diff --git a/.github/workflows/build-and-release.yaml b/.github/workflows/build-and-release.yaml index 3ef9807..df4d458 100644 --- a/.github/workflows/build-and-release.yaml +++ b/.github/workflows/build-and-release.yaml @@ -21,12 +21,12 @@ jobs: uses: actions/checkout@v3 - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: - go-version: '1.19' + go-version: '1.20' - name: Go caches - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: | ~/go/pkg/mod @@ -49,12 +49,12 @@ jobs: uses: actions/checkout@v3 - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: - go-version: '1.19' + go-version: '1.20' - name: Go caches - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: | ~/go/pkg/mod @@ -79,6 +79,7 @@ jobs: IMAGE_TAG=sha-${GITHUB_SHA:0:7} [[ ${GITHUB_REF_TYPE} == "tag" ]] && IMAGE_TAG=${GITHUB_REF_NAME} echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_OUTPUT + echo "IMAGE_TAG=${IMAGE_TAG}" - name: Publish container images env: @@ -87,6 +88,7 @@ jobs: DIST_DIR: /tmp/dist run: | IMAGE_TAG=${{ steps.image-tag.outputs.IMAGE_TAG }} make release + echo "generated images with tag ${{steps.image-tag.outputs.IMAGE_TAG}}" - name: Upload artifact if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') @@ -104,7 +106,7 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 0 diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml index b055b5f..6d0f8c8 100644 --- a/.github/workflows/e2e-tests.yaml +++ b/.github/workflows/e2e-tests.yaml @@ -23,9 +23,9 @@ jobs: -d '{"state":"pending","target_url":"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}","context":"${{ github.workflow }}"}' - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: - go-version: '1.19' + go-version: '1.20' - name: Go caches uses: actions/cache@v3 
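Review bot: The added `echo "generated images with tag ${{steps.image-tag.outputs.IMAGE_TAG}}"` in the Publish container images step is expanded into the script text before the shell parses it, and on tag builds that output is set from `GITHUB_REF_NAME`, so the tag name is treated as script rather than data. Pass the value through the step's existing `env:` block, `IMAGE_TAG: ${{ steps.image-tag.outputs.IMAGE_TAG }}`, and write `echo "generated images with tag ${IMAGE_TAG}"`. The `make release` line above it could then presumably drop its inline assignment and read the same variable. The `echo "Image tag being used: ${{ github.event.client_payload.image_tag }}"` line added to the Deploy TriggerMesh step in e2e-tests.yaml has the same problem with a value taken from the dispatch payload, and the `sed` expression in that step already interpolates it.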
@@ -41,9 +41,9 @@ jobs: uses: container-tools/kind-action@v2 with: version: v0.13.0 - knative_eventing: v1.4.0 - knative_serving: v1.4.0 - knative_kourier: v1.4.0 + knative_eventing: v1.6.0 + knative_serving: v1.6.0 + knative_kourier: v1.6.0 # ko loads images directly into KinD's container runtime when # KO_DOCKER_REPO is set to the rogue value "kind.local", so we have no # use for a container registry. @@ -90,15 +90,20 @@ jobs: - name: Deploy TriggerMesh run: | + echo "Image tag being used: ${{ github.event.client_payload.image_tag }}" sed -i config/500-*.yaml \ -e "s|ko://github.com/triggermesh/triggermesh-event-sources-bundle/cmd/\(.*$\)|gcr.io/triggermesh/event-sources-bundle/\1:${{ github.event.client_payload.image_tag }}|g" kubectl apply -f config/ - kubectl -n triggermesh wait deployments.app --timeout=5m --for=condition=Available -l app.kubernetes.io/part-of=triggermesh + - name: Wait for TriggerMesh deployment + run: | kubectl -n knative-serving wait deployments.app --timeout=5m --for=condition=Available -l app.kubernetes.io/name=knative-serving kubectl -n knative-eventing wait deployments.app --timeout=5m --for=condition=Available -l app.kubernetes.io/name=knative-eventing + kubectl -n triggermesh get pods -l app.kubernetes.io/part-of=triggermesh + kubectl -n triggermesh wait deployments.app --timeout=5m --for=condition=Available -l app.kubernetes.io/part-of=triggermesh + - name: Install Ginkgo run: go install github.com/onsi/ginkgo/v2/ginkgo diff --git a/.github/workflows/generated.yaml b/.github/workflows/generated.yaml index b35ee7c..d46ce49 100644 --- a/.github/workflows/generated.yaml +++ b/.github/workflows/generated.yaml @@ -13,15 +13,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v4 with: go-version: '1.20' - name: Go caches - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: | ~/go/pkg/mod 
diff --git a/.github/workflows/licenses.yaml b/.github/workflows/licenses.yaml index 708c33b..537087e 100644 --- a/.github/workflows/licenses.yaml +++ b/.github/workflows/licenses.yaml @@ -13,15 +13,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v4 with: go-version: '1.20' - name: Go caches - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: | ~/.cache/go-build diff --git a/config/300-awscloudwatchlogssource.yaml b/config/300-awscloudwatchlogssource.yaml index 764d1f7..7545e18 100644 --- a/config/300-awscloudwatchlogssource.yaml +++ b/config/300-awscloudwatchlogssource.yaml @@ -117,6 +117,28 @@ spec: oneOf: - required: [value] - required: [valueFromSecret] + sessionToken: + description: The AWS session token for temporary credentials. + type: object + properties: + value: + description: Literal value of the session token. + type: string + format: password + valueFromSecret: + description: A reference to a Kubernetes Secret object containing the session token. + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] assumeIamRole: description: |- The ARN of an IAM role for cross-account or remote EKS cluster authorization. 
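Review bot: The `value` branch of the new `sessionToken` lets the token be written literally into the source object, where it is stored with the resource and readable by anyone who can get it. `format: password` is only an annotation and does not protect the field. The description should steer users to the Secret reference, for example `Literal value of the session token. Stored in plain text in the resource; prefer valueFromSecret.`, and the `name` and `key` properties under `valueFromSecret` have no descriptions at all. The same block is added to the other AWS source CRDs in this diff (CloudWatch, CodeCommit, both Cognito sources, DynamoDB, EventBridge, Kinesis, Performance Insights, S3 and SQS). The enclosing credentials schema starts outside the hunk.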
@@ -127,14 +149,36 @@ spec: - accessKeyID - secretAccessKey iamRole: - description: (Amazon EKS only) The ARN of an IAM role which can be impersonated to obtain AWS permissions. - For more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide - at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + description: Deprecated, please use "iam" object instead. type: string pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + iam: + description: The IAM role authentication parameters. For Amazon EKS only. + + type: object + properties: + roleArn: + description: |- + The ARN of an IAM role which can be impersonated to obtain AWS permissions. For + more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide + at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + + Beware that this IAM role only applies to the receive adapter, for retrieving S3 notifications + from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM + permissions for interacting with the Amazon S3 and (optionally) Amazon SQS management APIs. These + can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that + is located inside the 'triggermesh' namespace. + type: string + pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + serviceAccount: + description: |- + The name of the service account to be assigned on the receive adapter. Can be created externally and + shared between multiple components. + type: string oneOf: - required: [credentials] - required: [iamRole] + - required: [iam] sink: description: The destination of events generated from Amazon CloudWatch Logs. type: object diff --git a/config/300-awscloudwatchsource.yaml b/config/300-awscloudwatchsource.yaml index aa3395a..6a4e556 100644 --- a/config/300-awscloudwatchsource.yaml +++ b/config/300-awscloudwatchsource.yaml 
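Review bot: The new `iam` object has no `required` list, so `iam: {}` satisfies the `- required: [iam]` branch of the `oneOf` and a source can pass validation with neither a role nor a service account. If at least one of the two must be set, add `anyOf: [{required: [roleArn]}, {required: [serviceAccount]}]` under `iam`. `serviceAccount` is also an unconstrained string naming an account that may already exist and be shared, so whoever may create this source can presumably run the adapter under that account's IAM role, and the description should say so. The `roleArn` description is the Amazon S3 text ("retrieving S3 notifications from the intermediate Amazon SQS queue") and does not fit the CloudWatch Logs source; the EventBridge hunk shows source-specific wording being replaced by it. These points apply equally to the `iam` hunks of the other AWS source CRDs in this diff, and the enclosing schema object starts outside the hunk.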
@@ -176,6 +176,28 @@ spec: oneOf: - required: [value] - required: [valueFromSecret] + sessionToken: + description: The AWS session token for temporary credentials. + type: object + properties: + value: + description: Literal value of the session token. + type: string + format: password + valueFromSecret: + description: A reference to a Kubernetes Secret object containing the session token. + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] assumeIamRole: description: |- The ARN of an IAM role for cross-account or remote EKS cluster authorization. 
@@ -186,14 +208,35 @@ spec: - accessKeyID - secretAccessKey iamRole: - description: (Amazon EKS only) The ARN of an IAM role which can be impersonated to obtain AWS permissions. - For more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide - at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + description: Deprecated, please use "iam" object instead. type: string pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + iam: + description: The IAM role authentication parameters. For Amazon EKS only. + type: object + properties: + roleArn: + description: |- + The ARN of an IAM role which can be impersonated to obtain AWS permissions. For + more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide + at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + + Beware that this IAM role only applies to the receive adapter, for retrieving S3 notifications + from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM + permissions for interacting with the Amazon S3 and (optionally) Amazon SQS management APIs. These + can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that + is located inside the 'triggermesh' namespace. + type: string + pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + serviceAccount: + description: |- + The name of the service account to be assigned on the receive adapter. Can be created externally and + shared between multiple components. + type: string oneOf: - required: [credentials] - required: [iamRole] + - required: [iam] sink: description: The destination of events generated from Amazon CloudWatch metrics. type: object diff --git a/config/300-awscodecommitsource.yaml b/config/300-awscodecommitsource.yaml index 74646af..2e1a939 100644 --- a/config/300-awscodecommitsource.yaml +++ b/config/300-awscodecommitsource.yaml 
@@ -127,6 +127,28 @@ spec: oneOf: - required: [value] - required: [valueFromSecret] + sessionToken: + description: The AWS session token for temporary credentials. + type: object + properties: + value: + description: Literal value of the session token. + type: string + format: password + valueFromSecret: + description: A reference to a Kubernetes Secret object containing the session token. + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] assumeIamRole: description: |- The ARN of an IAM role for cross-account or remote EKS cluster authorization. 
@@ -137,14 +159,36 @@ spec: - accessKeyID - secretAccessKey iamRole: - description: (Amazon EKS only) The ARN of an IAM role which can be impersonated to obtain AWS permissions. - For more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide - at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + description: Deprecated, please use "iam" object instead. type: string pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + iam: + description: The IAM role authentication parameters. For Amazon EKS only. + + type: object + properties: + roleArn: + description: |- + The ARN of an IAM role which can be impersonated to obtain AWS permissions. For + more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide + at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + + Beware that this IAM role only applies to the receive adapter, for retrieving S3 notifications + from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM + permissions for interacting with the Amazon S3 and (optionally) Amazon SQS management APIs. These + can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that + is located inside the 'triggermesh' namespace. + type: string + pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + serviceAccount: + description: |- + The name of the service account to be assigned on the receive adapter. Can be created externally and + shared between multiple components. + type: string oneOf: - required: [credentials] - required: [iamRole] + - required: [iam] sink: description: The destination of events sourced from Amazon CodeCommit. type: object diff --git a/config/300-awscognitoidentitysource.yaml b/config/300-awscognitoidentitysource.yaml index 5d2b88d..ed43b88 100644 --- a/config/300-awscognitoidentitysource.yaml 
+++ b/config/300-awscognitoidentitysource.yaml @@ -114,6 +114,28 @@ spec: oneOf: - required: [value] - required: [valueFromSecret] + sessionToken: + description: The AWS session token for temporary credentials. + type: object + properties: + value: + description: Literal value of the session token. + type: string + format: password + valueFromSecret: + description: A reference to a Kubernetes Secret object containing the session token. + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] assumeIamRole: description: |- The ARN of an IAM role for cross-account or remote EKS cluster authorization. 
@@ -124,14 +146,36 @@ spec: - accessKeyID - secretAccessKey iamRole: - description: (Amazon EKS only) The ARN of an IAM role which can be impersonated to obtain AWS permissions. - For more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide - at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + description: Deprecated, please use "iam" object instead. type: string pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + iam: + description: The IAM role authentication parameters. For Amazon EKS only. + + type: object + properties: + roleArn: + description: |- + The ARN of an IAM role which can be impersonated to obtain AWS permissions. For + more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide + at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + + Beware that this IAM role only applies to the receive adapter, for retrieving S3 notifications + from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM + permissions for interacting with the Amazon S3 and (optionally) Amazon SQS management APIs. These + can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that + is located inside the 'triggermesh' namespace. + type: string + pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + serviceAccount: + description: |- + The name of the service account to be assigned on the receive adapter. Can be created externally and + shared between multiple components. + type: string oneOf: - required: [credentials] - required: [iamRole] + - required: [iam] sink: description: The destination of events sourced from the Amazon Cognito Identity Pool. type: object diff --git a/config/300-awscognitouserpoolsource.yaml b/config/300-awscognitouserpoolsource.yaml index 20dc362..b926a2b 100644 --- a/config/300-awscognitouserpoolsource.yaml 
+++ b/config/300-awscognitouserpoolsource.yaml @@ -114,6 +114,28 @@ spec: oneOf: - required: [value] - required: [valueFromSecret] + sessionToken: + description: The AWS session token for temporary credentials. + type: object + properties: + value: + description: Literal value of the session token. + type: string + format: password + valueFromSecret: + description: A reference to a Kubernetes Secret object containing the session token. + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] assumeIamRole: description: |- The ARN of an IAM role for cross-account or remote EKS cluster authorization. 
@@ -124,14 +146,36 @@ spec: - accessKeyID - secretAccessKey iamRole: - description: (Amazon EKS only) The ARN of an IAM role which can be impersonated to obtain AWS permissions. - For more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide - at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + description: Deprecated, please use "iam" object instead. type: string pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + iam: + description: The IAM role authentication parameters. For Amazon EKS only. + + type: object + properties: + roleArn: + description: |- + The ARN of an IAM role which can be impersonated to obtain AWS permissions. For + more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide + at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + + Beware that this IAM role only applies to the receive adapter, for retrieving S3 notifications + from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM + permissions for interacting with the Amazon S3 and (optionally) Amazon SQS management APIs. These + can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that + is located inside the 'triggermesh' namespace. + type: string + pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + serviceAccount: + description: |- + The name of the service account to be assigned on the receive adapter. Can be created externally and + shared between multiple components. + type: string oneOf: - required: [credentials] - required: [iamRole] + - required: [iam] sink: description: The destination of events sourced from the Amazon Cognito User Pool. type: object diff --git a/config/300-awsdynamodbsource.yaml b/config/300-awsdynamodbsource.yaml index 924db7f..e764be2 100644 --- a/config/300-awsdynamodbsource.yaml +++ b/config/300-awsdynamodbsource.yaml 
@@ -113,6 +113,28 @@ spec: oneOf: - required: [value] - required: [valueFromSecret] + sessionToken: + description: The AWS session token for temporary credentials. + type: object + properties: + value: + description: Literal value of the session token. + type: string + format: password + valueFromSecret: + description: A reference to a Kubernetes Secret object containing the session token. + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] assumeIamRole: description: |- The ARN of an IAM role for cross-account or remote EKS cluster authorization. 
@@ -123,14 +145,36 @@ spec: - accessKeyID - secretAccessKey iamRole: - description: (Amazon EKS only) The ARN of an IAM role which can be impersonated to obtain AWS permissions. - For more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide - at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + description: Deprecated, please use "iam" object instead. type: string pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + iam: + description: The IAM role authentication parameters. For Amazon EKS only. + + type: object + properties: + roleArn: + description: |- + The ARN of an IAM role which can be impersonated to obtain AWS permissions. For + more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide + at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + + Beware that this IAM role only applies to the receive adapter, for retrieving S3 notifications + from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM + permissions for interacting with the Amazon S3 and (optionally) Amazon SQS management APIs. These + can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that + is located inside the 'triggermesh' namespace. + type: string + pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + serviceAccount: + description: |- + The name of the service account to be assigned on the receive adapter. Can be created externally and + shared between multiple components. + type: string oneOf: - required: [credentials] - required: [iamRole] + - required: [iam] sink: description: The destination of events sourced from Amazon DynamoDB. type: object diff --git a/config/300-awseventbridgesource.yaml b/config/300-awseventbridgesource.yaml index a6ac03a..b3cf9ed 100644 --- a/config/300-awseventbridgesource.yaml +++ b/config/300-awseventbridgesource.yaml 
@@ -131,6 +131,28 @@ spec: oneOf: - required: [value] - required: [valueFromSecret] + sessionToken: + description: The AWS session token for temporary credentials. + type: object + properties: + value: + description: Literal value of the session token. + type: string + format: password + valueFromSecret: + description: A reference to a Kubernetes Secret object containing the session token. + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] assumeIamRole: description: |- The ARN of an IAM role for cross-account or remote EKS cluster authorization. 
@@ -141,21 +163,36 @@ spec: - accessKeyID - secretAccessKey iamRole: - description: |- - (Amazon EKS only) The ARN of an IAM role which can be impersonated to obtain AWS permissions. For - more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide - at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html - - Beware that this IAM role only applies to the receive adapter, for retrieving EventBridge events - from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM - permissions for interacting with the Amazon EventBridge and (optionally) Amazon SQS management APIs. These - can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that - is located inside the 'triggermesh' namespace. + description: Deprecated, please use "iam" object instead. type: string pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + iam: + description: The IAM role authentication parameters. For Amazon EKS only. + + type: object + properties: + roleArn: + description: |- + The ARN of an IAM role which can be impersonated to obtain AWS permissions. For + more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide + at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + + Beware that this IAM role only applies to the receive adapter, for retrieving S3 notifications + from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM + permissions for interacting with the Amazon S3 and (optionally) Amazon SQS management APIs. These + can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that + is located inside the 'triggermesh' namespace. + type: string + pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + serviceAccount: + description: |- + The name of the service account to be assigned on the receive adapter. 
Can be created externally and + shared between multiple components. + type: string oneOf: - required: [credentials] - required: [iamRole] + - required: [iam] sink: description: The destination of events sourced from Amazon EventBridge. type: object diff --git a/config/300-awskinesissource.yaml b/config/300-awskinesissource.yaml index 66460cc..f745883 100644 --- a/config/300-awskinesissource.yaml +++ b/config/300-awskinesissource.yaml @@ -112,6 +112,28 @@ spec: oneOf: - required: [value] - required: [valueFromSecret] + sessionToken: + description: The AWS session token for temporary credentials. + type: object + properties: + value: + description: Literal value of the session token. + type: string + format: password + valueFromSecret: + description: A reference to a Kubernetes Secret object containing the session token. + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] assumeIamRole: description: |- The ARN of an IAM role for cross-account or remote EKS cluster authorization. 
@@ -122,14 +144,36 @@ spec: - accessKeyID - secretAccessKey iamRole: - description: (Amazon EKS only) The ARN of an IAM role which can be impersonated to obtain AWS permissions. - For more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide - at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + description: Deprecated, please use "iam" object instead. type: string pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + iam: + description: The IAM role authentication parameters. For Amazon EKS only. + + type: object + properties: + roleArn: + description: |- + The ARN of an IAM role which can be impersonated to obtain AWS permissions. For + more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide + at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + + Beware that this IAM role only applies to the receive adapter, for retrieving S3 notifications + from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM + permissions for interacting with the Amazon S3 and (optionally) Amazon SQS management APIs. These + can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that + is located inside the 'triggermesh' namespace. + type: string + pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + serviceAccount: + description: |- + The name of the service account to be assigned on the receive adapter. Can be created externally and + shared between multiple components. + type: string oneOf: - required: [credentials] - required: [iamRole] + - required: [iam] sink: description: The destination of events sourced from Amazon Kinesis. type: object diff --git a/config/300-awsperformanceinsightssource.yaml b/config/300-awsperformanceinsightssource.yaml index 345c0b6..3bc4e96 100644 --- a/config/300-awsperformanceinsightssource.yaml 
+++ b/config/300-awsperformanceinsightssource.yaml @@ -125,6 +125,28 @@ spec: oneOf: - required: [value] - required: [valueFromSecret] + sessionToken: + description: The AWS session token for temporary credentials. + type: object + properties: + value: + description: Literal value of the session token. + type: string + format: password + valueFromSecret: + description: A reference to a Kubernetes Secret object containing the session token. + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] assumeIamRole: description: |- The ARN of an IAM role for cross-account or remote EKS cluster authorization. 
@@ -135,14 +157,36 @@ spec: - accessKeyID - secretAccessKey iamRole: - description: (Amazon EKS only) The ARN of an IAM role which can be impersonated to obtain AWS permissions. - For more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide - at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + description: Deprecated, please use "iam" object instead. type: string pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + iam: + description: The IAM role authentication parameters. For Amazon EKS only. + + type: object + properties: + roleArn: + description: |- + The ARN of an IAM role which can be impersonated to obtain AWS permissions. For + more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide + at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + + Beware that this IAM role only applies to the receive adapter, for retrieving S3 notifications + from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM + permissions for interacting with the Amazon S3 and (optionally) Amazon SQS management APIs. These + can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that + is located inside the 'triggermesh' namespace. + type: string + pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + serviceAccount: + description: |- + The name of the service account to be assigned on the receive adapter. Can be created externally and + shared between multiple components. + type: string oneOf: - required: [credentials] - required: [iamRole] + - required: [iam] sink: description: The destination of events generated by Amazon Performance Insights. type: object diff --git a/config/300-awss3source.yaml b/config/300-awss3source.yaml index 0959cda..564e74c 100644 --- a/config/300-awss3source.yaml +++ b/config/300-awss3source.yaml 
@@ -186,6 +186,28 @@ spec: oneOf: - required: [value] - required: [valueFromSecret] + sessionToken: + description: The AWS session token for temporary credentials. + type: object + properties: + value: + description: Literal value of the session token. + type: string + format: password + valueFromSecret: + description: A reference to a Kubernetes Secret object containing the session token. + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] assumeIamRole: description: |- The ARN of an IAM role for cross-account or remote EKS cluster authorization. 
@@ -196,21 +218,36 @@ spec: - accessKeyID - secretAccessKey iamRole: - description: |- - (Amazon EKS only) The ARN of an IAM role which can be impersonated to obtain AWS permissions. For - more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide - at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html - - Beware that this IAM role only applies to the receive adapter, for retrieving S3 notifications - from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM - permissions for interacting with the Amazon S3 and (optionally) Amazon SQS management APIs. These - can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that - is located inside the 'triggermesh' namespace. + description: Deprecated, please use "iam" object instead. type: string pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + iam: + description: The IAM role authentication parameters. For Amazon EKS only. + + type: object + properties: + roleArn: + description: |- + The ARN of an IAM role which can be impersonated to obtain AWS permissions. For + more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide + at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + + Beware that this IAM role only applies to the receive adapter, for retrieving S3 notifications + from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM + permissions for interacting with the Amazon S3 and (optionally) Amazon SQS management APIs. These + can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that + is located inside the 'triggermesh' namespace. + type: string + pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + serviceAccount: + description: |- + The name of the service account to be assigned on the receive adapter. 
Can be created externally and + shared between multiple components. + type: string oneOf: - required: [credentials] - required: [iamRole] + - required: [iam] sink: description: The destination of events sourced from Amazon S3. type: object diff --git a/config/300-awssqssource.yaml b/config/300-awssqssource.yaml index 0be8e57..0a7052a 100644 --- a/config/300-awssqssource.yaml +++ b/config/300-awssqssource.yaml @@ -128,6 +128,28 @@ spec: oneOf: - required: [value] - required: [valueFromSecret] + sessionToken: + description: The AWS session token for temporary credentials. + type: object + properties: + value: + description: Literal value of the session token. + type: string + format: password + valueFromSecret: + description: A reference to a Kubernetes Secret object containing the session token. + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] assumeIamRole: description: |- The ARN of an IAM role for cross-account or remote EKS cluster authorization. 
@@ -138,14 +160,36 @@ spec: - accessKeyID - secretAccessKey iamRole: - description: (Amazon EKS only) The ARN of an IAM role which can be impersonated to obtain AWS permissions. - For more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide - at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + description: Deprecated, please use "iam" object instead. type: string pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + iam: + description: The IAM role authentication parameters. For Amazon EKS only. + + type: object + properties: + roleArn: + description: |- + The ARN of an IAM role which can be impersonated to obtain AWS permissions. For + more information about IAM roles for service accounts, please refer to the Amazon EKS User Guide + at https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + + Beware that this IAM role only applies to the receive adapter, for retrieving S3 notifications + from the intermediate Amazon SQS queue. The TriggerMesh controller requires its own set of IAM + permissions for interacting with the Amazon S3 and (optionally) Amazon SQS management APIs. These + can be granted via a separate IAM role, through the 'triggermesh-controller' serviceAccount that + is located inside the 'triggermesh' namespace. + type: string + pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:role\/.+$ + serviceAccount: + description: |- + The name of the service account to be assigned on the receive adapter. Can be created externally and + shared between multiple components. + type: string oneOf: - required: [credentials] - required: [iamRole] + - required: [iam] endpoint: description: Customizations of the AWS REST API endpoint. type: object diff --git a/config/300-azureservicebussource.yaml b/config/300-azureservicebussource.yaml index ebd20e7..7fd53a2 100644 --- a/config/300-azureservicebussource.yaml +++ b/config/300-azureservicebussource.yaml 
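Review bot: The `roleArn` description added to the SQS source is the S3 source's text: its second paragraph speaks of "retrieving S3 notifications from the intermediate Amazon SQS queue" and of controller permissions for the Amazon S3 management APIs, none of which was in the SQS description this hunk removes. An operator who writes the IAM policy from this text may grant S3 permissions that the SQS adapter has no visible need for. Keeping the first paragraph and replacing the "Beware" paragraph with an SQS-specific sentence would fix it, e.g. `This IAM role is used by the receive adapter to read messages from the Amazon SQS queue.`, with the wording to be confirmed against the adapter. The mapping that owns `iamRole` and the `oneOf` starts above this hunk.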
@@ -237,6 +237,9 @@ spec: webSocketsEnable: description: Boolean to indicate to use WebSockets. type: boolean + maxConcurrent: + description: maximum number of goroutines that will be used to process messages. default 10. + type: integer sink: description: The destination of events sourced from the Azure Service Bus. type: object diff --git a/config/300-googlecloudauditlogssource.yaml b/config/300-googlecloudauditlogssource.yaml index 77e1dea..ee3bdcb 100644 --- a/config/300-googlecloudauditlogssource.yaml +++ b/config/300-googlecloudauditlogssource.yaml @@ -87,30 +87,8 @@ spec: oneOf: - required: [project] - required: [topic] - serviceAccountKey: - description: Deprecated - please use spec.auth.serviceAccountKey. Service account key used to authenticate - the event source and allow it to interact with Google Cloud APIs. Only the JSON format is supported. - type: object - properties: - value: - description: Literal value of the service account key. - type: string - valueFromSecret: - description: A reference to a Kubernetes Secret object containing the service account key. - type: object - properties: - name: - type: string - key: - type: string - required: - - name - - key - oneOf: - - required: [value] - - required: [valueFromSecret] auth: - description: + description: Authentication options for Google Cloud Platform API. type: object properties: serviceAccountKey: 
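Review bot: `maxConcurrent` is a bare `type: integer`, so zero, negative and arbitrarily large values pass validation even though the field sizes the pool of goroutines that process messages. Bounding it in the schema, e.g. `minimum: 1` together with a `maximum` chosen for the adapter's memory budget, rejects values that would stall the source or exhaust the pod. The default of 10 is stated only in prose; whether the adapter applies it when the field is absent is not visible in this hunk. The description would also match its neighbours better as `Maximum number of goroutines used to process messages. Defaults to 10.`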
@@ -137,17 +115,16 @@ spec: - required: [valueFromSecret] gcpServiceAccount: description: GCP Service account name to impersonate Identity and Access Management (IAM) service accounts - to access Google Cloud services. + to access Google Cloud services. For the GKE platform only. More details about workload identity at + https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity pattern: ^[a-z0-9-]{6,30}@[a-z0-9-]{1,30}(?:\.[a-z0-9-]{1,30})?\.gserviceaccount\.com$ type: string kubernetesServiceAccount: - description: The name of the Kubernetes Service account that will be created and bound to the gcpServiceAccount - to act as an IAM service account. Optional, by default the Kubernetes service account name will be generated - by the controller. + description: The name of the Kubernetes Service account that will be annotated with the gcpServiceAccount + identity. If the service account already exists it will be assigned to the receive adapter, otherwise + controller will create it. Optional, by default the Kubernetes service account will be generated by + the controller. type: string - oneOf: - - required: [serviceAccountKey] - - required: [gcpServiceAccount] sink: description: The destination of events received via change notifications. type: object @@ -265,6 +242,7 @@ spec: - methodName - pubsub - sink + - auth status: description: Reported status of the event source. type: object diff --git a/config/300-googlecloudbillingsource.yaml b/config/300-googlecloudbillingsource.yaml index 07d98d6..f3f978a 100644 --- a/config/300-googlecloudbillingsource.yaml +++ b/config/300-googlecloudbillingsource.yaml 
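Review bot: Removing the `oneOf` over `serviceAccountKey` and `gcpServiceAccount` leaves `auth` with no constraint at all: `auth: {}` validates, and so does a spec that sets a key and a workload-identity account together, which leaves the precedence to the controller. If the intent is to also allow `kubernetesServiceAccount` on its own, `anyOf: [{required: [serviceAccountKey]}, {required: [gcpServiceAccount]}, {required: [kubernetesServiceAccount]}]` keeps at least one method mandatory. The reworded `kubernetesServiceAccount` description says an existing account is reused and annotated with the `gcpServiceAccount` identity; that affects every workload already running under that account and deserves a sentence in the description. The same removal is repeated in the billing, Pub/Sub, source repositories and storage hunks (-129,17, -116,17, -128,17, -142,17). The `auth` mapping starts above this hunk.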
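Review bot: Adding `auth` to `required` in the same commit that deletes the deprecated top-level `serviceAccountKey` leaves objects written in the old form with no valid shape. Presumably they are rejected on their next update, and if the CRD prunes unknown fields the old key is dropped before the adapter can read it, so the source would lose its credentials without a clear error. Keeping the deprecated field for one more release, or stating the migration in the `auth` description (`description: Authentication options for Google Cloud Platform API. Replaces the removed spec.serviceAccountKey.`), would make the break visible. The same `- auth` line is added in the billing, Pub/Sub, source repositories and storage CRDs, and the `required` list itself starts above this hunk.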
@@ -79,28 +79,6 @@ spec: oneOf: - required: [project] - required: [topic] - serviceAccountKey: - description: Deprecated - please use spec.auth.serviceAccountKey. Service account key used to authenticate - the event source and allow it to interact with Google Cloud APIs. Only the JSON format is supported. - type: object - properties: - value: - description: Literal value of the service account key. - type: string - valueFromSecret: - description: A reference to a Kubernetes Secret object containing the service account key. - type: object - properties: - name: - type: string - key: - type: string - required: - - name - - key - oneOf: - - required: [value] - - required: [valueFromSecret] auth: description: type: object 
@@ -129,17 +107,16 @@ spec: - required: [valueFromSecret] gcpServiceAccount: description: GCP Service account name to impersonate Identity and Access Management (IAM) service accounts - to access Google Cloud services. + to access Google Cloud services. For the GKE platform only. More details about workload identity at + https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity pattern: ^[a-z0-9-]{6,30}@[a-z0-9-]{1,30}(?:\.[a-z0-9-]{1,30})?\.gserviceaccount\.com$ type: string kubernetesServiceAccount: - description: The name of the Kubernetes Service account that will be created and bound to the gcpServiceAccount - to act as an IAM service account. Optional, by default the Kubernetes service account name will be generated - by the controller. + description: The name of the Kubernetes Service account that will be annotated with the gcpServiceAccount + identity. If the service account already exists it will be assigned to the receive adapter, otherwise + controller will create it. Optional, by default the Kubernetes service account will be generated by + the controller. type: string - oneOf: - - required: [serviceAccountKey] - - required: [gcpServiceAccount] sink: description: The destination of events received via change notifications. type: object @@ -257,6 +234,7 @@ spec: - budgetId - pubsub - sink + - auth status: description: Reported status of the event source. type: object diff --git a/config/300-googlecloudpubsubsource.yaml b/config/300-googlecloudpubsubsource.yaml index 170f349..59eab86 100644 --- a/config/300-googlecloudpubsubsource.yaml +++ b/config/300-googlecloudpubsubsource.yaml 
@@ -66,28 +66,6 @@ spec: on behalf of the user. type: string pattern: ^[a-zA-Z][\w-.~%+]{2,254}$ - serviceAccountKey: - description: Deprecated - please use spec.auth.serviceAccountKey. Service account key used to authenticate - the event source and allow it to interact with Google Cloud APIs. Only the JSON format is supported. - type: object - properties: - value: - description: Literal value of the service account key. - type: string - valueFromSecret: - description: A reference to a Kubernetes Secret object containing the service account key. - type: object - properties: - name: - type: string - key: - type: string - required: - - name - - key - oneOf: - - required: [value] - - required: [valueFromSecret] auth: description: type: object 
@@ -116,17 +94,16 @@ spec: - required: [valueFromSecret] gcpServiceAccount: description: GCP Service account name to impersonate Identity and Access Management (IAM) service accounts - to access Google Cloud services. + to access Google Cloud services. For the GKE platform only. More details about workload identity at + https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity pattern: ^[a-z0-9-]{6,30}@[a-z0-9-]{1,30}(?:\.[a-z0-9-]{1,30})?\.gserviceaccount\.com$ type: string kubernetesServiceAccount: - description: The name of the Kubernetes Service account that will be created and bound to the gcpServiceAccount - to act as an IAM service account. Optional, by default the Kubernetes service account name will be generated - by the controller. + description: The name of the Kubernetes Service account that will be annotated with the gcpServiceAccount + identity. If the service account already exists it will be assigned to the receive adapter, otherwise + controller will create it. Optional, by default the Kubernetes service account will be generated by + the controller. type: string - oneOf: - - required: [serviceAccountKey] - - required: [gcpServiceAccount] sink: description: The destination of events received via change notifications. type: object @@ -242,6 +219,7 @@ spec: required: - topic - sink + - auth status: description: Reported status of the event source. type: object diff --git a/config/300-googlecloudsourcerepositoriessource.yaml b/config/300-googlecloudsourcerepositoriessource.yaml index 934c3be..c537f45 100644 --- a/config/300-googlecloudsourcerepositoriessource.yaml +++ b/config/300-googlecloudsourcerepositoriessource.yaml 
@@ -78,28 +78,6 @@ spec: If unspecified, it defaults to the Compute Engine default service account. type: string format: email - serviceAccountKey: - description: Deprecated - please use spec.auth.serviceAccountKey. Service account key used to authenticate - the event source and allow it to interact with Google Cloud APIs. Only the JSON format is supported. - type: object - properties: - value: - description: Literal value of the service account key. - type: string - valueFromSecret: - description: A reference to a Kubernetes Secret object containing the service account key. - type: object - properties: - name: - type: string - key: - type: string - required: - - name - - key - oneOf: - - required: [value] - - required: [valueFromSecret] auth: description: type: object 
@@ -128,17 +106,16 @@ spec: - required: [valueFromSecret] gcpServiceAccount: description: GCP Service account name to impersonate Identity and Access Management (IAM) service accounts - to access Google Cloud services. + to access Google Cloud services. For the GKE platform only. More details about workload identity at + https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity pattern: ^[a-z0-9-]{6,30}@[a-z0-9-]{1,30}(?:\.[a-z0-9-]{1,30})?\.gserviceaccount\.com$ type: string kubernetesServiceAccount: - description: The name of the Kubernetes Service account that will be created and bound to the gcpServiceAccount - to act as an IAM service account. Optional, by default the Kubernetes service account name will be generated - by the controller. + description: The name of the Kubernetes Service account that will be annotated with the gcpServiceAccount + identity. If the service account already exists it will be assigned to the receive adapter, otherwise + controller will create it. Optional, by default the Kubernetes service account will be generated by + the controller. type: string - oneOf: - - required: [serviceAccountKey] - - required: [gcpServiceAccount] sink: description: The destination of events received via change notifications. type: object @@ -254,6 +231,7 @@ spec: required: - repository - sink + - auth status: description: Reported status of the event source. type: object diff --git a/config/300-googlecloudstoragesource.yaml b/config/300-googlecloudstoragesource.yaml index 665d1ef..af12b2e 100644 --- a/config/300-googlecloudstoragesource.yaml +++ b/config/300-googlecloudstoragesource.yaml 
@@ -24,7 +24,11 @@ metadata: annotations: registry.knative.dev/eventTypes: | [ - { "type": "com.google.cloud.storage.notification" } + { "type": "com.google.cloud.storage.notification" }, + { "type": "com.google.cloud.storage.objectfinalize" }, + { "type": "com.google.cloud.storage.objectmetadataupdate" }, + { "type": "com.google.cloud.storage.objectdelete" }, + { "type": "com.google.cloud.storage.objectarchive" } ] spec: group: sources.triggermesh.io @@ -92,28 +96,6 @@ spec: objectNamePrefix: description: If present, will only receive notifications for objects whose names that begin with this prefix. type: string - serviceAccountKey: - description: Deprecated - please use spec.auth.serviceAccountKey. Service account key used to authenticate - the event source and allow it to interact with Google Cloud APIs. Only the JSON format is supported. - type: object - properties: - value: - description: Literal value of the service account key. - type: string - valueFromSecret: - description: A reference to a Kubernetes Secret object containing the service account key. - type: object - properties: - name: - type: string - key: - type: string - required: - - name - - key - oneOf: - - required: [value] - - required: [valueFromSecret] auth: description: type: object 
@@ -142,17 +124,16 @@ spec: - required: [valueFromSecret] gcpServiceAccount: description: GCP Service account name to impersonate Identity and Access Management (IAM) service accounts - to access Google Cloud services. + to access Google Cloud services. For the GKE platform only. More details about workload identity at + https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity pattern: ^[a-z0-9-]{6,30}@[a-z0-9-]{1,30}(?:\.[a-z0-9-]{1,30})?\.gserviceaccount\.com$ type: string kubernetesServiceAccount: - description: The name of the Kubernetes Service account that will be created and bound to the gcpServiceAccount - to act as an IAM service account. Optional, by default the Kubernetes service account name will be generated - by the controller. + description: The name of the Kubernetes Service account that will be annotated with the gcpServiceAccount + identity. If the service account already exists it will be assigned to the receive adapter, otherwise + controller will create it. Optional, by default the Kubernetes service account will be generated by + the controller. type: string - oneOf: - - required: [serviceAccountKey] - - required: [gcpServiceAccount] sink: description: The destination of events received via change notifications. type: object @@ -269,6 +250,7 @@ spec: - bucket - pubsub - sink + - auth status: description: Reported status of the event source. type: object