance to use for role tags. + type: string + tokenBoundCidrs: + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token + items: + type: string + type: array + x-kubernetes-list-type: set + tokenExplicitMaxTtl: + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. 
+ The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens + type: boolean + tokenNumUses: + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. + Generated Token's Period + type: number + tokenPolicies: + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies + items: + type: string + type: array + x-kubernetes-list-type: set + tokenTtl: + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds + type: number + tokenType: + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch + type: string + type: object + managementPolicies: + default: + - '*' + description: |- + THIS IS A BETA FIELD. 
It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + items: + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array + providerConfigRef: + default: + name: default + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. 
Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. 
+ type: object + labels: + additionalProperties: + type: string + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. + type: object + type: + description: |- + Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + x-kubernetes-validations: + - message: spec.forProvider.role is a required parameter + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.role) + || (has(self.initProvider) && has(self.initProvider.role))' + status: + description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. + properties: + atProvider: + properties: + allowInstanceMigration: + description: |- + If set to true, allows migration of + the underlying instance where the client resides. 
+ When true, allows migration of the underlying instance where the client resides. Use with caution. + type: boolean + authType: + description: |- + The auth type permitted for this role. Valid choices + are ec2 and iam. Defaults to iam. + The auth type permitted for this role. + type: string + backend: + description: |- + Path to the mounted aws auth backend. + Unique name of the auth backend to configure. + type: string + boundAccountIds: + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they should be using the + account ID specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances with this account ID in their identity document will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundAmiIds: + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that they should be using the AMI ID + specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances using this AMI ID will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundEc2InstanceIds: + description: Only EC2 instances that match this instance ID will + be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundIamInstanceProfileArns: + description: |- + If set, defines a constraint on + the EC2 instances that can perform the login operation that they must be + associated with an IAM instance profile ARN which has a prefix that matches + the value specified by this field. The value is prefix-matched as though it + were a glob ending in *. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. 
+ Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundIamPrincipalArns: + description: |- + If set, defines the IAM principal that + must be authenticated when auth_type is set to iam. Wildcards are + supported at the end of the ARN. + The IAM principal that must be authenticated using the iam auth method. + items: + type: string + type: array + x-kubernetes-list-type: set + boundIamRoleArns: + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they must match the IAM + role ARN specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances that match this IAM role ARN will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundRegions: + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that the region in their identity + document must match the one specified by this field. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to use this + constraint. + Only EC2 instances in this region will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + boundSubnetIds: + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they be associated with + the subnet ID that matches the value specified by this field. auth_type + must be set to ec2 or inferred_entity_type must be set to ec2_instance + to use this constraint. + Only EC2 instances associated with this subnet ID will be permitted to log in. 
+ items: + type: string + type: array + x-kubernetes-list-type: set + boundVpcIds: + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that they be associated with the VPC ID + that matches the value specified by this field. auth_type must be set to + ec2 or inferred_entity_type must be set to ec2_instance to use this + constraint. + Only EC2 instances associated with this VPC ID will be permitted to log in. + items: + type: string + type: array + x-kubernetes-list-type: set + disallowReauthentication: + description: |- + IF set to true, only allows a + single token to be granted per instance ID. This can only be set when + auth_type is set to ec2. + When true, only allows a single token to be granted per instance ID. + type: boolean + id: + type: string + inferredAwsRegion: + description: |- + When inferred_entity_type is set, this + is the region to search for the inferred entities. Required if + inferred_entity_type is set. This only applies when auth_type is set to + iam. + The region to search for the inferred entities in. + type: string + inferredEntityType: + description: |- + If set, instructs Vault to turn on + inferencing. The only valid value is ec2_instance, which instructs Vault to + infer that the role comes from an EC2 instance in an IAM instance profile. + This only applies when auth_type is set to iam. + The type of inferencing Vault should do. + type: string + namespace: + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) + type: string + resolveAwsUniqueIds: + description: |- + Only valid when + auth_type is iam. If set to true, the bound_iam_principal_arns are + resolved to AWS Unique + IDs + for the bound principal ARN. 
This field is ignored when a + bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more + closely mimics the behavior of AWS services in that if an IAM user or role is + deleted and a new one is recreated with the same name, those new users or + roles won't get access to roles in Vault that were permissioned to the prior + principals of the same name. Defaults to true. + Once set to true, this cannot be changed to false without recreating the role. + Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. + type: boolean + role: + description: |- + The name of the role. + Name of the role. + type: string + roleId: + description: |- + The Vault generated role ID. + The Vault generated role ID. + type: string + roleTag: + description: |- + If set, enable role tags for this role. The value set + for this field should be the key of the tag on the EC2 instance. auth_type + must be set to ec2 or inferred_entity_type must be set to ec2_instance + to use this constraint. + The key of the tag on EC2 instance to use for role tags. + type: string + tokenBoundCidrs: + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token + items: + type: string + type: array + x-kubernetes-list-type: set + tokenExplicitMaxTtl: + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: |- + The maximum lifetime for generated tokens in number of seconds. 
+ Its current value will be referenced at renewal time. + The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens + type: boolean + tokenNumUses: + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. + Generated Token's Period + type: number + tokenPolicies: + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies + items: + type: string + type: array + x-kubernetes-list-type: set + tokenTtl: + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds + type: number + tokenType: + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch + type: string + type: object + conditions: + description: Conditions of the resource. 
+ items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/package/crds/jwt.vault.upbound.io_authbackendroles.yaml b/package/crds/jwt.vault.upbound.io_authbackendroles.yaml new file mode 100644 index 0000000..d571be7 --- /dev/null +++ b/package/crds/jwt.vault.upbound.io_authbackendroles.yaml 
@@ -0,0 +1,968 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: authbackendroles.jwt.vault.upbound.io +spec: + group: jwt.vault.upbound.io + names: + categories: + - crossplane + - managed + - vault + kind: AuthBackendRole + listKind: AuthBackendRoleList + plural: authbackendroles + singular: authbackendrole + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: AuthBackendRole is the Schema for the AuthBackendRoles API. Manages + JWT/OIDC auth backend roles in Vault. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AuthBackendRoleSpec defines the desired state of AuthBackendRole + properties: + deletionPolicy: + default: Delete + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + enum: + - Orphan + - Delete + type: string + forProvider: + properties: + allowedRedirectUris: + description: |- + The list of allowed values for redirect_uri during OIDC logins. + Required for OIDC roles + The list of allowed values for redirect_uri during OIDC logins. + items: + type: string + type: array + x-kubernetes-list-type: set + backend: + description: |- + The unique name of the auth backend to configure. + Defaults to jwt. + Unique name of the auth backend to configure. + type: string + boundAudiences: + description: |- + List of aud claims to match against. Any match is sufficient. + List of aud claims to match against. Any match is sufficient. + items: + type: string + type: array + x-kubernetes-list-type: set + boundClaims: + additionalProperties: + type: string + description: |- + If set, a map of claims to values to match against. + A claim's value must be a string, which may contain one value or multiple + comma-separated values, e.g. "red" or "red,green,blue". + Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. 
+ type: object + x-kubernetes-map-type: granular + boundClaimsType: + description: |- + How to interpret values in the claims/values + map (bound_claims): can be either string (exact match) or glob (wildcard + match). Requires Vault 1.4.0 or above. + How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). + type: string + boundSubject: + description: |- + If set, requires that the sub claim matches + this value. + If set, requires that the sub claim matches this value. + type: string + claimMappings: + additionalProperties: + type: string + description: |- + If set, a map of claims (keys) to be copied + to specified metadata fields (values). + Map of claims (keys) to be copied to specified metadata fields (values). + type: object + x-kubernetes-map-type: granular + clockSkewLeeway: + description: |- + The amount of leeway to add to all claims to account for clock skew, in + seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + type: number + disableBoundClaimsParsing: + description: Disable bound claim value parsing. Useful when values + contain commas. + type: boolean + expirationLeeway: + description: |- + The amount of leeway to add to expiration (exp) claims to account for + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. 
+ type: number + groupsClaim: + description: |- + The claim to use to uniquely identify + the set of groups to which the user belongs; this will be used as the names + for the Identity group aliases created due to a successful login. The claim + value must be a list of strings. + The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. + type: string + maxAge: + description: |- + Specifies the allowable elapsed time in seconds since the last time + the user was actively authenticated with the OIDC provider. + Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. + type: number + namespace: + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) + type: string + notBeforeLeeway: + description: |- + The amount of leeway to add to not before (nbf) claims to account for + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + type: number + oidcScopes: + description: |- + If set, a list of OIDC scopes to be used with an OIDC role. + The standard scope "openid" is automatically included and need not be specified. + List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. 
+ items: + type: string + type: array + x-kubernetes-list-type: set + roleName: + description: |- + The name of the role. + Name of the role. + type: string + roleType: + description: |- + Type of role, either "oidc" (default) or "jwt". + Type of role, either "oidc" (default) or "jwt" + type: string + tokenBoundCidrs: + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token + items: + type: string + type: array + x-kubernetes-list-type: set + tokenExplicitMaxTtl: + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens + type: boolean + tokenNumUses: + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. 
+ Generated Token's Period + type: number + tokenPolicies: + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies + items: + type: string + type: array + x-kubernetes-list-type: set + tokenTtl: + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds + type: number + tokenType: + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch + type: string + userClaim: + description: |- + The claim to use to uniquely identify + the user; this will be used as the name for the Identity entity alias created + due to a successful login. + The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. + type: string + userClaimJsonPointer: + description: |- + Specifies if the user_claim value uses + JSON pointer + syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + Requires Vault 1.11+. + Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + type: boolean + verboseOidcLogging: + description: |- + Log received OIDC tokens and claims when debug-level + logging is active. Not recommended in production since sensitive information may be present + in OIDC responses. + Log received OIDC tokens and claims when debug-level logging is active. 
Not recommended in production since sensitive information may be present in OIDC responses. + type: boolean + type: object + initProvider: + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. + properties: + allowedRedirectUris: + description: |- + The list of allowed values for redirect_uri during OIDC logins. + Required for OIDC roles + The list of allowed values for redirect_uri during OIDC logins. + items: + type: string + type: array + x-kubernetes-list-type: set + backend: + description: |- + The unique name of the auth backend to configure. + Defaults to jwt. + Unique name of the auth backend to configure. + type: string + boundAudiences: + description: |- + List of aud claims to match against. Any match is sufficient. + List of aud claims to match against. Any match is sufficient. + items: + type: string + type: array + x-kubernetes-list-type: set + boundClaims: + additionalProperties: + type: string + description: |- + If set, a map of claims to values to match against. + A claim's value must be a string, which may contain one value or multiple + comma-separated values, e.g. "red" or "red,green,blue". + Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. 
+ type: object + x-kubernetes-map-type: granular + boundClaimsType: + description: |- + How to interpret values in the claims/values + map (bound_claims): can be either string (exact match) or glob (wildcard + match). Requires Vault 1.4.0 or above. + How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). + type: string + boundSubject: + description: |- + If set, requires that the sub claim matches + this value. + If set, requires that the sub claim matches this value. + type: string + claimMappings: + additionalProperties: + type: string + description: |- + If set, a map of claims (keys) to be copied + to specified metadata fields (values). + Map of claims (keys) to be copied to specified metadata fields (values). + type: object + x-kubernetes-map-type: granular + clockSkewLeeway: + description: |- + The amount of leeway to add to all claims to account for clock skew, in + seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + type: number + disableBoundClaimsParsing: + description: Disable bound claim value parsing. Useful when values + contain commas. + type: boolean + expirationLeeway: + description: |- + The amount of leeway to add to expiration (exp) claims to account for + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. 
+ type: number + groupsClaim: + description: |- + The claim to use to uniquely identify + the set of groups to which the user belongs; this will be used as the names + for the Identity group aliases created due to a successful login. The claim + value must be a list of strings. + The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. + type: string + maxAge: + description: |- + Specifies the allowable elapsed time in seconds since the last time + the user was actively authenticated with the OIDC provider. + Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. + type: number + namespace: + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) + type: string + notBeforeLeeway: + description: |- + The amount of leeway to add to not before (nbf) claims to account for + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + type: number + oidcScopes: + description: |- + If set, a list of OIDC scopes to be used with an OIDC role. + The standard scope "openid" is automatically included and need not be specified. + List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. 
+ items: + type: string + type: array + x-kubernetes-list-type: set + roleName: + description: |- + The name of the role. + Name of the role. + type: string + roleType: + description: |- + Type of role, either "oidc" (default) or "jwt". + Type of role, either "oidc" (default) or "jwt" + type: string + tokenBoundCidrs: + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token + items: + type: string + type: array + x-kubernetes-list-type: set + tokenExplicitMaxTtl: + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens + type: boolean + tokenNumUses: + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. 
+ Generated Token's Period + type: number + tokenPolicies: + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies + items: + type: string + type: array + x-kubernetes-list-type: set + tokenTtl: + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds + type: number + tokenType: + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch + type: string + userClaim: + description: |- + The claim to use to uniquely identify + the user; this will be used as the name for the Identity entity alias created + due to a successful login. + The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. + type: string + userClaimJsonPointer: + description: |- + Specifies if the user_claim value uses + JSON pointer + syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + Requires Vault 1.11+. + Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + type: boolean + verboseOidcLogging: + description: |- + Log received OIDC tokens and claims when debug-level + logging is active. Not recommended in production since sensitive information may be present + in OIDC responses. + Log received OIDC tokens and claims when debug-level logging is active. 
Not recommended in production since sensitive information may be present in OIDC responses. + type: boolean + type: object + managementPolicies: + default: + - '*' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + items: + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array + providerConfigRef: + default: + name: default + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. + type: object + type: + description: |- + Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. 
+ type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + x-kubernetes-validations: + - message: spec.forProvider.roleName is a required parameter + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.roleName) + || (has(self.initProvider) && has(self.initProvider.roleName))' + - message: spec.forProvider.userClaim is a required parameter + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.userClaim) + || (has(self.initProvider) && has(self.initProvider.userClaim))' + status: + description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. + properties: + atProvider: + properties: + allowedRedirectUris: + description: |- + The list of allowed values for redirect_uri during OIDC logins. + Required for OIDC roles + The list of allowed values for redirect_uri during OIDC logins. + items: + type: string + type: array + x-kubernetes-list-type: set + backend: + description: |- + The unique name of the auth backend to configure. + Defaults to jwt. + Unique name of the auth backend to configure. + type: string + boundAudiences: + description: |- + List of aud claims to match against. Any match is sufficient. + List of aud claims to match against. Any match is sufficient. + items: + type: string + type: array + x-kubernetes-list-type: set + boundClaims: + additionalProperties: + type: string + description: |- + If set, a map of claims to values to match against. + A claim's value must be a string, which may contain one value or multiple + comma-separated values, e.g. "red" or "red,green,blue". + Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. 
+ type: object + x-kubernetes-map-type: granular + boundClaimsType: + description: |- + How to interpret values in the claims/values + map (bound_claims): can be either string (exact match) or glob (wildcard + match). Requires Vault 1.4.0 or above. + How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). + type: string + boundSubject: + description: |- + If set, requires that the sub claim matches + this value. + If set, requires that the sub claim matches this value. + type: string + claimMappings: + additionalProperties: + type: string + description: |- + If set, a map of claims (keys) to be copied + to specified metadata fields (values). + Map of claims (keys) to be copied to specified metadata fields (values). + type: object + x-kubernetes-map-type: granular + clockSkewLeeway: + description: |- + The amount of leeway to add to all claims to account for clock skew, in + seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + type: number + disableBoundClaimsParsing: + description: Disable bound claim value parsing. Useful when values + contain commas. + type: boolean + expirationLeeway: + description: |- + The amount of leeway to add to expiration (exp) claims to account for + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. 
+ type: number + groupsClaim: + description: |- + The claim to use to uniquely identify + the set of groups to which the user belongs; this will be used as the names + for the Identity group aliases created due to a successful login. The claim + value must be a list of strings. + The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. + type: string + id: + type: string + maxAge: + description: |- + Specifies the allowable elapsed time in seconds since the last time + the user was actively authenticated with the OIDC provider. + Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. + type: number + namespace: + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) + type: string + notBeforeLeeway: + description: |- + The amount of leeway to add to not before (nbf) claims to account for + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + type: number + oidcScopes: + description: |- + If set, a list of OIDC scopes to be used with an OIDC role. + The standard scope "openid" is automatically included and need not be specified. + List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. 
+ items: + type: string + type: array + x-kubernetes-list-type: set + roleName: + description: |- + The name of the role. + Name of the role. + type: string + roleType: + description: |- + Type of role, either "oidc" (default) or "jwt". + Type of role, either "oidc" (default) or "jwt" + type: string + tokenBoundCidrs: + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token + items: + type: string + type: array + x-kubernetes-list-type: set + tokenExplicitMaxTtl: + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens + type: boolean + tokenNumUses: + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. 
+ Generated Token's Period + type: number + tokenPolicies: + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies + items: + type: string + type: array + x-kubernetes-list-type: set + tokenTtl: + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds + type: number + tokenType: + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch + type: string + userClaim: + description: |- + The claim to use to uniquely identify + the user; this will be used as the name for the Identity entity alias created + due to a successful login. + The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. + type: string + userClaimJsonPointer: + description: |- + Specifies if the user_claim value uses + JSON pointer + syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + Requires Vault 1.11+. + Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + type: boolean + verboseOidcLogging: + description: |- + Log received OIDC tokens and claims when debug-level + logging is active. Not recommended in production since sensitive information may be present + in OIDC responses. + Log received OIDC tokens and claims when debug-level logging is active. 
Not recommended in production since sensitive information may be present in OIDC responses. + type: boolean + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/package/crds/vault.vault.upbound.io_policies.yaml b/package/crds/vault.vault.upbound.io_policies.yaml new file mode 100644 index 0000000..7b5b5ac --- /dev/null +++ b/package/crds/vault.vault.upbound.io_policies.yaml 
@@ -0,0 +1,370 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: policies.vault.vault.upbound.io +spec: + group: vault.vault.upbound.io + names: + categories: + - crossplane + - managed + - vault + kind: Policy + listKind: PolicyList + plural: policies + singular: policy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy is the Schema for the Policys API. Writes arbitrary policies + for Vault + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PolicySpec defines the desired state of Policy + properties: + deletionPolicy: + default: Delete + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. 
+ This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + enum: + - Orphan + - Delete + type: string + forProvider: + properties: + namespace: + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) + type: string + policy: + description: |- + String containing a Vault policy + The policy document + type: string + type: object + initProvider: + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. + properties: + namespace: + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) + type: string + policy: + description: |- + String containing a Vault policy + The policy document + type: string + type: object + managementPolicies: + default: + - '*' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + items: + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array + providerConfigRef: + default: + name: default + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. + type: object + type: + description: |- + Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. 
+ type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + x-kubernetes-validations: + - message: spec.forProvider.policy is a required parameter + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.policy) + || (has(self.initProvider) && has(self.initProvider.policy))' + status: + description: PolicyStatus defines the observed state of Policy. + properties: + atProvider: + properties: + id: + type: string + namespace: + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) + type: string + policy: + description: |- + String containing a Vault policy + The policy document + type: string + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer + reason: + description: A Reason for this condition's last transition from + one status to another. 
+ type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {}
From b8b57e4edc6ad885bb0bc423ce51073223638e50 Mon Sep 17 00:00:00 2001
From: Rafael da Fonseca
Date: Tue, 15 Oct 2024 11:29:18 +0100
Subject: [PATCH 2/2] fix broken CI
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 72a840e..c859197 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -122,7 +122,7 @@ jobs:
 run: make generate
 - name: Upload File as Artifact
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 with:
 name: schema.json
 path: config/schema.json
@@ -282,7 +282,7 @@ jobs:
 BUILD_ARGS: "--load"
 - name: Publish Artifacts to GitHub
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 with:
 name: output
 path: _output/**
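Review bot: The new `uses: actions/upload-artifact@v4` lines in both ci.yml hunks (around lines 122 and 282) reference a mutable major-version tag, so the workflow will run whatever commit that tag is moved to later; a supply-chain-hardened pin names the full commit SHA and keeps the version as a comment, e.g. `uses: actions/upload-artifact@<full-commit-sha> # v4`, with a tool such as Dependabot or Renovate keeping the SHA current. Upload-artifact v4 also rejects a second upload to an artifact name that already exists in the same run, which is presumably fine here since the two steps use the distinct names `schema.json` and `output`, but it is worth confirming neither job is matrixed over multiple runners with the same name. The enclosing jobs start outside both hunks.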
